09 Jul 2014
5 Security Tips for E-commerce Websites

Small e-commerce sites are often the target of attacks, with hackers taking advantage of companies without the dedicated security staff and expertise of a company that’s in the top half of the Fortune 500. And while breaches at smaller companies may not make the headlines (if they are detected at all), the number of small e-commerce sites – the long tail – provides a tempting volume of sites to attack.

Those who wonder how they can possibly protect themselves when eBay couldn’t, take heart. The root of the attack on eBay seems to have come from an easy-to-prevent vulnerability, and the cloud has brought with it affordable security solutions that would have been out of reach for small businesses just a few years ago.


01 Jul 2014
New Data Center Goes Live in Atlanta, Georgia

We are happy to announce the activation of a new Point of Presence (PoP) in Atlanta, Georgia - our 5th new data center to go live in 2014.

Located in the Equinix AT2 facility, our new PoP augments Incapsula’s presence in Southeast USA by further improving connectivity in one of our highest demand areas.

Atlanta's multi 10Gig data center also contributes to Incapsula's overall resilience against volumetric DDoS attacks. With it, Incapsula's total network capacity now reaches 710+ Gbps - more than enough to handle even the largest volumetric DDoS threats.


23 Jun 2014
Who Says Behemoths Can’t Dance? Building an Agile 170Gbps DDoS Mitigation Appliance

Today, there is a lot of work being done to separate the Data Plane from the Control Plane, and to make the Data Plane more dynamic by allowing it to identify "flows". These flows are based on information about source and destination ports, source and destination IPs or subnets, and protocols being used.

The practice of flow identification enables granular decision-making on the Data Plane, using technologies like OpenFlow or FlowSpec, to actually achieve a generic (and flow-aware) Data Plane that can handle large packet loads.

From a DDoS mitigation point of view, the ability to make flow-related decisions is a huge improvement, but it’s still not enough. To ensure a low level of false positives, there is no alternative but to do actual protocol analysis, including handling streams with packet modification and generation (think SYN cookies, DNS protocol content, and TCP segmentation)...


17 Jun 2014
New Data Center Goes Live in Auckland, New Zealand

A few days ago we activated our newest data center, located in Vocus Communications’ facility in Auckland, New Zealand.

This new location enables us to comply with New Zealand’s national data privacy regulations. With it, we are now able to meet the needs of local website operators who expressed their interest in Incapsula’s security and acceleration services, on the condition that the inbound traffic is routed through a local Point of Presence (POP).



05 Jun 2014
OpenSSL Man in the Middle (MITM) Flaw Fixed

Yesterday OpenSSL released a fix for seven security vulnerabilities, including a serious flaw (CVE-2014-0224) that enables man-in-the-middle (MITM) attacks, potentially allowing the attacker to decrypt and modify traffic from the attacked client and server.

We immediately responded with a network-wide update, protecting our servers and all of our clients from these security issues.

It should go without saying that we advise all OpenSSL users to apply the patch as soon as possible.


28 May 2014
Complete Infrastructure Protection with DNS DDoS Mitigation and GRE Tunneling

Today we are announcing two major upgrades to Incapsula’s security services, which significantly extend the range of Incapsula’s award-winning anti-DDoS solutions.

The first of these is a DNS Protection service. As the name suggests, this solution safeguards our clients’ DNS servers, while also accelerating DNS responses.

The second is our Infrastructure Protection service, enabled by the addition of a GRE tunneling onboarding option.

This new service allows us to widen Incapsula's security perimeter to a point where Incapsula can be used to protect entire subnets, secure all network elements and inspect all TCP/UDP communication.

The underlying technology powering these new services is our custom-built scrubbing hardware (codenamed “Behemoth”). Each of these appliances can process 170Gbps worth of traffic, performing deep packet inspection, filtering, tunneling, and routing.


12 May 2014
DNS Flood of 1.5 Billion Requests a Minute, Fueled by DDoS Protection Services

Several days ago one of our clients became the target of a massive DNS DDoS attack, peaking at approximately 25Mpps (Million packets per second). The attack fit the description of other recently reported DNS floods, like the one that brought down UltraDNS earlier this month.

Interestingly enough, the DNS queries contained non-spoofed IP data that allowed us to uncover the attacker’s true points of origin.

When we did, we were surprised to learn that the malicious requests were originating from servers of two other anti-DDoS service providers – one based in Canada, the other in China.

All told, these were hitting our network at a rate of 1.5 Billion DNS queries a minute, amounting to over 630 Billion requests during the course of the 7-hour-long DDoS attack...


07 May 2014
Sharing Our Plans: 30 Data Centers by EOY

Today we want to share our network expansion plans for 2014.

With the first quarter behind us, and with three new data centers already in place, we are excited to announce our commitment to doubling Incapsula’s network size - expanding from 16 to 30 Points of Presence (POPs) by the end of the year.

With these new data centers we expect Incapsula’s overall network capacity to surpass 1.5 Tbps. Plus, each of Incapsula’s POPs will be upgraded to cache 30 times more than its current capacity by adding new border switches with increased port density.


08 Apr 2014

Update: April 10

We are now reissuing all SSL certificates together with our two CA providers – Comodo and GlobalSign, in order to eliminate any risk of private key leakage. Most of our certificates have already been reissued and the whole process is expected to complete within the next 24 hours. The reissuing process is conducted behind the scenes and requires no further action from our clients.

Extensive testing we conducted failed to demonstrate the possibility of private key compromise, except under the most contrived scenarios. However, we concluded that the risk does exist for any certificate deployed on OpenSSL over the past two years, given the fact that the vulnerability has been around since March 2012.

We have further approached our customers using custom SSL certificates about re-issuing their certificates. We believe it is advisable for all other OpenSSL users to do so as well.
