DDoS Protection Services

Incapsula: Cloud based DDoS Protection Service

When your web site is under threat of attack, or even actually under attack, Incapsula’s cloud-based DDoS protection service can be rolled out rapidly, is highly cost-effective, and demands no hardware or software installation.

Incapsula protects against all types of DDoS attacks:

Volume Based Attacks

Incapsula has a global scrubbing network that scales on demand to absorb and deflect multi-gigabyte DDoS attacks.

Protocol Attacks

Mitigating protocol attacks and blocking “bad” traffic before it reaches your site, Incapsula differentiates between legitimate website visitors (human or bot) and malicious or automated clients.

Application Layer Attacks

Constantly monitoring site visitor behavior, Incapsula blocks known bad bots, and challenges unrecognized visitors with cookie challenge, JS test, and CAPTCHAs when necessary.

Implemented Outside Your Network

Most importantly, DDoS Protection Services from Incapsula are implemented outside your network. This means that only filtered traffic reaches your hosts - protecting your investment in hardware, software, and network infrastructure, while simultaneously ensuring the continuity of your business.

Incapsula also features an extensive DDoS threat knowledge base. Constantly updated, Incapsula keeps track of new and emerging attack methods - identifying new threats as they emerge, detecting malicious users, and applying remedies in real-time.

Incapsula DDoS protection, DDoS attack mitigatedIncapsula mitigates 100GBps DDoS attack. One of Internet's largest.

DDoS Protection Hosting – Not Always Sufficient

Some web sites choose DDoS protection hosting to mitigate the risks of a DDoS attack. DDoS protection hosting providers have already invested in the expensive equipment, including DDoS protection hardware, necessary to absorb DDoS traffic. That said, this mitigation method has serious limitations in efficacy, and is markedly more costly than traditional hosting.

DDoS protection hosting is usually offered in two permutations:

Dedicated

Dedicated DDoS protection hosting can be costly, and may lack the ability to scale sufficiently in the event of an actual DoS attack.

Renting

Rental plans are by definition limited by the specific capacity of the hosting plan, and moreover by the actual total hosting provider capacity.

The biggest drawback of DDoS protection hosting is in the inefficient way it handles Protocol and Application Layer DDoS attacks.

These attacks, which try to mimic legitimate traffic, are best dealt with by smart identification techniques. DDoS protected hosting will not be able to mitigate these attacks by identification and instead will try to "swallow-up" the extra bandwidth they create. Even if successful, this is never as cost-effective as the alternative identification methods. One way or another, all this extra bandwidth will come at a cost and this is a cost which could be minimized or even entirely avoided.

IPTables DDoS Protection

"The question to ask when you look at security is not whether this makes us safer, but whether it’s worth the trade-off.”

Bruce Schneier

Another, somewhat recent, trend in DDos protection advocates the useage of Linux IPTables to mitigating DDoS attacks. The idea here is to identify and block attacking IPs. For example, blocking all IPs with excess rates of UDP queries per second. The definition of "excess rate" may vary, and it can also be modified as needed. All blocked IPs are generally added to a blacklist file, and based on that, the IPTables chain is generated.

But while IPTable DDoS Protection may sound good on paper, the reality is somewhat different. Humorously this method could be compared to curing a disease by killing the patient. After all, blocking suspicious IPs will also block all incoming traffic coming from those IPs - including customers and other legitimate visitors. In today’s IP-scarce web, many thousands of people may be using any given IP at a given time – some legitimate, some not. In this enviroment, using such rudimentary IP blocking techniques is simply asking for trouble.

Even for those unfazed by the posibility of blocking legitimate visitors, IPTables protection methods have other inherited disadvantages. For example, many DDoS attacks will use IP spoofing to get around simplistic DDoS protection schemes and this will making IPTables protection almost totally ineffective. Moreover, multi-node DDoS attacks, in which each IP supplies only a small number of requests (usually set under normal threshold) go completely undetected by the IPtables method.

Free DDoS Protection?

Simply put, this is an extinct animal. Effective DDoS protection services are not free. Some are extremely expensive and less effective, some are highly-effective and reasonably priced (ike Incapsula) – and some fall somewhere in the middle of this range - but none are free.

DDoS attacks target system assets. Any effective DDoS mitigation scheme must therefore involve additional system assets (i.e. bandwidth). And more bandwidth always comes at some expense.

It is true that simplistic solutions like IPTables are nominally “free.” However, they are only “free” if you don’t count the administrative overhead of setting up and maintaining them, the lost revenues from blocked legitimate traffic, or the staggering costs of system downtime when sophisticated attacks circumvent them.