Our third and final announcement for today is a new service that allows more organizations to benefit from Incapsula DDoS protection solutions.

This new feature overcomes an innate router limitation that restricts the deployment of BGP-enabled protection to users with at least an entire Class C IP subnet.

IP subnets explained

This minimum requirement prevents owners of smaller networks, with less than 256 IP addresses, from employing this method of providing network-layer DDoS mitigation.

This restriction also limited Incapsula’s own ability to offer our Infrastructure Protection service, which provides network layer DDoS protection and is an integral component of our comprehensive, three-part DDoS protection solution.

The new feature changes all of that, giving us the option to provide network layer DDoS protection for a single IP address.

This enables users to deploy Incapsula DDoS protection service to defend all types of environments, including:

  • Cloud environments (e.g., AWS, Azure)
  • Gaming servers (and other devices using proprietary protocols)
  • Individual networked devices and origin servers

We expect that this newfound ability to will make Infrastructure Protection the go-to option for organizations with smaller networks looking for a robust, versatile, and cost-effective DDoS mitigation solution.

How it Works

When you join this service, Incapsula will assign you an IP address from our own IP range for routing traffic.

A GRE tunnel is then established between your origin servers (or routers/load balancers) and the Incapsula network. Once in place, this tunnel is used to route clean traffic from our network to your origin, and vice versa.

You then broadcast the assigned IP addresses to your users via DNS, making these your nominal “origin” addresses.

Going forward, all incoming traffic flows through the Incapsula network, is inspected by our Behemoth scrubbers, and then forwarded to the origin via your GRE tunnel. Outgoing traffic also passes through Incapsula’s network.

IP-level DDoS protection - How it Works

Common Use Case: Protection for Gaming Servers

The gaming industry is a frequently attacked vertical, with gaming servers being popular DDoS targets. There are many financial and operational reasons that make gaming platforms an ideal DDoS target. These include:

  • Gaming servers are incompatible with HTTP/S proxy-based DDoS mitigation solutions, since they use proprietary protocols (usually UDP-based).
  • Gaming companies don’t usually own an entire Class C IP range, as well as requisite hardware needed to onboard a BGP-enabled DDoS protection service- the other practical alternative.

It all boils down to them being highly susceptible to the latency and availability issues caused by such attacks. To make matters worse, many gaming platforms don’t have a suitable DDoS protection solution, making them exceptionally vulnerable.

Now, with DDoS protection for individual IP addresses, gaming server operators can achieve the required level of protection that is also compatible with their current setup and capabilities.

This levels the playing field, allowing gaming companies of all sizes to focus on business growth while leaving Incapsula security experts to protect the fort.

Third Major Upgrade

Our new IP-level DDoS protection feature is the third major enterprise service update that we’re announcing today. The other two are:

The theme of this coordinated service upgrade is about enabling you to use the Incapsula system in new ways – and to do so from within your existing security solutions and workflows.

For more information about this new feature, or to sign up to be a part of our early availability program for our Infrastructure Protection for individual IPs feature click here and include “Infrastructure Protection Early Availability Program” in the comments field.


Would you like to write for our blog? We welcome stories from our readers, customers and partners. Please send us your ideas: blog@incapsula.com