Stop DDoS Attacks Before They Reach Your Network

Enabled via GRE tunneling and Border Gateway Protocol (BGP) routing, Imperva Incapsula Infrastructure DDoS Protection is an on-demand security service that safeguards critical network infrastructure from volumetric and protocol-based DDoS attacks. It is powered by proprietary “Behemoth” scrubbing servers, capable of mitigating 170Gbps of DDoS attacks per appliance, which ensure the Incapsula network is never overwhelmed. Infrastructure DDoS Protection complements other CDN-based services from Incapsula to provide complete protection from all DDoS threats for all network protocols and internet-connected devices.

Key Capabilities

  • Incapsula Infrastructure DDoS Protection
    • Blanket DDoS protection for all types of services (UDP/TCP, SMTP, FTP, SSH, VoIP, etc.)
    • Complements the web application protection provided by Imperva SecureSphere Web Application Firewall
    • GRE tunneling for seamless on-demand onboarding
    • DDoS protection for entire subnets or individual IP addresses
    • Complete protection against direct-to-IP DDoS attacks
    • Enabled by Incapsula "Behemoth" scrubbing servers
  • Infrastructure DDoS Protection for Subnets

    Infrastructure DDoS Protection helps you protect all elements of your critical infrastructure (e.g., Web, email, FTP) across entire subnet ranges.

    In the event of an attack, traffic is re-routed through Incapsula scrubbing centers using BGP announcements. From this point on, Incapsula acts as the “ISP” and advertises all protected IP range announcements.

    All incoming network traffic is inspected and filtered. Only legitimate traffic is securely forwarded to the enterprise network, via GRE tunneling.

  • Infrastructure Protection for Individual IP Addresses

    Using this unique deployment model, Incapsula brings the benefits of infrastructure DDoS protection to customers who do not have an entire Class C subnet. This always-on feature enables smaller organizations to protect multiple service types and protocols, even for a single IP address, without using BGP routing. Customers receive a protected IP address from Incapsula, which inspects and filters all incoming traffic. A redundant, secure, two-way GRE tunnel is used to forward clean traffic to the origin IP and return outbound traffic from the application to users.

    Single IP address protection is ideal for gaming servers and SaaS applications, which have high-traffic, critical non-HTTP assets with low IP counts, as well as for cloud deployments in need of direct-to-IP attack prevention.


    The Incapsula 24x7 external monitoring service complements its on-demand infrastructure DDoS protection, alerting customers to DDoS attacks so they can quickly reroute traffic through Incapsula for mitigation. Through this service, Incapsula SOC experts use the Incapsula system to monitor and analyze NetFlow and sFlow statistics coming from protected routers and other network elements, detect anomalies that indicate a DDoS attack, and immediately notify customers based on their existing incident response workflows. External Monitoring helps protect online business assets round-the-clock, ensuring fast attack detection and mitigation triggering backed by an SLA.

  • Highly Resilient

    The Infrastructure Protection service is built on top of the Incapsula global network of high-powered data centers. Route advertisements are propagated from all data centers to create a “many-to-many” defense for preventing DDoS attacks.

  • Quick and Easy Implementation

    Protection for entire subnets is enabled on-demand. With the GRE tunnel in place, BGP routing is used to activate and deactivate the service on the fly, allowing customers to quickly and easily respond to any type of DDoS attack.

  • Unhindered Visibility

    Legitimate incoming traffic passing through the Incapsula network is unaltered, ensuring that source IP address visibility remains intact. At the same time, all outgoing traffic is forwarded as normal to the ISP, minimizing the chance for any impact to regular traffic flow while preventing DDoS attacks.

  • Comprehensive Infrastructure DDoS Protection

    Infrastructure DDoS Protection is fully compatible with Incapsula Website and Name Server DDoS Protection services. Together these form the most robust DDoS protection offering on the market, able to deal with highly sophisticated DDoS threats and any possible DDoS-related security scenario.

  • Cost-Effective Infrastructure DDoS Protection

    The Incapsula Infrastructure DDoS protection service offers 24x7 protection against all DDoS attacks without the need for multi-gigabit Internet connections, or any additional hardware. Using Incapsula eliminates the setup and overhead costs associated with over-provisioning and deployment of additional on-premise appliances.