New 10 Second SLA For Rapid DDoS Mitigation


Two months ago, we updated the Imperva Incapsula SLA (service level agreement) to guarantee network and application layer DDoS attack mitigation in under 10 seconds.

This commitment sets a new standard for time to mitigation (TTM), made possible by improvements to our DDoS mitigation technology and processes.

In this post, we explain the importance of TTM and the solutions that now enable the mitigation of all DDoS attacks within seconds.

Why Every Second Matters

When it comes to DDoS mitigation, the rule of thumb is “moments to go down, hours to recover”, i.e., the length of an attack doesn’t always correlate with an enterprise’s recovery time.

This is because a successful DDoS attack creates a ripple effect, influencing multiple enterprise segments far beyond IT operations.

The impact is mostly felt by sales, support and marketing, who are charged with communicating the situation to customers, the media and potential buyers.

The security team is also likely to go into “alert mode” and hunt for traces of malicious activities (e.g., data theft) that might be executed under the smokescreen of a DDoS attack.

No matter the scenario, the bottom line remains the same—if allowed to break through, even a brief DDoS attack can end up costing your organization tens of thousands of dollars in man-hours, lost business and reputation damages.

This is not lost on bad actors, who have recently taken to launching short DDoS bursts (e.g., pulse wave attacks) to rapidly penetrate an organization’s security perimeter and cause a series of short-lived downtimes for maximum accumulated damage.

Pulse wave DDoS attack

The existence of such threats and the dire implications of DDoS induced downtime is why rapid mitigation is so important when dealing with DDoS attacks.

Breaking Down Time to Mitigation

Time to mitigation is technically defined as the period from when the first DDoS attack packet hits your system to when your mitigation provider begins scrubbing incoming traffic.

TTM varies among service providers and is largely dependent on the time taken to execute the following steps:

  1. Detection – The speed with which a mitigation service notices that a DDoS attack is taking place.
  2. Sampling – The time taken to analyze traffic flows and create directives for scrubbing.
  3. Scrubbing – The ongoing process of filtering out malicious traffic, based on patterns identified during the sampling process.
DDoS mitigation stages

DDoS mitigation stages


 There are a number of factors influencing how quickly these steps can be completed.

For example, detection times correlate with the frequency with which NetFlow logs are exported and the level of detail (sampling rate) they provide. The number of nodes in an attacked network is also a factor, as multiple logs have to be compiled to create a single clear picture.

Always-On 10 Second Mitigation

Incapsula offers always-on mitigation for web sites. This removes the need for the traffic diversion and allows the system to speed through detection and sampling in just a few seconds.

Rapid detection and sampling is made possible by:

  1. The robust processing capabilities of our mitigation solutions.
  2. Our network’s ability to exchange real-time traffic data.
Real-time exchange of attack information across multiple datacenters

Real-time exchange of attack information across multiple datacenters


1. Robust Processing

Network layer assaults are mitigated using our Behemoth 2 (BHv2) scrubbers—fully automated mitigation appliances capable of inspecting 650 million packets/440 gigabits per second, enough to immediately detect any attack.

Once detected, the large amount of sample data the appliances can instantly pull up from the traffic flow allow for the creation of scrubbing directives in milliseconds.

Application layer attacks are mitigated on the proxy level, where the detection and sampling processes are just as immediate. This is because the total processing power of our proxy network scales well up into millions of RPS (requests per second).

2. Real-Time Exchange of Information

Our ability to rapidly mitigate attacks is supported by a network of real-time synchronization (RTSYNC) servers. Deployed across the Incapsula network, the sole purpose of these machines is to broadcast traffic data to their many nodes.

The benefit of this system is that it detaches the exchange of traffic data from all other, less urgent communication types (e.g., configuration change propagations).

With this “fast lane” in place, all proxies and scrubbing servers can instantly alert one another about an attack that they detected and share scrubbing signatures. As a result, scrubbing usually commences in under a second from the moment the first attack packet reaches any Incapsula node, regardless of attack type.

The other nine seconds allowed by our SLA are only there to provide us with a safety margin in case of an atypical attack scenario.

More to Come

The Imperva Incapsula 10-second SLA represents a new standard in time to mitigation and our ability to maintain site uptime when faced with any DDoS attack.

We have a number of other response time updates in the pipeline, including one that improves time to mitigation for on-demand customers, which we look forward to unveiling in the near future.

Until then, let us know what you think about our new SLA in the comments below.