14 Great Questions about Infrastructure Protection

At our recent webinar, “Protect Gaming and Betting Sites from Downtime,” attendees asked many questions about how the infrastructure protection technology works. From BGP, GRE tunnels, DDoS mitigation and other topics, Imperva Incapsula covers many infrastructure protection areas.

Q: I already have a WAF. Do I still need infrastructure protection?

A: The Incapsula web aplication firewall (WAF) protects your website against critical web application security risks, such as SQL Injection, Cross-Site Scripting, Illegal Resource Access, Remote File Inclusion and other OWASP Top 10 threats.

However, a WAF only protects your web applications, not your non-web assets such as critical infrastructure (e.g.,email, FTP, proprietary protocols, etc.). To protect these against network-layer attacks, you must have either the entire subrange or each IP protected using Infrastructure Protection.

Q: To be able to get Infrastructure Protection, do customers need to have at least a C-class IP range?

A: Incapsula uses BGP routing to enable Infrastructure Protection, which requires an entire class IP range. BGP routing-based mitigation provides complete origin protection against direct-to-IP assaults for your network infrastructure.

In the event of a DDoS attack, Incapsula advertises all server IP range announcements (instead of your ISP). This ensures that all traffic directed toward the affected IP range is inspected and filtered by Incapsula before reaching your infrastructure, effectively preventing direct-to-IP attacks.

Q: Don’t BGP routing and GRE tunnels always work as a pair?

A: BGP routing is used to forward all traffic to the Incapsula network, and this is done when Incapsula publishes and advertises the protected IP ranges. A GRE tunnel, on the other hand, is used to securely connect between Incapsula scrubbing servers and the customer infrastructure.

However, for Infrastructure Protection for Individual IPs, customers receive a protected IP address from Incapsula, which inspects and filters all incoming traffic to that address. A redundant, secure, two-way GRE tunnel is then used to forward clean traffic to the origin IP and return outbound traffic from the application to users.

Q: So, for Infrastructure Protection for individual IP addresses, if I have the GRE tunnel piece, I don’t need the BGP routing component?

A: Exactly—and because you don’t need BGP routing, you don’t need the entire C-class IP range.

Q: Does Infrastructure Protection include protecting gaming systems, such as EA Sports or Blizzard, in addition to online betting and gambling sites?

A: Infrastructure Protection is equally applicable to gaming and online gambling sites. Most of the inherent vulnerabilities intrinsic to gaming and betting sites, such as EA Sports and Blizzard, apply. These include sensitivity to latency, custom protocols devoid of built-in security, predictable rush hours and so forth. Since Incapsula solution protects individual IPs—regardless of protocol—it’s ideal for online gaming, as well as gaming and betting sites.

Q: Can I just buy a DDoS mitigation appliance and put it in front of my gaming server?

A: Technically, you could do that if you have a typical data center, but then you would be limited by the size of the pipe. If under attack, you would pay for all the bandwidth being consumed, and you could be null-routed. The irony is that this scenario plays right into the hands of attackers. Also, a hardware-based approach is not scalable.

A better solution is to block traffic upstream of the ISP. Also, with the migration of most businesses to the cloud, it makes more sense to have a cloud-based service that doesn’t require onsite hardware, software and the expertise required to manage and run an appliance.

Q: What do you mean by blocking upstream traffic?

A: An appliance is downstream from an ISP, sitting in front of your server. All traffic coming from the ISP to the server is untreated. Either one or both of these two things can happen:

  • DDoS assaults get pushed straight to you, in which case you have to pay for all the excess bandwidth consumption.
  • The ISP could simply drop your IPs, making your website unavailable.

Relying on an appliance is clearly not an appropriate solution.

By blocking upstream traffic, you’re able to protect the traffic before it reaches your ISP. With a cloud-based protection service such as Incapsula, all traffic is inspected and scrubbed in our network before it gets to the ISP; you get only clean traffic. You won’t ever have to pay for extra bandwidth nor run the risk of downtime. A cloud-based service like Incapsula minimizes bandwidth costs while improving both security and performance.

Q: Is infrastructure protection an always-on or on-demand solution?

A: Infrastructure Protection using BGP is an on-demand solution. To complement this offering, we have a 24/7 external monitoring service complements that alerts you to DDoS attacks so you can quickly reroute traffic through Incapsula for mitigation.

Infrastructure Protection for Individual IP Addresses is an always-on solution, so Incapsula detects and blocks attacks without requiring any involvement from the customer.

Q: What is the benefit of having this offering always-on, as opposed to only during an attack?

A: The critical aspect always comes down to time to mitigation—the period it takes from initially identifying an attack until being able to actually mitigate it. As long as the latency induced by using a service is minimal or non-existent, an always-on, 24/7 security product minimizes your time to mitigation—with no downtime.

Q: What is the effect on performance if traffic has to pass through your network?

A: There is only minimal effect on latency. That’s because with Incapsula’s Infrastructure Protection, a GRE tunnel is established between the customer’s infrastructure and the Incapsula scrubbing center in closest physical proximity to them.

And with Incapsula’s globally distributed network of strategically located scrubbing datacenters, the customer’s network is never far away.

Q: Can a DDoSer detect that the Incapsula service is in place?

A: It really depends on what mechanism you’re using.

For this specific solution (Infrastructure Protection for Individual IP Addresses) the attacker can see your gaming service is using an Incapsula IP address. Since our reputation against DDoS attackers is well known, this may very well be a deterrent in and of itself.

Q: How long does it take Incapsula to identify an attack and block it?

A: Our time to identify and block an attack is minimal. Our solution is in always-on mode; it automatically identifies attacks and almost immediately starts blocking them. You can expect to realize a time-to-mitigation of a few seconds—as opposed to minutes or hours with other solution types.

Q: What can I do to secure both the gaming server and my website?

A: The Incapsula solution is a suite of products that addresses both security and performance concerns. In addition to providing DDoS protection, it’s built on an industry-leading web application firewall.

While denial of service attacks are thwarted, our WAF protects against spam bots, cross site scripting, SQL injections and other security breach attempts to which your website is otherwise exposed. With the Incapsula cloud-based solution, you can protect your gaming server while securing your website at the same time.


To listen to the webinar “Protect Gaming and Betting Sites from Downtime,” including the Q & A, check out the complete recording.

Keep your finger on the pulse

Sign up for updates from Imperva, our affiliated entities and industry news.