Incapsula vs. Clean Pipes: 7 Reasons to Keep Your Network Safe

DDoS attacks are increasing in scale, and you certainly want the best protection available, since an attack can restrict access to your site or even bring it down. As with most products you purchase, there are choices with varying quality and associated costs. The choices for identifying and blocking DDoS attacks are:

  • A clean pipe from your ISP that utilizes a traditional on-premises device to block the attacks.
  • A cloud service that identifies and blocks the attacks before they reach your network of servers.

Say you are shopping for an alarm system to protect your home. The options could range from the simplest DIY alarm to a professionally installed system from an alarm company that will guarantee notifying the police so they arrive at your home very soon after the alarm is triggered. Based on the value of the assets in your home, you will choose whether to spend more to receive better protection.

There are a number of considerations in choosing your solution and we will examine each to understand their benefits. The analogy to the alarm system demonstrates the choice in each case.

Time to Mitigate

Obviously you want (and need) to block the attack as soon as possible. Even a short attack, prior to detection and mitigation, can overwhelm your capacity and block access for your legitimate users.

Clean pipes, which rely on manual human intervention, typically take up to 30 minutes to identify and start to block the attack. Incapsula DDoS protection, with packet inspection, identifies and begins to block the attack typically in <1 second.

You choose how quickly you want that alarm company to respond to a break-in.


The size of DDoS attacks is increasing, with a recent 650 Gbps (gigabits per second) DDoS flood attack reaching more than 150 Mpps (million packets per second). Clean pipes simply cannot cope with an attack of that size, even with a few such devices used for protection. The main reason is that clean pipes can’t scale.

The appliance that a clean pipe relies on can handle up to about 40 Gbps and 10-20 Mpps. The Incapsula protection network can scale to protect over 3 Tbps (terabits per second) and over 30 Gpps (billion packets per second), which is many multiples larger than any attack to date.

You choose whether to hire an alarm company that has sufficient personnel to respond to multiple break-ins in your area.

Multivector Attacks

Multiple attack vectors can be combined in a DDoS attack, in parallel or sequentially. The attacker can, for example, combine a TCP packet attack with a UDP packet attack. Clean pipes require time to identify each of these vectors, increasing the overall time to mitigate. Incapsula DDoS protection recognizes the combined attack, with no increase in time to mitigate.


Your protection solution must be active at all times to ensure full coverage. Clean pipes offered by your ISP do not come with a service level agreement (SLA) guaranteeing a percentage of uptime. Incapsula provides a five-nines (99.999%) uptime SLA with its protection network.

You choose an alarm company that has an SLA commitment for responding to a break-in.


Incapsula provides detailed real-time and historical information about your attack traffic flows, which includes:

  • Data resolution of 3 seconds on the real-time dashboard
  • Data resolution of 15 seconds on the historical dashboard
  • Email or SMS notifications of attacks

Clean pipes do not provide this level of information.

You choose whether you want monitors that will display the health of your alarm system and the exact entry point of a break-in.


Incapsula provides 24/7 support from its dedicated NOC, with experienced support engineers. They can handle your questions and issues at all hours to ensure that your protection is performing as expected. For example, they will assist you when you need to activate on-demand protection.

You choose whether to hire an alarm company that will respond any time of day if your alarm system malfunctions.

Proprietary Technology

Unlike the clean pipe from your service provider, Incapsula protection is developed in-house from the ground up and is not based on third-party software. It is built by engineers and tailored to the exact needs of Incapsula customers, and provides advantages such as:

  • Questions and issues are addressed directly by the Incapsula engineers, without additional delays waiting for responses from a third party. If a fix is needed, it can be deployed quickly.
  • The software is up to date and does not have to wait for the next release of the third-party software.

You choose whether to purchase that off-the-shelf system or an alarm system developed by your alarm company.

Decision Time

The Incapsula solution consists of these two levels that protect you whether you have a C-class subnet or not:

Choosing the appropriate DDoS solution comes down to the value you place on having your sites completely protected at all times. As with other products, there might be additional costs to purchase the best quality option. As we’ve listed, Incapsula protection is clearly superior in many ways.

Have more questions about Incapsula technology? Leave us a comment.