Search Blog for

Top to Bottom DDoS Mitigation — New DNS and Infrastructure Protection

Top to Bottom DDoS Mitigation — New DNS and Infrastructure Protection

Today we are announcing two major upgrades to Incapsula security services, which significantly extend the range of our award winning anti-DDoS solutions.

The first of these is a DNS Protection service. As the name suggests, this solution safeguards our clients’ DNS servers, while also accelerating DNS responses.

The second is our Infrastructure Protection service, enabled by the addition of a GRE tunneling onboarding option.

This new service allows us to widen the Incapsula security perimeter to a point where Incapsula can be used to protect entire subnets, secure all network elements and inspect all TCP/UDP communication.

The underlying technology powering these new services is our custom-built scrubbing hardware (codenamed “Behemoth”). Each of these appliances can process 170Gbps worth of traffic, performing deep packet inspection, filtering, tunneling, and routing.

DNS Protection

In recent months we’ve witnessed a resurgence of DNS DDoS floods. Two of the most common scenarios are massive NXDomain and massive DNS Query floods, mutated out of proportion through misuse of high-capacity servers.

The rate at which these attacks are evolving now threatens even the most resilient DNS services and this is exactly where our ‘DNS Protection’ comes into play.

Now, through a simple 30-second verification process, our clients can turn Incapsula into their authoritative DNS server while still continuing to manage their zone file outside of our network.

With ‘DNS Protection’ in place, Incapsula becomes the destination for all incoming DNS queries, which are scrubbed on their way to the origin.

For added precision, Incapsula users can set their own custom thresholds, with different values provided for the more likely-to-be-legitimate ‘safe’ queries (e.g.,

Users can also manually enforce DNS cache freshness by electing to refresh all cached data or by selectively refreshing cache for specific DNS records.

Custom Settings - DNS DDoS Flood Thresholds

An interesting byproduct of this setup is that it also significantly speeds up all DNS communication.

Thus, with all of the Incapsula anycast-connected data centers pushing DNS data upstream, the entire network acts as one ‘mega-resolver’ — always serving DNS queries from the closest available geo-location.

Core Infrastructure Protection via GRE Tunneling

Our new ‘Infrastructure Protection’ service allows clients to virtually integrate the Incapsula anti-DDoS solution into their network infrastructure, in a way that will provide complete protection from all DDoS threats.

With ‘Infrastructure Protection’ we can extend Incapsula DDoS protection to entire subnets, securing FTP and email servers and mitigating direct-to-origin attacks, as well as other direct attacks on crucial components of our clients’ infrastructures.

On-Demand Overprovisioning

‘Infrastructure Protection’ is offered as a non-intrusive solution, which can be activated on demand, in a matter of seconds.

Complete Infrastructure Protection with GRE Tunneling

To onboard, the operator simply needs to open a GRE tunnel to one (or more) of the Incapsula new ‘Behemoth’ scrubbing servers — each providing an additional 170Gbps worth of network ‘muscle’, just when it’s needed the most.

With the setup complete, the defending network starts publishing all IP prefixes through Incapsula. This causes all incoming traffic to arrive through the Incapsula cloud where it’s inspected and cleansed, prior to being forwarded through a clean network pipe. At the same time, all outgoing requests will continue to be routed as usual via the customer’s ISP.

Behemoths on the Data Plane

As mentioned, our new anti-DDoS features are enabled by massive ‘Behemoth’ scrubbing servers, built from the ground up by our R&D team.

Don’t let the name fool you, these “beasts” are not only massive, they are also extremely intelligent. In fact, their main purpose is to provide us with the granular visibility and flexible data plane programmability, required for non-disruptive DDoS mitigation.

With their additional filtering options and accurate packet inspection capabilities, these ‘Behemoth’ servers effectively counter the rapidly evolving DDoS threats. In addition, each of these high-capacity servers also contributes to the overall resilience of the Incapsula system, as we prepare for the terabit scale DDoS attack.

Looking to learn more about Incapsula DDoS Protection services?
Email us or join us for an upcoming Live Webinar.