Search Blog for

Three Tiers of DDoS Protection

Three Tiers of DDoS Protection

DDoS attacks are one of the greatest threats facing your IT infrastructure in the modern business world. Today’s DDoS attacks are more sophisticated and diverse than ever before; a simple one-dimensional threat protection platform is no longer enough to provide you with the level of support you need.

This is why Incapsula has introduced two new tiers of protection-infrastructure and DNS-to our existing web application defense offering. These new tiers combine to offer complete protection from all DDoS attacks, no matter where they may be targeted. The following is a quick overview of how the tiers function.

Tier One: Web Application Protection

Web application protection has been the basis of the Incapsula DDoS mitigation services for years; all its capabilities our customers have come rely on continue are a part of our three-pronged solution.

The Incapsula web application protection operates on an ‘always-on’ mode, offering an instant, automated response to all DDoS threats. This solution uses a content delivery network (CDN) and web application firewall to process incoming web traffic. Additionally, IP masking protects against direct-to-IP DDoS attacks.

Infrastructure DDoS Protection

The Incapsula global CDN is capable of handling high-volume DDoS attacks, such as GET floods. This solution reroutes all incoming web traffic through our network, first scrubbing out malicious traffic, and then sending legitimate traffic through to your website with no latency.

During the inspection process, our award-winning traffic inspection technology lets us identify and block all malicious bot activity without detaining your website’s legitimate visitors.

Tier Two: DNS Protection

DNS server attacks are one of the newer ploys perpetrators are using. Disabling or crippling DNS means IP addresses won’t resolve, effectively denying access to your servers. The Incapsula DNS protection service is also always-on, helping to identify and block attacks targeting DNS servers, no matter where they occur.

Infrastructure DDoS Protection

Our solution provides a hardened DNS server that sits in front of your organization’s DNS server. All incoming DNS queries are filtered through the Incapsula server, while you still have the flexibility to manage your own DNS environments outside of our network.

DNS protection is supported by the Incapsula global data center network that responds quickly to all DNS queries. This service adds an additional layer of security on top of our web application protection offering.

Tier Three: Infrastructure Protection

Increasingly, attacks are now being mounted against origin servers and other elements of core infrastructure — not just HTTP.

Our newest offering is based on border gateway patrol (BGP) routing. When an attack is detected, the client makes a BGP announcement. In turn this makes Incapsula the source of all incoming traffic, allowing our service to filter out malicious DDoS requests on-edge. After filtering, all legitimate traffic is securely passed on to your enterprise network using GRE tunneling, ensuring uninterrupted service for legitimate users.

Infrastructure DDoS Protection

Our Behemoth scrubbing servers, in charge of filtering duties, are extremely resilient and able to handle even the largest high-volume DDoS attacks-including UDP, SMTP, and SYN floods.

The twist is that the Incapsula solution also relies on the robust deep packet inspection (DPI) capabilities of our new Behemoth servers. Using proprietary technology, these identify and block malicious packets based on the most granular of details. This new technology lets us inspect all attributes of each incoming packet, while serving hundreds of gigabits of traffic at an inline rate.

The Incapsula infrastructure protection solution can be activated on the fly, ensuring that your company is always ready for a DDoS attack, no matter when it occurs. That this solution relies on GRE tunneling ensures blanket compatibility; Incapsula can address a wide variety of protocols and protect numerous types of network appliances and cloud environments.

To learn first-hand how our three-tiered approach provides superior protection against divergent DDoS attacks, take advantage of our free trial offer today.