Imperva Incapsula

DDoS Protection

DA T A SH E E T

Automated Mitigation of the Largest

and Smartest DDoS Attacks
Imperva Incapsula secures websites against the largest and smartest types of DDoS
attacks—including network, protocol and application level (Layers 3, 4 & 7) attacks—with
minimal business disruption. Our cloud-based service keeps online businesses up and
running at high performance levels even under attack, avoiding financial losses and
What You Get serious reputation damage.

• Powerful backbone across globally

Incapsula service is built to handle the largest volume-based attacks, such as SYN flood
distributed data centers and DNS amplifications, and also mitigates sophisticated application layer attacks
• Specialized support of massive by implementing advanced and progressive challenge mechanisms. The service
SYN flood, DNS targeted, and DNS automatically and transparently mitigates DDoS attacks with minimum false positives, so
amplificiation attacks
that site visitors won’t know that the site is under attack.
• Advanced algorithms which mitigate
sophisticated application layer Incapsula DDoS Protection service includes real-time dashboards to monitor & analyze
attacks attacks as they happen and features a dedicated 24/7 NOC, manned by our experienced
• Real-Time dashboards to monitor security experts, in order to ensure enterprise-grade uptime SLA when under attack.
and analyze attacks as they happen
• Dedicated 24/7 NOC for enterprise-
grade uptime
• Support for anycast, unicast and
hybrid routing techniques for
effective DDoS mitigation.
• Infrastructure Protection enables
protection for entire subnets from
network layer attacks

1
 D ATASHE E T

Why Imperva Comprehensive Protection Against Any Type of DDoS Attack

Incapsula protects your website against all types of DDoS threats, including network-
Incapsula? based attacks, like Sloworis, ICMP or TCP & UDP floods, and application-level attacks
such as GET flood, that attempt to overwhelm server resources. The service detects
• Automatic always-on detection &
triggering of “under attack” mode and mitigates advanced attacks that exploit applications, web server, and DNS server
• Zero business disruption based on vulnerabilities, hit-and-run attacks and large botnet threats.
transparent mitigation with minimum
false positives
• End-to-end protection against the
DDos
largest and smartest DDoS attacks
• Activated by simple DNS change—no
hardware or software installation,
integration or changes to the website

Your Servers
Legitimate Incapsula’s
Incapsula Traffic Network

protects your DDos

website from
all types of Scalable High-Capacity Network to Handle Volume-Based Attacks

DDoS attacks: As the size of volume-based DDoS attacks such as SYN flood and DNS amplification
routinely exceeds 100 Gbps, organizations require robust network capacity to mitigate
• TCP SYN+ACK ever-growing assaults. With our global network capacity exceeding 1 Tbps (terabits
• TCP FIN per second), Incapsula is well-equipped to defend against even the largest volumetric
• TCP RESET barrages. Our always-on cloud service ensures that mitigation is applied outside your
• TCP ACK own network, allowing only filtered traffic to reach your host servers.
• TCP ACK + PSH
• TCP Fragment Intelligent Multi-Layer Protection
• UDP
Incapsula ISP grade edge routers are set to filter out and isolate immediately identifiable
• ICMP
malicious packets, such as DNS amplification and Martian packets. The rest of the traffic
• IGMP
is prioritized by Class of Service and distributed across the Incapsula scrubbing centers,
• HTTP Flood
each with multiple 10-Gig uplinks. Each Incapsula scrubbing center holds several
• Brute Force
interconnected, high-powered scrubbing clusters. These clusters are used for real-
• Connection Flood
time DDoS traffic profiling and blocking. When under attack, they seamlessly process
• Slowloris
incoming packets and HTTP sessions and use the Incapsula unique intelligent traffic
• Spoofing
profiling solutions and bot detection technology to accurately weed out malicious traffic,
• DNS flood
without affecting legitimate visitors.
• Mixed SYN + UDP or ICMP + UDP
flood
• Ping of Death
• Smurf
• Reflected ICMP and UDP
• Teardrop
• Zero-day DDoS attacks
• Attacks targeting Apache, Windows
or OpenBSD vulnerabilities
• Attacks targeting DNS servers
• And more…

2
 D ATASHE E T

Advanced Mitigation of Layer 7 Attacks

Incapsula visitor identification technology differentiates legitimate website visitors
Incapsula was able to (humans, search engines, etc.) from automated or malicious clients. This capability is
critical with respect to application layer (Layer 7) attacks, where the DDoS requests look
withstand the massive
like legitimate visitors. Unlike other DDoS protection services that are based on easy-to-
distributed denial-of-service evade and false-positive prone techniques (e.g., rate limiting or splash/delay screens),
Incapsula distinguishes between humans and bot traffic, between “good” and “bad” bots,
(DDoS) attack and keep and identifies AJAX and APIs. Legitimate bots, such as Google and Bing, continue to
the targeted website up access your website, even when it is under attack.

and running… DNS DDoS Protection

1/10/13 “LATEST 100 GIGABIT ATTACK IS Incapsula DNS DDoS feature protects DNS servers from targeted attacks, which is critical
ONE OF INTERNET’S LARGEST” for site availability. Just change your NS records to point to Incapsula, and all DNS
queries for the protected domains will be inspected and filtered for malicious traffic in
the Incapsula cloud, ensuring that only “safe queries” reach your origin DNS server. This
protects your server from direct DDoS attacks, as well as blocking attempts to use it as
a platform for DNS amplification attacks against other servers. In the event of an attack,
customers receive email alerts and GUI notifications.

Transparent Mitigation
Incapsula protects your site not only from complete denial of service, but also from
disruptions related to DDoS attacks, mitigation false-positives, etc. We offer transparent
mitigation with less than 0.01% false positives, and without degrading the normal user
experience in any way. This lets you enjoy true DDoS protection, even from lengthy
attacks, without disrupting business performance. Moreover, 99.99% of your legitimate
site visitors will not be impacted in any way by the attack, and will continue browsing
normally without annoying splash screens or delays.

Automatic Detection and Triggering

Incapsula offers automatic always-on DDoS mitigation, which is well-equipped to handle
“hit and run” attacks consisting of short bursts of traffic in random intervals over a long
period of time. This type of attack can wreak havoc with DDoS mitigation solutions that
need to be manually turned on and off on every burst. Automatic detection and activation
enables Incapsula to take full responsibility for both detection and mitigation of the attack.

Fast, Easy Onboarding—DNS-Based Routing

DDoS Protection can be rolled out without the need for hardware, software, integration
or web application code changes. Customers can provision this service simply by
changing their website’s DNS setting. This effortless deployment allows customers to be
protected in a matter of minutes while maintaining their existing hosting provider and
application infrastructure.

3
D ATASHE E T

Infrastructure Protection for Subnets

For enterprises that need to protect multiple service types and protocols across an entire
subnet range of destination IP addresses, Incapsula offers on-demand DDoS protection
based on BGP routing. In the event of an attack, traffic is re-routed through the Incapsula
scrubbing centers using BGP announcements. From this point on, Incapsula acts as the
“ISP” and advertises all protected IP range announcements. All incoming network traffic is
inspected and filtered, and only legitimate traffic is securely forwarded to the enterprise
network via GRE tunneling.
1.2.3.0/24
Protected
Subnets
DDos
BGP
Annoucement

Traffic flowing via GRE Tunnel

Customer
Incapsula during a Router
DDoS attack. BGP Incapsula’s Customer
Infrastructure
announcement Legitimate
Network
is used to route Traffic
protected subnets
through Incapsula
for mitigation.

Infrastructure Protection for Individual IP Addresses

Using this unique deployment model, Incapsula brings the benefits of infrastructure
protection to customers not owning an entire Class C subnet. This feature enables
smaller organizations to protect multiple service types and protocols—even for a single IP
address—without using BGP routing. You receive a protected IP address from Incapsula,
after which we inspect and filter all incoming traffic. A redundant, secure, two-way GRE
tunnel is then used to forward clean traffic to your origin IP and return outbound traffic
from your application to your users.
Single IP address protection is ideal for gaming servers and SaaS applications.
These have high-traffic, critical non-HTTP assets with low IP counts, as well as cloud
deployments in dire need of direct-to-IP attack prevention.

Traffic flowing via Incapsula’s IP

Incapsula during Address 1.2.3.4
a DDoS attack.
DDos
Customer traffic is
routed to an Incapsula
IP address, allowing
it to pass through GRE Tunnel
the Incpauls network
for cleansing before
Incapsula’s Customer
being forwarded over Infrastructure
a secure GRE tunnel Legitimate
Network
to the customer. Traffic

4
 D ATASHE E T

Collaborative Security
Incapsula protects websites using collective knowledge about DDoS threats, including
new and emerging attack methods. Using crowdsourcing techniques, this information
is aggregated across the entire service network, comprising thousands of websites, to
identify new attacks as they happen and to detect known malicious users. Based on this
information, mitigation rules can be applied in real-time across all protected websites.

Cost-Effective Cloud-Based DDoS Protection

Incapsula offers a cloud-based service that gives you 24x7 protection against DDoS
attacks without the need for multi-gigabit Internet connections and additional hardware
and operational costs. This eliminates the costs associated with over-provisioning
bandwidth and deploying additional servers and load balancing appliances on premise.
For enterprise plan customers, Incapsula assigns a personal account manager to act as a
single point of contact for all DDoS security needs.

World-Class Support by DDoS and Security Experts

The DDoS Protection service provides organizations with continuous monitoring and
mitigation by our battle-proven team of experienced Security Operations Center (SOC)
engineers. Our service includes proactive security event management and response,
continuous real-time monitoring, adept policy tuning, summary attack reports, and 24x7
technical support.

Learn more: imperva.com/incapsula

© 2015, Imperva, Inc. All rights reserved. Imperva, the Imperva logo, SecureSphere, Incapsula and Skyfence are 5
trademarks of Imperva, Inc. and its subsidiaries. All other brand or product names are trademarks or registered
trademarks of their respective holders. DS-DDOS-PROTECTION-0915-rev1
imperva.com