Imperva DDoS: How Cloud-based DDoS Mitigation Works

By Shikhar Sharma posted 08-17-2020 03:00



Find out how Imperva technology covers entire networks and their subnets from network-based DDoS attacks.


In our recent webinar on the persistent threat of Distributed Denial of Service (DDoS) attacks, a user-submitted question asked how cloud-based DDoS mitigation works.

Unfortunately, we were not able to cover this topic in-depth at the time – it was brought up 43 minutes into a 45-minute webinar – but it remains an important part of what makes Imperva’s solution unique in the world of cybersecurity. It is a topic that deserves a more comprehensive treatment, particularly considering the growing threat that DDoS attacks represent in a world still gripped by a global health pandemic.


Why Choose a Cloud-based DDoS Mitigation Strategy?

Imperva is not the only cybersecurity provider to choose a cloud-based DDoS strategy. This approach has proven itself to offer better performance – and greater cost-efficiency – than traditional on-premises options for years.

Before diving into what makes Imperva’s DDoS approach special, we will cover some of the reasons why putting DDoS mitigation technology on the cloud is such a powerful idea.

One of the primary advantages of a cloud-based DDoS mitigation network is the ability to deliver clean, vetted traffic to customers exclusively from a hardened set of data centers located around the world. This offers a number of distinct advantages:

Cloud-based Infrastructure Is Easier to Scale

Cloud-based DDoS protection offers the same kind of scalability that managed service providers offer their clients. This allows security vendors like Imperva to scale their mitigation resources according to threat profiles in real time.

In a cloud-based DDoS mitigation environment, additional resources can be assigned to thwart a persistent, large-scale attack in mere seconds. In an on-premises environment, on the other hand, security processes are necessarily limited by the presence of on-site equipment.

As a useful analogy, imagine a fire department responding to emergency calls. A solely on-premises solution is comparable to a fire station that has to bring its own truck – and its own water – to the site of the fire. If the fire is big enough, there are simply not enough resources to respond effectively.

A cloud-based solution is more like what modern cities actually have – a network of pipes connected to fire hydrants that allow first responders to mobilize quickly and send the nearest available team to quench the fire. In this case, that team can use resources from all around the globe in an instant, if needed.

Cloud-based Infrastructure Reduces Activation Delay

One of the persistent problems with DDoS protection throughout the cybersecurity industry is activation delay – the amount of time it takes for an alert to be registered in the security system before it reaches a human analyst who can address it.

In a traditional on-site cybersecurity environment, there is a security operations center (SOC) that requires 24/7 human operation. If the SOC is properly staffed and catches suspicious activity, it still might take several minutes for the security analyst in charge to review the relevant data and make a decision. That delay time is critical – your network may already be under attack.

Unfortunately, even this best-case scenario is hard to find in the real world. There are simply too many open cybersecurity positions and too few certified professionals to fill them. Every vacant SOC position extends the activation delay time and creates an opportunity for DDoS attacks to become bigger and more destructive before they are caught.

Organizations that pool their resources by investing in large-scale cloud-based infrastructure are able to reduce their dependence on the availability of individual cybersecurity professionals. The scalable nature of the global cybersecurity network allows for a much broader scope, and far better results for every individual organization that contributes to it. 

Cloud-based DDoS Mitigation Streamlines Client-side Traffic and Bandwidth

Imperva’s cloud-based DDoS mitigation service relies on 44 points of presence – purpose-built data centers located strategically around the world.

In effect, these data centers advertise our clients’ assets on the Internet, using techniques such as BGP route announcements or DNS updates. Any traffic destined for one of our clients’ servers therefore has to pass through one of our point-of-presence scrubbing centers. There, we verify the traffic’s legitimacy before sending it onwards to the client.

This makes it possible for DDoS Mitigation clients to enjoy clean, verified traffic coming from a trusted source. The result is simplified bandwidth and traffic infrastructure – if all of your incoming traffic has already been vetted and is coming from one of our trusted scrubbing centers, it is practically impossible to suffer the debilitating effects of a DDoS attack.

The practical benefit of this approach is that it hugely simplifies the client-side infrastructure capabilities required to do business. Access to client assets has to pass through Imperva infrastructure and be subject to Imperva vetting and reputation intelligence before it touches your servers.

What Makes Imperva’s DDoS Mitigation Approach Unique?

Imperva’s infrastructure protection uses techniques such as deep packet inspection, traffic baselining, rate limiting and reputation intelligence to determine the authenticity and validity of incoming traffic. It also extends this approach beyond a single customer or data center to encompass the entirety of Imperva’s global presence – effectively subsuming entire networks in the process.

This means that Imperva is capable of protecting entire networks and subnets from attack – not only application-layer attacks. Imperva has successfully blocked some of the largest Layer 7 attacks recorded in history, but it also maintains infrastructure capable of protecting against Layer 3 and Layer 4 attacks, which can be just as dangerous.

This degree of lower-level protection is invaluable when protecting entire networks. It enables Imperva’s DDoS mitigation technology to protect any online asset – from websites to DNS servers and SMTP servers alike. Lower-level protection with multi-terabit network capacity enables our solution to scrub and mitigate attacks to any IP-based application.

The core of this lower-level DDoS scrubbing service is a proprietary application called Behemoth. True to its name, this massive infrastructure solution provides packet level visibility and packet flow control to 24/7 operations center control teams, with one or more instances working in every Imperva data center around the world.

We also use Border Gateway Protocol (BGP) to regulate traffic flow throughout our points of presence within the global network, and forward clean traffic to our customers through a pre-established Generic Routing Encapsulation (GRE) tunnel.

When Imperva advertises its customers’ digital assets, it directs all data packets targeted to these assets to its own network. The Behemoth scrubs the traffic, filters incoming packets, and drops DDoS attack packets. The remaining verified packets travel to the customer through the GRE tunnel. 

This is necessary because Imperva is the only entity advertising the customers’ digital assets online. If we attempted to send our clean data packets to our customers over the public Internet rather than through the tunnel, their destination addresses would still be routed according to our own BGP announcement, so they would loop back around and return to our data center, to be re-scrubbed by Behemoth in an endless cycle. Our approach creates a robust, near-impermeable gateway that all incoming traffic has to pass through.
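As an added illustration (written for this article, not Imperva’s or Behemoth’s code), the following Python builds the GRE encapsulation described above and shows why it is needed: a scrubbed packet still carries the protected address as its destination, so sent natively it would follow the scrubber’s own BGP announcement straight back, whereas inside the tunnel the outer header points at the customer’s tunnel endpoint. All addresses are constructed from documentation ranges and the payload is a stand-in for a real transport segment.

```python
import struct
import ipaddress

# Constructed example addresses from RFC 5737 documentation ranges, not real infrastructure.
SCRUBBING_CENTER = "192.0.2.10"            # scrubbing center's GRE endpoint
CUSTOMER_TUNNEL_ENDPOINT = "198.51.100.1"  # customer's GRE endpoint, reachable over the Internet
PROTECTED_PREFIX = ipaddress.ip_network("203.0.113.0/24")  # customer prefix the scrubber announces via BGP
IPPROTO_GRE, ETHERTYPE_IPV4 = 47, 0x0800

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (yields 0 when the header is valid)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def routes_back_to_scrubber(packet: bytes) -> bool:
    """True if the outermost destination is in the prefix the scrubber announces, i.e. the
    Internet's BGP tables would carry this packet straight back to the scrubbing center."""
    return ipaddress.ip_address(packet[16:20]) in PROTECTED_PREFIX

def gre_encapsulate(clean_packet: bytes) -> bytes:
    """Scrubber side: outer IPv4 (protocol 47) + 4-byte GRE header + the scrubbed packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no checksum/key/sequence, GRE version 0
    outer = ipv4_header(SCRUBBING_CENTER, CUSTOMER_TUNNEL_ENDPOINT, IPPROTO_GRE, 4 + len(clean_packet))
    return outer + gre + clean_packet

def gre_decapsulate(frame: bytes) -> bytes:
    """Customer side: validate outer header, tunnel endpoint and GRE header; return the inner packet."""
    ihl = (frame[0] & 0x0F) * 4
    outer = frame[:ihl]
    if frame[0] >> 4 != 4 or ihl < 20 or ipv4_checksum(outer) != 0 or outer[9] != IPPROTO_GRE:
        raise ValueError("not a valid GRE-over-IPv4 packet")
    if str(ipaddress.ip_address(outer[16:20])) != CUSTOMER_TUNNEL_ENDPOINT:
        raise ValueError("outer destination is not our tunnel endpoint")
    flags, proto = struct.unpack("!HH", frame[ihl:ihl + 4])
    if flags != 0 or proto != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE flags/version or payload type")
    return frame[ihl + 4:]

def sample_clean_packet() -> bytes:
    """Constructed packet from an Internet client to a protected address (payload is a stand-in)."""
    payload = b"client request"
    return ipv4_header("192.0.2.200", "203.0.113.5", 6, len(payload)) + payload
```

Running `gre_decapsulate(gre_encapsulate(sample_clean_packet()))` returns the original packet unchanged, while `routes_back_to_scrubber` is true for the bare packet and false for the tunnelled frame.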

Learn More With the Imperva Community

The Imperva Community is a great place to learn more about how to use Imperva cybersecurity technologies like DDoS Protection, Cloud WAF, Advanced Bot Protection and more to establish efficient, secure processes for enterprise networks. Rely on the expertise of Imperva partners, customers and technical experts.

