Behemoth Guards Against DNS DDoS and Direct IP Range Attacks
Cloud-based security service Incapsula just released two new services designed to help protect again large scale DDoS attacks.
Incapsula's new DNS Protocol Protection provides a "hardened" DNS proxy service that shields the customers' own DNS servers to address what Incapsula has observed as a shift in how DDoS attacks are executed. By targeting DNS servers that resolve domain names to IP addresses, attackers can effectively take down websites and cloud applications by making them "unfindable" according to the company.
The Infrastructure Protection offering from Incapsula, the second new service from the company, protects networks from direct volumetric attacks on IP addresses or ranges, guarding against exploits on internal websites, email servers, FTP servers and other applications. The service utilizes the BGP protocol to dynamically reroute traffic through Incapsula's scrubbing network in the event of an attack, with cleansed traffic routed through a secure GRE tunnel back to the customer's infrastructure.
The underlying technology behind these new offerings is a new custom-built filtering hardware code named "Behemoth." Each appliance can process up to 170Gbps of traffic at line rate, performing deep packet inspection and filtering, tunneling, and routing. The new appliances are being deployed throughout Incapsula's worldwide network.
"Behemoth is at the core of our network expansion, geared towards protecting against Terabit scale DDoS attacks," said Gur Shatz, Incapsula CEO and Co-Founder. "We needed to build our own networking equipment because DDoS mitigation requires full programmability of the data-plane. Traditional network equipment and protocols such as Flowspec, Netflow and Openflow do not deliver this level of control."