How Incapsula Protects Your Site Against DDoS Attacks While Boosting Performance — Progressive Challenges, CDN, & Custom Software

No one is immune to the havoc that follows a Distributed-Denial-of-Service (DDoS) attack — that helplessness that you feel immediately after a hit as you watch your site go down. We’re all susceptible and anyone on the Web, from the 25-page mom-and-pops to the enterprise-scale properties, has a solid shot at experiencing one at some point in their site’s lifespan; moreover, your likelihood of being hit is only growing as this web weapon becomes increasingly inexpensive and easier to execute.

To combat the threat of DDoS assailants, website owners are smart to get out in front of it. They’re likely to put a security service provided by an ISP, web host, or third-party company out in front to defend against the attack. As these web assaults require less technical know-how, as the “hacktivists” get smarter about their methods of entry, and as Bitcoins allow the invaders to fund the attacks with total anonymity, you’d want more and more layers of protection, right?

The team of Incapsula designs solutions to both protect your website against DDoS threats and speed up performance.

While arming their site to prepare to fend off potential DDoS threats, site owners often experience an additional hurdle: the more security you layer on top of your network, the more obstacles you place between your site and its visitors, including those you want coming in.

With added security can come degraded performance, so Incapsula does things differently.

Incapsula Secures and Accelerates Sites with DDoS Protection and a CDN

When that bad day rolls around for your site and you’re flooded with traffic fueled by DDoS-ers, Incapsula can shield you; however, they’re there for their customers on the good days too. By including a Content Delivery Network (CDN) in their offerings, they’re boosting the performance of their customers’ sites every day. “At Incapsula, we protect and secure and accelerate websites,” said Tim Matthews, VP of Marketing for Incapsula. “The cool thing is that our whole cloud service is built on top of a Content Delivery Network, so when you get on our service, not only are you protected against DDoS attacks but your site is going to be faster every day.”

“Progressive Challenges” to Weed Out the Bad Guys at the Web Layer

Tim likened working with Incapsula to putting a “bullet-proof door” in front of your site to “blunt” the attacks of incoming DDoS-ers. A common set of intruders at the web layer are bots: web crawlers scraping sites, injecting comment spam, et cetera. A common countermeasure used by some anti-DDoS solutions is the CAPTCHA: that random sequence of numbers and letters a website might prompt you to type out to prove your human-ness.

“We have a more advanced approach where we actually give transparent challenges to the bots behind the scenes, rather than relying on a CAPTCHA,” Tim shared. “For example, most bots can’t process JavaScript, but most browsers can, so we give a JavaScript challenge and if it doesn’t pass, we know it’s not a browser or a human.”

They call what Tim described progressive challenges: a series of checkpoints similar to “breaking into a castle,” and they’re the first step in judging whether a visitor is a bot or a non-malicious person. If the progressive challenge doesn’t eliminate the visitor, Incapsula evaluates the behavioral patterns, i.e., Does it look like a legit request?, and only in the rare event that they are still unsure about the bot or not-bot status do they present the CAPTCHA. All in all, this serial testing happens in under 100 milliseconds — rarely noticed by the end-user.

“That’s what really makes us different: These progressive challenges cause us to not confuse machines with humans,” said Robert Hamilton, Director of Product Marketing for Incapsula. “A lot of times other services will think that ALL your traffic is attack traffic and not let good guys in as well.” The ironic thing to note here is that oftentimes site owners are discouraged when they first become protected against these threats, because they come to find that a good chunk of their web traffic was bot-based.

Incapsula’s progressive challenges are indicative of the innovative work this team does on a daily basis.

“We are able to separate out the good guys from the bad guys and continue to let the good guys in even while under attack and that’s a pretty unique capability of our service,” Robert said. “Once we’ve identified a certain IP address as malicious, we don’t really need to do those tests anymore; they have a reputation and this reputation can get broadcast throughout our network, so whether they try to attack Singapore or Tokyo we don’t need those progressive challenges again.” The “bullet-proof door” is effectively slammed in their non-human face. It’s like “crowdsourcing,” Tim added. “If one customer gets attacked with a bot we’ve never seen before and we figure it out, everybody around the world almost immediately benefits from that knowledge.”
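The escalation order described above (shared IP reputation first, then a transparent JavaScript challenge, then behavioral checks, with a CAPTCHA only for visitors that remain ambiguous) looks like this in code. This is an added example, not Incapsula's code: the `Visitor` fields, the two behavioral signals, the 20 requests-per-second threshold, and the rule that a failed challenge marks the IP as malicious are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Visitor:
    ip: str
    passed_js_challenge: bool     # did the client run the transparent JS challenge?
    requests_per_second: float    # assumed behavioral signal
    sends_browser_headers: bool   # assumed behavioral signal

@dataclass
class SharedReputation:
    """Stands in for reputation broadcast to every datacenter (assumed design)."""
    malicious: set = field(default_factory=set)

def classify(v: Visitor, rep: SharedReputation, max_rps: float = 20.0):
    """Return (verdict, deciding_stage) for one visitor."""
    # Known-bad IPs are refused without repeating any challenge.
    if v.ip in rep.malicious:
        return "block", "reputation"
    # Stage 1: a client that cannot run JavaScript is not a browser.
    if not v.passed_js_challenge:
        rep.malicious.add(v.ip)
        return "block", "js_challenge"
    # Stage 2: count suspicious behavioral signals.
    strikes = int(v.requests_per_second > max_rps) + int(not v.sends_browser_headers)
    if strikes == 0:
        return "allow", "behavior"
    if strikes == 2:
        rep.malicious.add(v.ip)
        return "block", "behavior"
    # Stage 3: still ambiguous, so this is the only path that shows a CAPTCHA.
    return "captcha", "behavior"

def demo():
    """Constructed traffic: the same store is consulted by two edge sites."""
    rep = SharedReputation()
    tokyo = [
        Visitor("203.0.113.10", True, 2.0, True),      # ordinary browser
        Visitor("203.0.113.66", False, 150.0, False),  # script with no JS engine
        Visitor("198.51.100.7", True, 45.0, True),     # fast but browser-like
    ]
    results = [classify(v, rep) for v in tokyo]
    # The scripted client returns via Singapore, now passing the JS challenge.
    singapore = Visitor("203.0.113.66", True, 1.0, True)
    results.append(classify(singapore, rep))
    return results

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last constructed visitor is blocked at the reputation stage even though it would now pass every later check, which is the shortcut the quote describes.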

“Behemoth” In-House Software for Caching and Patrolling the Network Layer

As part of their quest to speed up websites while securing them, Incapsula offers a CDN that will identify any and all cacheable content: static and dynamic — the latter being the kicker. If we could just throw Varnish in front of everything and serve up only static HTML files, we’d do it in a heartbeat, right? Barring that developer’s fantasy, dynamic content caching with Incapsula’s advanced custom rules and their homegrown software may be the next best thing.

Behemoth, software with massive capacity for packet inspection and virtual traffic routing, is Incapsula’s secret sauce for both weeding out bad guys at the network layer and serving up dynamic content at high speeds. Using a series of whitelists and blacklists and checking packets via Behemoth, Incapsula’s network operations team of former military intel folks, security gurus, and network experts can identify attack traffic and “scrub it out,” Tim said. The Behemoth software sits on an Intel box, was built from scratch in house using mostly C, and is managed by Incapsula’s NetOpps ninjas.

Incapsula is Proud to Provide Increased Protection for an Increasing Threat

As of Q1 of 2016, Incapsula’s global network capacity has exceeded two terabits, according to Tim. They have 28 datacenters around the world and they’re primed to continue their network build-out. “We can virtually combine several datacenters together to make it look like one larger datacenter to get larger anti-DDoS capacity,” Tim said. These are called scrubbing centers: network hubs used to take the brunt of the blow from a DDoS attack. “For example, in Asia-Pacific we can combine Tokyo with Singapore with Hong Kong and that can become one big virtual scrubbing center,” he said. Tim told us part of the Incapsula network’s growth plan involves increasing the capacity of individual scrubbing centers, so as they “get bigger and bigger attacks, [they] can absorb them locally.”

Another added layer of defense that the Incapsula team is proud to offer their customers is IP protection. “Sometimes people want to protect not just their website but the underlying infrastructure,” Tim explained, e.g., email servers and various other network applications. A great example is gaming companies. Gaming servers often use proprietary protocols rather than relying on HTTP, so many web DDoS solutions are not compatible. Smaller gaming companies are left defenseless, so Incapsula figured out a way to “essentially protect any single IP address,” according to Tim. “We’re pretty excited about that,” he shared.

The Real Cost of DDoS — HINT: It’s More Than Your Traffic and Revenue

These days, it’s nearly impossible to run a business without being online. If your website becomes inaccessible due to DDoS foul play, you can’t reach your customers, they can’t reach you, and you can’t do eCommerce. Anyone can find themselves facing the threat of DDoS, but the perpetrators of the attack are not necessarily this nebulous dark force crashing down on your website. DDoS attacks may be sent by your company’s competitors. If you’re an organization, you may be targeted by antagonists to your site’s agenda (i.e., “hacktivists” making a point). These web assassins may be unleashed at the governmental level as well. DDoS is an evil but effective weapon that an array of bad guys have picked up.

Dealing with Service Providers Who No Longer Want to Host Your Site

Interestingly enough, Tim told us that in the hosting world, DDoS attack victims may also be forced to part with their hosting provider as a result of an attack. “Hosting providers don’t like people who get DDoS’d a lot,” Tim said. “They don’t want people on their service who are getting attacked and making the service sub-optimal for everybody else on the service.” It’s a classic manifestation of what’s known as the Noisy Neighbor Problem: when one or more users on a hosting service either monopolize or upset the hosting experience for their hosting neighbors.

Incapsula can mitigate the pains of this particular backlash (loss of your web host) with their reseller offerings. “Hosting companies can actually resell our services,” Tim said. By doing so, the hosts are turning a problem into a profit center. Robert chimed in, adding that this solution ameliorates the Noisy Neighbor Problem as well. “Instead of kicking a customer off, they can say, ‘Hey, we have something that will quiet down the noise and protect all the other neighbors’; it lets them not only keep business but increase revenue by selling additional service,” he said.

Dealing with the Fallout From Angry Customers Immediately After the Attack

A direct consequence of DDoS attacks that may or may not be obvious until you think about it is a disconnect from your customers. Ordinarily, this would not be good, but it’s especially not good when your customers are upset. “When a company gets hit, they’ll experience unavailability of their service and, typically, a lot of angry customers,” Tim said. “They’ve got to deal with both getting back online again and the fallout from their customers.”

From helping you fend off DDoS threats to helping you deal with the attack aftermath, Incapsula has TONS of experience.

Step one is to figure out a way to talk to your customers and let them know what’s going on. Preferably, have a plan in place beforehand: host your blog on a separate server or use Twitter or another independently-hosted social media platform to communicate.

Finale: The More It Hurts to Be Offline, The More You Need Incapsula

The bottom line is that DDoS defense — against the attacks themselves and the accompanying downfall to performance — is a very “horizontal need,” to use Tim’s words. “DDoS attacks have become a relatively inexpensive but really potent blunt-force instrument for hurting people online,” Tim said. “The more it hurts to be offline, the better fit you are for us.” Not all of us are security experts by any means. If this includes you, trust Incapsula and rest easy knowing your site is secure and speedy.

Ryan Frankel
