Enabling Faster DDoS Mitigation for Cloud Assets

The cloud journey was considered a visionary approach less than a decade ago. Today, more than half of organizations rely on a cloud provider, and are planning to expand their portfolios across multiple cloud platforms, as part of their ongoing digital transformation. 

Is the so-called cloud promise a reality today? To some extent, yes. However, it’s also critical for any organization to plan and execute a flawless security strategy as part of its cloud migration.

To complicate matters, while DDoS attack risks are simply unacceptable, we know that organizations face potential challenges when looking for DDoS protection from cloud vendors. Integrations can prove costly and there is a lot of variation in different providers’ time to mitigation, not to mention concerns with lack of control and insights. 

Our story began when several Imperva DDoS Protection customers reached out to us for a solution to protect specific cloud assets spread over various locations, cloud environments and IP addresses, from volumetric Layer 3 and 4 attacks. They were facing a challenge due to their cloud providers’ inability to support IP GRE tunneling. They needed a single, simple, integrated DDoS solution for cloud-based environments that could protect against ever-increasing attack volume and complexity with proven mitigation techniques.

The Importance of Fast DDoS Mitigation

Maybe you’ve been hit by a DDoS attack, or perhaps you’re one of the few who haven’t been attacked yet (though chances are you will be!). You know one thing for sure — any amount of downtime has a huge impact. Extended time to mitigation can end up costing your business hundreds of thousands of dollars in lost sales and reputation damage.

At Imperva, challenging ourselves is a core component of our credo, in order to deliver best-in-class security solutions protecting our customers and their customers. And while we already offered what we believed to be the fastest, no-exclusions guarantee of DDoS mitigation (10 seconds), we pushed our limits further. As such, we introduced what we believe is an industry-first DDoS mitigation SLA which took end-to-end mitigation time down to just 3 seconds.

Yes, you read it right, only 3 seconds to get rid of any volumetric L3/4 DDoS attack, a guarantee even for attacks destined for our hall of fame. And the great thing is that you don’t have to lift a finger. Our 44-and-growing DDoS scrubbing centers, all powered by our automated software-defined network operations center (SD-NOC) technology, take care of everything for you.

But remember — today, it’s all about cloud assets. That’s why we’ve expanded our DDoS SLA beyond websites, Domain Name Servers (DNS) and entire Networks, to any cloud-hosted environment, as they need the same level of DDoS protection. 

Imperva DDoS Protection for Individual IPs

It’s no secret: DDoS Protection for individual IPs is critical if you are migrating workloads to the cloud.

The good news is you can begin to protect your single or multi-cloud assets immediately. Our self-service onboarding is so simple that it only requires 2 steps:

  1. Register your public IP, or domain name
  2. Make a simple DNS configuration update and you’re done 🙂

You can protect your cloud assets from DDoS attacks in just a few clicks. What happens next is even more important, as you get full visibility of traffic flows. Our network design — based on Anycast Edge IPs — allows us to provide a complete set of network analytics insights from our cloud security console.

Advanced traffic analysis and full visibility into DDoS attacks is now within your reach.

How It Works

We’ll use the common split between control plane and data plane to explain how our DDoS Protection for Individual IPs works:

Control plane:

During the onboarding stage, Imperva resolves the domain name to its associated IPs and CNAME. Once your public IPs are registered, a public Anycast Edge IP from Imperva’s global network is allocated to you; from then on, it is the internet-facing IP of your cloud service.

At the same time, each scrubbing center is configured with optimal, dynamically updated origin IP resolution backed by active monitoring. This way, traffic is forwarded only to resolved IPs that are active.

Data plane:

Any traffic directed towards your cloud assets will reach one of the scrubbing centers, where malicious traffic is automatically blocked by our in-house developed Behemoth technology.

On the other hand, legitimate traffic is proxied to one of the available app origin servers with load balancing capability based on a round-robin algorithm, with user-to-host persistence support. Egress traffic will follow the exact opposite path: the app origin servers will respond to the very same proxy server, which will proxy it towards the client.
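The origin selection described in the control-plane and data-plane paragraphs can be modelled as follows. This is an added example, not Imperva's code: the `OriginPool` class, its method names and the documentation-range IP addresses are assumptions made for illustration. It shows round-robin selection with user-to-host persistence, and what happens to a pinned client when active monitoring marks its origin as down.

```python
from itertools import count


class OriginPool:
    """Hypothetical model of one scrubbing center's origin selection."""

    def __init__(self):
        self.resolved = []     # origin IPs from the latest DNS resolution
        self.healthy = set()   # subset that passed the last health probe
        self.pinned = {}       # client IP -> origin IP (persistence table)
        self._rr = count()     # round-robin cursor

    def update_resolution(self, ips):
        """Control plane: replace the origin set after re-resolving the domain."""
        self.resolved = list(dict.fromkeys(ips))  # dedupe, keep order
        self.healthy &= set(self.resolved)        # forget origins no longer resolved

    def report_probe(self, ip, ok):
        """Control plane: record the result of an active-monitoring probe."""
        if ok and ip in self.resolved:
            self.healthy.add(ip)
        else:
            self.healthy.discard(ip)

    def pick(self, client_ip):
        """Data plane: choose the origin for a legitimate client flow."""
        active = [ip for ip in self.resolved if ip in self.healthy]
        if not active:
            self.pinned.pop(client_ip, None)
            return None                   # no active origin: do not forward
        origin = self.pinned.get(client_ip)
        if origin not in active:          # new client, or its pinned origin went away
            origin = active[next(self._rr) % len(active)]
            self.pinned[client_ip] = origin
        return origin


def demo():
    # Constructed sample data: origins in 192.0.2.0/24, clients in 198.51.100.0/24.
    pool = OriginPool()
    pool.update_resolution(["192.0.2.10", "192.0.2.11", "192.0.2.12"])
    for ip in pool.resolved:
        pool.report_probe(ip, True)
    first = [pool.pick(c) for c in ("198.51.100.1", "198.51.100.2", "198.51.100.3")]
    pool.report_probe("192.0.2.10", False)   # active monitoring sees an origin fail
    repinned = pool.pick("198.51.100.1")     # was pinned to the failed origin
    sticky = pool.pick("198.51.100.2")       # keeps its healthy origin
    return first, repinned, sticky


if __name__ == "__main__":
    print(demo())
```
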

Cloud and Beyond

From now on, you don’t need to worry about DDoS attacks on your cloud assets. Just contact us to immediately get the fastest DDoS protection. 

And don’t forget our credo: our vision is to lead the world’s fight against cybercrime on your behalf. Imperva DDoS Protection is just one part of our Imperva Application Security portfolio, an integrated single stack of solutions that provide comprehensive protection against a wide range of cybersecurity threats and bring defense-in-depth to a new level.

And stay tuned for more DDoS innovation!

*** This is a Security Bloggers Network syndicated blog from Blog authored by Oleg Toubenshlak. Read the original post at: