Key Elements for DDoS Detection, Mitigation and Analysis

Given today’s volatile DDoS threat landscape with attacks ranging from massive volumetric assaults to sophisticated and persistent application level threats, comprehensive protection is a must for online businesses. But what are the most important considerations for evaluating potential solutions? As we’ve been in the business of cybersecurity and DDoS detection and mitigation for 18 years, we can confidently say that it comes down to key elements like SLA for mitigation, network setup, and operational mitigation.

Gartner’s Take on DDoS Protection

Recently, Gartner published the Solution Comparison for DDoS Cloud Scrubbing Centers report, authored by Thomas Lintemuth, Patrick Hevesi and Sushil Aryal. The report offers a look at DDoS cloud scrubbing centers in the market, providing an analysis based on 23 assessment criterion. With a Gartner subscription, the report is available for you to view here. Notably, Imperva received a ‘High’ rating for the combined categories of SLA for Mitigation, Network Setup, Operational mitigation, Compliance, Technical Operation, Geodistribution and Integration categories. In this blog post we will review these categories and how we believe Imperva fulfills them.

SLA for Mitigation – True Peace of Mind

At the core of any DDoS protection solution is the SLA for time to mitigation (TTM). Even seconds of downtime have a huge impact, and extended time to mitigation can end up costing your business.

According to ITIC, 98% of large enterprises with more than 1000 employees say that on average, a single hour of downtime per year costs their company over $100,000. And almost half of SMBs estimate the same costs in terms of lost revenue, end user productivity and remedial action by IT administrators. The number reaches $1 million to over $5 million for 40% of enterprise organizations, frequently topping the $5 Million (USD) mark within the Banking/Finance, Food, Energy, Government, Healthcare, Manufacturing, Media & Communications, Retail, Transportation and Utilities verticals.

But with always-on protection, our 3-second time to mitigation guarantee – from when the first DDoS attack packet hits, all the way to full mitigation – offers you the fastest and most comprehensive SLA. No matter what kind of attack, or the size, every DDoS threat is mitigated in 3 seconds or less, without affecting the flow of legitimate traffic.

Behind this SLA is our long-time experience and development around technical operation excellence.

Technical Operation

For volumetric/protocol attacks (L3/4), we have developed our own mitigation technology (Behemoth) which is deployed at each and every single Imperva point of presence (PoP). Your traffic is initially profiled via machine learning to define the relevant DDoS security policies, which are constantly updated based on behavioral patterns variation. This is combined with our threat research algorithms and used as part of the multi-stage real-time mitigation process to address suspicious sources, contents, IPs, and traffic volumes per source location, traffic destinations, protocols and/or services. Identification and mitigation of attacks happens almost instantly (often <1 sec) with accuracy and no-intervention needed from your end.

For applicative attacks (L7), we enrich these mechanisms via our Cloud WAF technology included in our end-to-end security stack, with client classification, reputation intelligence, challenges, signatures and automated security rules.

Our global network mesh topology enables attacks on our customers’ ranges to be scrubbed closer to the attack origin. This eliminates the need for the traffic to travel over the ISP backbone to the PoP in which a customer is connected to us, and combats the ISP in the middle null routing the range. And, in an idle state, clean traffic flows over quality pipes for optimal capacity and performance. This network topology is actually what is required for our new SD-NOC functionality, which allows for fully-automated tuning to enable large-scale deployments.


We’re continuously working in cooperation with external DDoS testing companies such as Redwolf and NimbusDDoS as part of customers’ validation of our DDoS protection solutions. Our commitment to actually delivering on the level of service we promise and providing comprehensive protection against different types of attack scenarios is a huge focus. In fact, we find many clients come to us after the DDoS protection they had in place previously did not work.

Operational Simplicity

As a critical component for ensuring business continuity, DDoS protection shouldn’t be cumbersome to implement and operate. This is why we have designed our solution to provide operational simplicity for our customers from the beginning.

Network Setup

The DDoS protection onboarding is all about redirecting the traffic to Imperva so it can be protected. It can be done as an always-on operation (traffic flows continuously to Imperva), or in the case of protection of data centers it can also be on-demand, meaning only when you’re under attack. The mitigation can be triggered automatically or by manual approval.

A wide range of connectivity options is also key for a smooth adaptation to your own topology. For protection of entire data centers, we allow tunnels or direct connection between your location and Imperva’s network, and routing via BGP (border gateway protocol). In the case of individual IPs, TCP proxy and tunnels are available and we propose a self-onboarding guided process. For other assets, this is mainly done via a simple DNS record update.

Geographic Distribution

In order to achieve optimal connectivity, it’s important to provide comprehensive geographical coverage. Our global network consists of 44 (and growing) PoPsall DDoS scrubbing centers – across all continents (North America, South America, Europe, Africa, Asia, and Australia). And we have a wide range of direct peering agreements and Tier 1 transit providers, so you can benefit from optimal latency for your service regardless of the locations of your data centers and/or cloud assets.

Operational Mitigation

DDoS protection is all about very rapidly analyzing, identifying and mitigating malicious traffic. The traffic information is the key element here, and as for the network connectivity options, it’s important to have flexibility of choice for accessing it.

In an always-on scenario, the traffic continuously flowing is sampled and analyzed in real time at the Behemoth level when entering each of our PoPs, while for the on-demand operation we can integrate with and collect instantly any standard traffic flow exports such as netFlow, sFlow, jFlow, or IPFIX generated by routers or external services in your environment.

The traffic information is not only purposed at attack detection but also for providing granular traffic analytics visibility. As part of our built-in technology, we have developed a real time statistics platform to provide detailed information on top traffic patterns for services – the unique combination of destination port and IP address so you don’t need an additional 3rd party solution with its associated costs to have an end-to-end DDoS operation. Currently, there is a whole host of information, like packet size and connection rates, but perhaps best of all, we have the flexibility in-house to add more “widgets” over time. As our customers request more information, we are able to address these requests quite easily and rather quickly. As we know, the right kind of analytics can also provide the much-needed bigger picture when it comes to DDoS smokescreens and underlying attacks.


We’d be remiss not to also mention the importance of native API functionality. Native integration with SIEM platforms, for example, allows capture, retention, and delivery of security information and events in real time to your SIEM application of choice (e.g. AlienVault USM or Splunk). Imperva offers turnkey integration with leading SIEM solutions which allows our customers to easily integrate the security data provided by our products into their SIEM platform, where it can be readily accessed and viewed in a broader context.

Final Thoughts

When it comes to an SLA for DDoS mitigation time, you shouldn’t settle for protection from DDoS attacks without a comprehensively stringent guarantee. But as you can see, the actual process of traffic direction for analysis and the potential for real-time traffic visibility are also incredibly important to understand and examine when selecting your DDoS protection vendor.

Learn more about Imperva DDoS Protection here, and contact us anytime to get connected with a security expert.

*Gartner “Solution Comparison for DDoS Cloud Scrubbing Centers,” Thomas Lintemuth, Patrick Hevesi, Sushil Aryal, 16 April 2020

The post Key Elements for DDoS Detection, Mitigation and Analysis appeared first on Blog.

*** This is a Security Bloggers Network syndicated blog from Blog authored by Kim Lambert. Read the original post at:

Cloud Workload Resilience PulseMeter

Step 1 of 8

How do you define cloud resiliency for cloud workloads? (Select 3)(Required)