Introduction: DDoS Protection for Networks
- Last Updated: Jan 21, 2025
- 5 minute read
Imperva’s DDoS Protection for Networks allows organizations to protect entire networks and subnets from network (Layer 3 and 4) DDoS attacks.
Overview
DDoS Protection for Networks can be used to protect any online asset such as websites, DNS servers, SMTP servers and any other IP based application. This service leverages Imperva’s multi-terabit network capacity and packet processing capabilities to absorb and mitigate the largest and most sophisticated DDoS attacks.
DDoS Protection for Networks can be deployed as an always-on or on-demand solution, and can be combined with all Imperva Cloud Application Security services for extending protection and monitoring capabilities.
- Always-on: You're always advertising your protected network to Imperva and your ingress traffic is always tunneled through the Imperva network. Imperva must be the best path to the Internet for your network traffic. There are several ways to do this:
  - Advertise your BGP routes to an upstream ISP with a longer AS-PATH by prepending their ASN three times.
  - Equalize or lower local preference in the ISP network for customer-learned routes versus peer-learned routes.
  - Advertise a summary route to the ISP and a specific route to Imperva.
- On-demand: Your ingress traffic is tunneled through the Imperva network only during attack time.
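Why each of the three always-on options above works, as an added example that is not part of Imperva's documentation: a small Python model of the ISP's BGP forwarding decision (longest prefix match first, then highest LOCAL_PREF, then shortest AS_PATH). The ISP is modelled as learning the protected prefix twice, once directly from the customer and once via the scrubbing network. All ASNs, prefixes and neighbour names are constructed placeholders from private and documentation ranges; the scrubbing network's ASN stands in for Imperva's and is not its real one.

```python
"""Toy BGP decision model: which neighbour does the ISP forward to?

Constructed placeholders only; none of these values are Imperva's.
"""
from dataclasses import dataclass
import ipaddress

CUSTOMER_ASN = 64500          # placeholder: the protected network's ASN
SCRUBBER_ASN = 64499          # placeholder: the scrubbing network (stands in for Imperva)
PROTECTED = "203.0.113.0/24"  # placeholder protected range (RFC 5737 documentation block)
VICTIM = "203.0.113.10"       # an address inside the protected range


@dataclass
class Route:
    prefix: str
    next_hop: str      # neighbour the ISP learned the route from
    as_path: list      # AS_PATH as seen by the ISP
    local_pref: int    # LOCAL_PREF the ISP assigned on import


def best_path(routes):
    """Best path among routes for the SAME prefix: highest LOCAL_PREF wins,
    then shortest AS_PATH (the first two decisive steps of BGP selection)."""
    return max(routes, key=lambda r: (r.local_pref, -len(r.as_path)))


def select_next_hop(rib, dst_ip):
    """Forwarding decision: longest-prefix match first, then best path within it."""
    addr = ipaddress.ip_address(dst_ip)
    matching = [r for r in rib if addr in ipaddress.ip_network(r.prefix)]
    if not matching:
        return None
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in matching)
    tied = [r for r in matching if ipaddress.ip_network(r.prefix).prefixlen == longest]
    return best_path(tied).next_hop


def isp_rib(customer_prepends=0, customer_lp=200, peer_lp=100, customer_prefix=PROTECTED):
    """The ISP's view: one route straight from the customer, one via the scrubber.
    ISPs commonly import customer routes with a higher LOCAL_PREF than peer routes,
    which is the default modelled here (200 vs 100)."""
    direct_path = [CUSTOMER_ASN] * (1 + customer_prepends)
    return [
        Route(customer_prefix, "customer-direct", direct_path, customer_lp),
        Route(PROTECTED, "scrubber", [SCRUBBER_ASN, CUSTOMER_ASN], peer_lp),
    ]


def no_steering():
    # Nothing done: the ISP hands traffic straight to the customer, bypassing scrubbing.
    return select_next_hop(isp_rib(), VICTIM)


def prepend_only():
    # Three prepends lengthen the direct AS_PATH, but LOCAL_PREF is compared first,
    # so the ISP's customer preference still wins.
    return select_next_hop(isp_rib(customer_prepends=3), VICTIM)


def prepend_with_equal_local_pref():
    # Prepending plus equalized LOCAL_PREF: now AS_PATH length decides, scrubber wins.
    return select_next_hop(isp_rib(customer_prepends=3, customer_lp=100), VICTIM)


def summary_route():
    # Summary /23 to the ISP, specific /24 via the scrubber: longest match wins
    # regardless of LOCAL_PREF or AS_PATH.
    return select_next_hop(isp_rib(customer_prefix="203.0.112.0/23"), VICTIM)


if __name__ == "__main__":
    for scenario in (no_steering, prepend_only, prepend_with_equal_local_pref, summary_route):
        print(f"{scenario.__name__:>30}: traffic goes to {scenario()}")
```

The second scenario is the practical caveat: prepending alone does not steer traffic if the ISP's import policy gives customer-learned routes a higher local preference, which is why the page lists adjusting local preference as its own option. The summary-route option sidesteps the ISP's policy entirely because longest-prefix match is evaluated before any BGP attribute.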
Benefits
- Layer 3 and 4 DDoS protection for IP ranges and subnets hosting any IP based application
- Terabit DDoS scrubbing capabilities
- Attack monitoring and mitigation backed up by 24x7 NOC and SOC teams
- SLA for DDoS mitigation performance
- Real-time dashboard for traffic monitoring and event analysis
How Does DDoS Protection for Networks Work?
Imperva DDoS Protection for Networks allows organizations to tunnel all ingress traffic (traffic from the Internet to the origin network) through the Imperva network. The organization's edge routers use the Border Gateway Protocol (BGP) to announce subnets and IP ranges to be advertised by Imperva, forcing all Internet routes pointing at their data center to point at Imperva instead. DDoS Protection for Networks uses Generic Routing Encapsulation (GRE) tunneling to forward traffic to the origin network after the traffic has been scrubbed from any DDoS attack.
The Behemoth
At the core of Imperva’s DDoS Protection for Networks service is its proprietary DDoS scrubbing appliance named Behemoth. The Behemoth performs all Layer 3 and Layer 4 DDoS scrubbing and then tunnels clean traffic over a GRE tunnel to the origin network. Each of Imperva’s data centers is equipped with one or more Behemoth appliances. In addition to scrubbing any DDoS attack, Behemoth provides packet level visibility and packet flow control to our 24x7 Operations Center teams.
Traffic Flow
The Border Gateway Protocol (BGP) is used to control the traffic flow and route traffic through the Imperva network. In order to route traffic sent to the origin network through Imperva, organizations configure their routers to announce that their IP ranges are to be advertised by the Imperva routers. This is done by establishing BGP peering between the Imperva router and the organization’s routers.
Once Imperva starts advertising the customer’s IP ranges, all Internet routes for the origin network point at the Imperva network. Ingress traffic sent to the protected IP ranges is automatically routed to Imperva where DDoS scrubbing takes place. After the traffic has been scrubbed, Imperva forwards clean traffic to the origin network over a pre-established GRE tunnel.
DDoS Protection for Networks uses an asymmetric channel in which ingress traffic is routed through Imperva, while egress traffic (traffic from the origin network to the Internet) is routed through the organization’s ISP.
Software-defined network range advertisement
Imperva’s software-defined network range advertisement announces customer IP ranges from the following locations:
- the Imperva PoPs to which the customer data center is connected
- all Imperva PoPs in the region where the customer data center is located
- Imperva high-capacity regional PoPs outside of the region
This method provides the following benefits:
- When a DDoS attack traverses transatlantic cables, ISPs may null route the attacked IP in order to avoid congestion of those cables. By advertising the IP ranges from PoPs in each region, Imperva mitigates the DDoS attack in the continent in which it started.
- More PoPs participate in the mitigation, enabling Imperva to handle larger DDoS attacks without human intervention.
- Imperva PoPs are connected through high-quality Internet connections, resulting in a better user experience.
During an Attack
DDoS Protection for Networks can be deployed as an always-on or an on-demand solution. Organizations choosing to deploy DDoS Protection for Networks as an always-on solution route their traffic through Imperva at all times. Organizations choosing to deploy DDoS Protection for Networks as an on-demand solution route their traffic through Imperva only when they are under a DDoS attack.
DDoS Protection for Networks reacts to DDoS attacks at a microsecond scale by utilizing multiple mechanisms, such as detecting anomalies in traffic patterns and identifying known attack patterns. Attack mitigation engines are dynamically adjusted according to the attack severity as well as the state of the origin network. After traffic has been scrubbed, clean traffic is forwarded to the origin network over a GRE tunnel.
DDoS Protection for Networks is backed up by 24x7 NOC and SOC teams that monitor attacks, adjust detection and mitigation configuration, and respond to customer requests and enquiries.
Why Does Imperva Use a GRE Tunnel?
Imperva uses a GRE tunnel to route clean traffic to the origin (and also to establish BGP peering for on-demand DDoS Protection for Networks deployments).
When Imperva advertises the customer’s IPs or IP ranges, all packets targeted to these IPs/ranges are directed to the Imperva network. The Imperva Behemoth appliances scrub the traffic, filtering incoming packets and dropping any DDoS attack packets. The remaining “legitimate” packets are passed on to the customer according to their destination IP through the GRE tunnel.
The GRE tunnel is the only way that the packets can reach the customer at this point, because Imperva is the only entity advertising the customer’s IPs/ranges. This means that even if Imperva were to send the packets back to the Internet, they would return to Imperva again.
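The clean-traffic hand-off described in this section and under "Traffic Flow", as an added example that is not part of Imperva's documentation: Python code that encapsulates a scrubbed IPv4 packet in GRE (outer IPv4 header with protocol 47, a plain RFC 2784 GRE header, then the original packet) the way the scrubbing side would, and decapsulates it the way the origin router would. Because GRE carries no authentication of its own, the origin-side decapsulation also applies the two checks a practitioner would want: the outer source must be the agreed tunnel peer, and the inner destination must fall inside the protected range. All addresses are constructed placeholders from RFC 5737 documentation blocks; the inner packet bytes are constructed, not captured traffic.

```python
"""GRE encapsulation/decapsulation of scrubbed traffic (constructed placeholders only)."""
import ipaddress
import struct

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value for an IPv4 payload

SCRUBBER_ENDPOINT = "198.51.100.1"   # placeholder: scrubbing-side tunnel endpoint
ORIGIN_ENDPOINT = "192.0.2.1"        # placeholder: origin router's tunnel endpoint
PROTECTED = "203.0.113.0/24"         # placeholder: range advertised by the scrubber


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement header checksum; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Validate version and checksum, return the header fields and payload."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "proto": proto, "payload": packet[ihl:total_len]}


def gre_encapsulate(tunnel_src: str, tunnel_dst: str, inner_packet: bytes) -> bytes:
    """Scrubber side: wrap a clean packet in GRE and address it to the origin endpoint."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no checksum/key/sequence, version 0
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre_hdr + inner_packet)


def gre_decapsulate(packet: bytes, expected_peer: str, protected: str) -> dict:
    """Origin side: unwrap GRE, accepting only the agreed peer and the protected range."""
    outer = parse_ipv4(packet)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    if outer["src"] != expected_peer:
        raise ValueError("GRE from unexpected tunnel peer")   # GRE has no built-in authentication
    gre = outer["payload"]
    flags, ptype = struct.unpack("!HH", gre[:4])
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE payload type")
    # Optional fields (RFC 2784/2890): checksum+reserved, key, sequence, 4 bytes each
    offset = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    inner = parse_ipv4(gre[offset:])
    if ipaddress.ip_address(inner["dst"]) not in ipaddress.ip_network(protected):
        raise ValueError("inner destination outside protected range")
    return inner


def forward_clean_packet() -> dict:
    """End to end: a clean packet from an Internet client reaches the protected host."""
    inner = build_ipv4("192.0.2.200", "203.0.113.10", 6, b"constructed TCP segment bytes")
    wire = gre_encapsulate(SCRUBBER_ENDPOINT, ORIGIN_ENDPOINT, inner)
    return gre_decapsulate(wire, SCRUBBER_ENDPOINT, PROTECTED)


def rejects_unexpected_peer() -> bool:
    """A GRE packet from any source other than the agreed peer is dropped at the origin."""
    inner = build_ipv4("192.0.2.200", "203.0.113.10", 6, b"constructed")
    wire = gre_encapsulate("198.51.100.99", ORIGIN_ENDPOINT, inner)   # constructed: wrong peer
    try:
        gre_decapsulate(wire, SCRUBBER_ENDPOINT, PROTECTED)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(forward_clean_packet())
    print("unexpected peer rejected:", rejects_unexpected_peer())
```

Note the asymmetry the page describes: only the ingress direction is tunnelled, so the origin never encapsulates replies; they leave through the organisation's ISP with the protected address as source. The peer check in `gre_decapsulate` is the practical reason to filter GRE (protocol 47) at the origin edge so that it is accepted only from the scrubbing provider's tunnel endpoints.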
SIEM integration
Send DDoS event logs to your preferred SIEM solution. For details, see Near Real-Time SIEM Log Integration.