Protect Your Assets with Single IP DDoS Protection

© 2015 Imperva, Inc. All rights reserved.

Shahar Ben-Hador, CISO
Dvir Shapira, Director, Product Management
@imperva @Incapsula_com


Agenda

• DDoS threat trends
• Current solutions
• IP Protection overview
• How Imperva is using IP Protection
• Lessons learned


Speaker Bio for Dvir Shapira

• Background
– BSc in physics (no idea why I did it…) and EE
– Saw the bubble burst around me as a part-time startup employee back in 2001
– Held various roles at Applied Materials, CheckPoint, Incapsula and a few startups.
• Director of product management
• Email: [email protected]


Speaker Bio for Shahar Ben-Hador

• Background
– BSc in Math and Computer Science
– More than 7 years with Imperva
– Held various roles at Imperva around Infrastructure and Security
• CISO
• Email: [email protected]


1. DDoS Protection Today


DDoS Propelling the Rise of Cyber Extortion

“Any organization can be hit by a DDoS attack” – Swiss Governmental Computer Emergency Response Team

• Armada Collective, DD4BC and others continue threatening attacks for ransom

• Even governments are alerting organizations to the growing threat

• The need for comprehensive, upstream mitigation is urgent


You may not be protected even if you have anti-DDoS

• Non-HTTP assets are still vulnerable

• An attack on an exposed server can bring down your entire infrastructure

• Protected HTTP servers can still suffer direct-to-origin attacks

• Public cloud servers can be vulnerable


What are the alternatives?

• Use a different set of IPs


• On demand BGP

• TCP/UDP proxy

• Single IP protection


IP Protection

[Diagram labels: DDoS, Legit Traffic, Incapsula Network, Incapsula IP Address 1.2.3.4, GRE Tunnel, Customer Infrastructure]

• Provides complete Infrastructure DDoS protection for single IP addresses

• Deploys as an always-on service for immediate detection and mitigation of DDoS attacks

• Enables origin protection for DNS redirection based services (e.g. CDNs)


2. Common Use Cases


Customer Story (1/3)

“We have constant DDoS attacks on three IPs in which we use proprietary protocols. Looked at four different vendors, none of them were able to provide a decent protection.”
Diego T | CTO, Online Poker site

No C-Class ranges, using proprietary protocol

Customer Story (2/3)

“We use on-demand BGP, but for one specific server we want to deploy an always-on solution.”
John O | IT Director, video conferencing platform

BGP on-demand customer, requires always on


Customer Story (3/3)

“DDoS attacks on a few customers can affect the entire ISP operation. We need to identify the few targets and protect them, to keep our whole network from being burdened by attack.”
Tim W | Ops Manager, ISP

ISPs need to protect specific IPs that are vulnerable


3. How it Works

© 2016 Imperva, Inc. All rights reserved.

How it works

• Starting point: traffic is routed directly to the customer origin server (1.1.1.1)

• Incapsula establishes a GRE tunnel between its CDN and the origin server

• Incapsula assigns a unique IP (2.2.2.2) to the customer

• Customer changes the DNS record to point to the Incapsula allocated IP

• All traffic is routed through the Incapsula global network. Only clean traffic is passed to origin
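Added example (not from the original slides): after the DNS change in the last step, any record that still publishes the origin address keeps the direct-to-origin path mentioned earlier open. This Python sketch audits a zone export for such records; the zone contents and the example.com names are constructed, and only the 1.1.1.1 and 2.2.2.2 addresses come from the slides.

```python
import ipaddress
import re

ORIGIN_IP = "1.1.1.1"      # origin server address shown on the slides
PROTECTED_IP = "2.2.2.2"   # provider-allocated address shown on the slides

# Constructed sample zone export (hypothetical names under example.com).
SAMPLE_ZONE = """\
game.example.com.   300 IN A     2.2.2.2
direct.example.com. 300 IN A     1.1.1.1
mail.example.com.   300 IN A     1.1.1.1
example.com.        300 IN MX    10 mail.example.com.
example.com.        300 IN TXT   "v=spf1 ip4:1.1.1.0/24 -all"
www.example.com.    300 IN CNAME game.example.com.
"""

# Matches a dotted-quad address with an optional /prefix (as in SPF ip4:).
IPV4_OR_CIDR = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(/\d{1,2})?")


def origin_leaks(zone_text, origin_ip=ORIGIN_IP):
    """Return (owner, rtype, rdata) for each record that still reveals origin_ip."""
    origin = ipaddress.ip_address(origin_ip)
    leaks = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        fields = line.split(None, 4)              # owner ttl class type rdata
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        owner, _ttl, _cls, rtype, rdata = fields
        for addr, prefix in IPV4_OR_CIDR.findall(rdata):
            try:
                net = ipaddress.ip_network(addr + prefix, strict=False)
            except ValueError:                    # e.g. 999.1.1.1
                continue
            if origin in net:                     # exact IP or covering range
                leaks.append((owner, rtype.upper(), rdata))
                break
    return leaks


if __name__ == "__main__":
    for owner, rtype, rdata in origin_leaks(SAMPLE_ZONE):
        print(f"origin still exposed: {owner} {rtype} {rdata}")
```

The A records and the SPF range are flagged; the MX record is caught indirectly because its target's A record is.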


4. Safeguarding our Own House


Proof in the Pudding

• All IP ranges need to be protected

• Non-HTTP entry points are usually weak links (e.g. VPN tunnels with customers, client-server applications)

• We’re implementing on-demand Infrastructure Protection with IP Protection for all non-HTTP apps

• This approach provides full coverage for all assets


Imperva Architecture

[Architecture diagram labels: Cloud Based DDoS and WAF Protection (Incapsula); Redundant ISP Connections; Redundant Enterprise Edge Routers; Redundant Enterprise Firewalls, IPS, AV; Redundant Enterprise Web Application Firewalls; Redundant Enterprise Database Firewalls; Web Servers Network; Application Servers Network; Database Servers Network; Website Protection; Infrastructure Protection]


Questions?


Lessons Learned

• Organizations face growing risk of DDoS attacks for ransom

• Existing mitigation solutions may still have vulnerabilities that leave organizations exposed

• Always-on IP-level DDoS protection is the only way to completely secure your network infrastructure
