Distributed denial of service (DDoS) attacks can cripple an organization, a network or even an entire country. DDoS attacks make up a considerable percentage of security threats, and recent attacks have been larger and more complex than ever.
While there are some things security teams can do to lessen the impact of DDoS attacks, the growing sophistication of such attacks has sparked strong growth in the market for DDoS solutions. Research firm IDC expects the DDoS prevention market to grow 20 percent each year through 2021.
The vendors listed here scored well in the Forrester DDoS Wave or the Quadrant Knowledge Solutions DDoS report – or both. In addition to handling traditional DDoS attacks, they incorporate cloud, mobile and IoT features. Each vendor summary links to a detailed analysis, including target markets and use cases, features, metrics, intelligence, use of agents, security certifications, product delivery (cloud, software or hardware) and pricing. There’s also a chart at the bottom of this article comparing the solutions.
Core DDoS solution features include detection of the early stages of an attack, the scale to absorb the volume of traffic, and the ability to mitigate the source of the attack. This can be done via static or custom rules, or through an evolving set of defensive actions as the attack morphs toward additional targets.
- Vendor comparison chart
- Akamai DDoS mitigation
- Verisign DDoS Protection Services
- Radware DDoS Protection
- Cloudflare DDoS Protection
- Arbor Networks APS
- DOSarrest DDoS Protection
- F5 DDoS Protection
- Neustar SiteProtect NG
- Imperva Incapsula
Akamai’s DDoS mitigation solution can include CDN-based, DDoS scrubbing, and DNS components, depending on each customer’s requirements. Akamai mitigates DNS-based DDoS attacks (e.g., DNS amplification), as well as protecting DNS services from DDoS attacks. It incorporates automated rate controls, custom web application firewall (WAF) rules, monitoring tools, traffic profiles and workflows that avoid unnecessary mitigation actions.
See our in-depth look at Akamai DDoS Mitigation.
When Verisign’s monitors detect a DDoS attack, support personnel immediately notify customers about it and recommend a mitigation strategy. In addition to monitoring, the company offers on-demand mitigation. It also has an OpenHybrid API that enables organizations to use their existing security systems to send threat information to Verisign’s cloud-based service for possible mitigation.
See our in-depth look at Verisign DDoS Protection Services.
Radware DDoS protection solutions and web application security offerings provide integrated application and network security. Its Attack Mitigation Solution is a hybrid DDoS protection solution that integrates always-on detection and mitigation with cloud-based volumetric DDoS attack prevention, scrubbing, and 24×7 cyberattack and DDoS security.
See our in-depth look at Radware DDoS Protection.
Cloudflare’s cloud-based DDoS protection system can deal with layer 7 attacks as well as layer 3 and layer 4 attacks. Instead of using dedicated anti-DDoS hardware, every machine in its global network takes part in DDoS mitigation. It has over 15 Tbps of capacity.
See our in-depth look at Cloudflare DDoS Protection.
Arbor Networks utilizes hybrid, multi-layer defenses to protect against all types of DDoS threats. On-premises protection is delivered by Arbor’s APS, which addresses application-layer and TCP state-exhaustion attacks. It incorporates detection and mitigation technology for fast, automatic blocking of attacks.
See our in-depth look at Arbor Networks APS.
Nexusguard’s solution mitigates all types of DDoS attacks and cyberthreats. This encompasses protection against level 3 to level 7 attacks, including DDoS attacks, brute force, connection flood, ping of death, Smurf, SSL flood, zero-day attacks and more.
See our in-depth look at Nexusgard.
DOSarrest focuses on HTTP/HTTPs and protecting websites, APIs and mobile application servers on TCP ports 80 and 443. It offers cloud-based security that includes DDoS protection, a web application firewall, a CDN for enhanced performance, website monitoring and support. All are integrated using its big data analytics engine.
See our in-depth look at DOSarrest.
F5 protects against DDoS traffic targeting the cloud, networks and applications, as well as DNS attacks. It can examine network layers 3-7. F5’s DDoS Hybrid Defender addresses blended network attacks and sophisticated application attacks, while enabling SSL decryption, anti-bot capabilities and advanced detection.
See our in-depth look at F5 DDoS Protection.
Neustar SiteProtect NG is a DDoS protection service with cloud-based and hybrid options for scrubbing malicious traffic. It can put countermeasures in place to limit exposure, protect a site’s uptime and provide automated mitigation across multiple attack vectors.
See our in-depth look at Neustar SiteProtect NG.
Imperva Incapsula takes a multi-tier approach to blocking DDoS traffic. It filters traffic through a web application firewall, a DDoS rules engine and a series of progressive challenges that are invisible to legitimate traffic.
See our in-depth look at Imperva Incapsula.
Top DDoS Protection Vendors
|Akamai||Financial services, commerce, broadcasting, publishing, public sector,high-tech, SaaS,manufacturing, healthcare,energy and gaming||Seven scrubbing centers, 3.5 Tbps of network capacity
(8 Tbps by Ql 2018), 150 SOC staff, and 700 security experts
|Akamai employs automation in CDN- based and DNS components and DDoS scrubbing||Cloud||Akamai DDoS pricing is “all in” – no additional fees based on attack sizes or number of attacks.|
|Verisign||Enterprises||Network capacity of 1.7 TB per second||Initiation methods include on demand, Verisign initiated, customer activated, and always on.||Cloud||Not disclosed|
eCommerce and other verticals
|SOCs and scrubbing centers in North America, Europe, Africa, Asia and Australia||Traffic automatically routed through Radware’s cloud security POPs with no on-premises device required||Cloud and on-premises||Not disclosed|
|Cloudflare||Most verticals||The largest attack Cloudflare has seen is 600 Gbps,but can handle more. Cloudflare mitigates a DDoS attack every 3 minutes.||Automatically recognizes and
mitigates ooos attacks (L3/L4 and L7). Learns the behavior of IP addresses and bots and automatically filters bad traffic
|Cloud||Free for personal websites, $20 per
month per doma in for the professional version,and $200 for the business version
|Arbor Networks||Enterprises, government, financial services and SMBs||Network capacity of 1.14 Tbps,and a
scrubbing capacity of 1.14 Tbps
|Can act on volumetric,
TCP, and application layer DDoS attacks. uses ATLAS global
threat intelligence, and reputation data from ASERT
|On-premises appliance,VM,or AWS instance||Not disclosed|
|Nexusguard||Financial services, eCommerce, government, entertainment and service providers||Globally distributed scrubbing network||Acceleration and caching identifies frequently accessed content and compares it with cache||Cloud||Not disclosed|
|DOSarrest||Government, ecommerce, education,health,
financial, gaming and media industries
|Can deal with multiple attacks simultaneously||Machine learning used in attack and anomaly detection||Cloud||Starting from
|FS||Enterprises, financial services, and SMBs||Network capacity of 1TB per second,a
scrubbing capacity of 2 TB per second and sub-second
|Immediate protection at line rate against known bad actors
and sharing that intelligence between
on-premises deployments and cloud
|Cloud,appliance and hybrid||No pricing data avaialble|
|Neustar||Financial services. Technology,large ecommerce and retail, utilities and gaming||Can defend attacks greater than 4 Tbps and soon 8 Tbps.
Average time to mitigate is under 90 secs
|Neustar’s SOC utilizes threat analytics based on its ONS footprint plus external threat feeds||Cloud-based with on- premises hardware options||Pricing based on level of risk|
|lmperva lncapsula||Enterprise, government and healthcare||Network capacity of
3.0 TB per second, and a scrubbing capacity of 3.0 TB
|Prevents direct-to-IP DDoS attacks by hiding the IP of
|Physical appliances, and a virtual firewall compatible with Microsoft Azure||Business plan sells for $299 per site per month. Professional plans sell for $59|