Distributed denial of service (DDoS) attacks can cripple an organization, a network, or even an entire country, and they show no sign of slowing down.
While there are some things security teams can do to prepare for DDoS attacks and even lessen the impact of attacks in progress, the growing sophistication of such attacks has sparked strong growth in the market for DDoS solutions and services.
Most of the vendors listed here scored well in the Forrester DDoS Wave. In addition to handling traditional DDoS attacks, they incorporate cloud, mobile and IoT features, as well as a number of advanced features and services.
Akamai offers three purpose-built cloud solutions to provide end-to-end DDoS defense for organizations. The combination of Prolexic, Edge DNS, and App & API Protector is recommended for the highest quality of DDoS mitigation to keep applications, data centers, and internet-facing infrastructure (public or private) protected. Effective mitigation techniques are available for all classes of application-layer DDoS/DoS attacks, including those designed to exhaust resources, those that exploit vulnerabilities that can cause availability issues (such as buffer overflows), those that exploit flaws in application business logic, those that compromise API infrastructure, and attacks performed by bots.
- Akamai’s Prolexic global security operations centers (SOCCs) provide fully managed DDoS protection, backed by industry-leading service level agreements and support. It combines mitigation with Akamai’s security operations centers to stop attacks across all ports and protocols before they become business-impacting events.
- Edge DNS is a DNS service that moves DNS resolution from on premises or data centers to the Akamai Intelligent Edge. It is architected for nonstop DNS availability and high performance, even across the largest DDoS attacks. It can be deployed as a primary or secondary solution with optional DNSSEC support to protect against DNS forgery and manipulation.
- Akamai also offers extremely robust protection against DDoS attacks at the application layer via its WAAP solution known as App & API Protector.
- Prolexic offers 10+ Tbps of dedicated DDoS scrubbing capability to mitigate attacks instantly via its zero-second SLA.
- 225+ Akamai SOCC frontline responders act as an extension of a customer’s incident response team to balance automated detection and response with human engagement.
- Custom runbook/tabletop attack drills are provided to optimize incident response and maintain operational readiness.
As of this writing, Akamai has not made its DDoS protection pricing available on its website. However, interested buyers have access to a 60-day free trial of their Edge DNS solution.
Imperva DDoS Protection can deal with any type of asset with a 3-second time to mitigation for any type of attack. Onboarding is said to be easy and fast, while the operation is simplified with out-of-the-box policies and self-adaptive tuning capabilities. Visibility and reporting are augmented by Imperva Attack Analytics. This approach provides a holistic view of all attack types and layers, and correlates these to accelerate the investigation process while reducing alert fatigue. Imperva works across a range of industries, including eCommerce, energy, financial services, gaming, healthcare, manufacturing and technology.
- Protects websites, networks, DNS and individual IPs
- Stops Layer 3, 4 and 7 attacks
- Capacity of 9 Tbps, 65 Gpps
- 24×7 Support and SOC with global coverage
- A single stack architecture reduces latency and results in fast remediation of DDoS attacks and other web application threats
- Each of the 50 points of presence (PoPs) within the Imperva global network runs all security services (DDoS, WAF, API security, bot management)
- Imperva provides a 3-second mitigation SLA for any DDoS attack, regardless of type, size or duration, without disrupting legitimate traffic
- Delivers real-time visibility into DDoS threats with reporting and attack correlation through Imperva Attack Analytics or a SIEM integration
- Self-adaptive security policies, self-service configuration and Terraform and API support
As of this writing, Imperva does not make its DDoS protection pricing available on its website. However, interested buyers have access to a free trial.
Radware offers DDoS protection across any infrastructure implementation for the public cloud, the enterprise, and specifically for service providers. It secures the data center, private cloud, public cloud and 5G infrastructure using a solution that is agnostic to the environment and was designed to help service providers protect large-scale networks.
- Radware’s attack mitigation architecture is flexible and extensible
- Can be tailored to customers such as telecom and cloud operators
- Wide security coverage with automated zero-day DDoS attack protection
- Offers hybrid, always-on and on-demand cloud DDoS service deployment options
- Cloud SSL-attack protection that maintains user data confidentiality
- Single pane of glass with unified portal and fully managed service by Radware’s Emergency Response Team
- Also offers web application security for integrated application and network security
- Combines always-on detection and mitigation with cloud-based volumetric DDoS attack prevention, scrubbing, and 24×7 cyber attack and DDoS security
As of this writing, Radware has not made its DDoS protection pricing available on its website.
Cloudflare’s cloud-based DDoS protection system can deal with layer 7 attacks as well as layer 3 and layer 4 attacks. Instead of using dedicated anti-DDoS hardware, every machine in its global network takes part in DDoS mitigation. Its DDoS protection secures websites, applications, and entire networks while ensuring the performance of legitimate traffic is not compromised.
- Cloudflare’s 100 Tbps network blocks an average of 76 billion threats per day, including some of the largest DDoS attacks in history
- Its unmetered, always-on DDoS protection for web assets (HTTP/HTTPS) is backed by intelligence harnessed from Cloudflare’s global network
- Works in tandem with Cloudflare’s cloud web application firewall (WAF), Bot Management, and other L3/4 security services to protect assets from cyber threats
- Cloudflare Spectrum is a reverse proxy service that provides DDoS protection for any application (not just the web), such as FTP, SSH, VoIP, gaming, or any application running over a TCP/UDP protocol, and comes with built-in load balancing and traffic acceleration for L4 traffic
- Cloudflare Magic Transit provides BGP-based DDoS protection for network infrastructure, either in always-on or on-demand deployment modes
- Data centers in all 250 cities across 100 countries announce customer subnets to ingest network traffic and mitigate threats close to the source of attack
- Centralized and decentralized mitigation systems work in concert to identify and mitigate most DDoS attacks in under 3 seconds
- Preconfigured static rules are deployed in less than 1 second
- Built-in analytics give insights into traffic patterns, threats observed (and blocked) from the dashboard or via the Cloudflare GraphQL API
- Can be integrated with third-party SIEMs
As of this writing, Cloudflare has not made its DDoS protection pricing available on its website.
Neustar UltraDDoS Protect offers 12+ Tbps of DDoS mitigation and a global dedicated data scrubbing network to help maintain an online presence, reduce the threat of theft, and protect the bottom line. Neustar offers on-premises hardware to stop smaller attacks instantly, as well as the UltraDDoS Protect cloud for when attack volume and complexity explode.
- Automation that moves attacks into mitigation quickly
- Always ready options for DNS, BGP, and hybrid configurations
- Carrier-class DDoS mitigation that includes a massive network of dedicated scrubbing capacity
- OSI Layer 3, Layer 4, Layer 7 and IPv6 capable
- Globally positioned scrubbing infrastructure
- Harnesses multiple DDoS mitigation vendor technologies including Arbor, Cisco, Citrix, Juniper, HP, Neustar
- Multiple Tier 1 internet network providers
- Offers on-premises hardware and cloud-based protection
- Neustar can secure VPN connections via VPN Protect
- Can connect to 61 global data centers for traffic control and increased security
As of this writing, Neustar has not made its DDoS protection pricing publicly available on its website.
To stop sophisticated DDoS attacks, NetScout offers a portfolio of DDoS attack protection products and services that enable organizations to customize a solution, hosted either in the cloud or on premises. Hybrid stateless, on-premises and cloud protection can stop today’s high-volume attacks, which often exceed 600GB/sec, as well as stealthy application-layer attacks against stateful infrastructure devices, such as firewalls, IPSs, and ADCs.
- Located on premises, the NetScout Arbor Edge Defense (AED) is an in-line, always-on product that can automatically detect and stop all types of DDoS attacks – especially low and slow application-layer attacks
- Placed on the network edge between the router and network firewall to provide best-of-breed DDoS protection, AED screens incoming and outgoing traffic using stateless packet processing technology
- Can easily scale and block in bulk inbound DDoS attacks and indicators of compromise
- Its Cloud Signaling capability automatically routes traffic to one of 14 scrubbing centers for analysis and mitigation to stop the attack within minutes
- The ATLAS Security Engineering and Response Team (ASERT) provides real-time attack information that enables it to automatically block up to 90% of DDoS attack traffic before it starts inspecting the first attack packet
- Suite of automated countermeasures that identify and block more complex attacks at the network or application layers
- Stops threats such as scanning, brute force password attempts, and known Indicators of Compromise (IoCs)
- Blocks outbound traffic from compromised internal device communications with known bad sites (e.g. attacker command & control infrastructure)
As of this writing, NetScout has not made its DDoS protection pricing available on its website.
Ribbon offers a suite of core Session Border Controllers with advanced DDoS detection and mitigation capabilities. It provides DDoS detection and mitigation through configuration and dynamic adaptation at scale, with little to no impact on traffic throughput or packet processing.
- ACL policing applies access level control to allow traffic from trusted pre-configured IP addresses
- IP address learning: When IP addresses used by valid peers/endpoints are not known prior or may change dynamically, peers are confirmed as trusted only after receipt of specific valid SIP requests
- Media packet policing accepts media packets only if they correspond to a session negotiated via SIP/SDP signaling
- Media address learning: If a peer media address advertised in SIP/SDP does not match the actual source address of the RTP packets, it is possible to learn the peer media address to perform policing of subsequent packets
- Priority aware packet policing: rate limit SIP signaling packets on a microflow basis and give higher priority to packets from authenticated sources than those from unknown sources to increase the likelihood that desired traffic gets let through while malicious traffic is stopped
- Application-level call admission control (CAC) rate limits traffic at the peer/IP trunk/IP trunk group level and can also be used to limit bandwidth usage
As of this writing, Ribbon has not made its DDoS protection pricing available on its website.
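The priority-aware packet policing and IP address learning items in the Ribbon list above can be illustrated with a per-microflow token bucket whose allowance depends on whether the source has been learned as trusted. This is an added example, not Ribbon's code; the class names, limits and addresses are constructed, and priority is modelled simply as a larger per-flow budget.

```python
class TokenBucket:
    """Classic token bucket: `rate` tokens/second, capacity `burst`."""
    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, now

    def allow(self, now):
        # Refill for the elapsed time, capped at the burst size, then spend one token.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SipPolicer:
    # Constructed (rate, burst) limits in packets/second; not vendor defaults.
    LIMITS = {"trusted": (50.0, 100.0), "unknown": (2.0, 4.0)}

    def __init__(self):
        self.trusted = set()   # source IPs learned from valid SIP requests
        self.buckets = {}      # (src_ip, src_port) microflow -> TokenBucket

    def learn(self, src_ip):
        """Call after a valid SIP request from src_ip (validation is out of scope here)."""
        self.trusted.add(src_ip)
        # Discard the restrictive buckets so the peer's flows get the trusted allowance.
        self.buckets = {f: b for f, b in self.buckets.items() if f[0] != src_ip}

    def admit(self, src_ip, src_port, now):
        """Return True if this signaling packet is within its microflow's budget."""
        flow = (src_ip, src_port)
        if flow not in self.buckets:
            tier = "trusted" if src_ip in self.trusted else "unknown"
            self.buckets[flow] = TokenBucket(*self.LIMITS[tier], now)
        return self.buckets[flow].allow(now)


def simulate():
    """Constructed traffic: 16 packets per source at 8 packets/second."""
    policer = SipPolicer()
    policer.learn("192.0.2.10")                        # learned peer
    admitted = {"192.0.2.10": 0, "198.51.100.7": 0}    # second source is unknown
    for i in range(16):
        for ip in admitted:
            if policer.admit(ip, 5060, now=i * 0.125):
                admitted[ip] += 1
    return admitted


if __name__ == "__main__":
    print(simulate())
```

A production policer would also bound and age the flow table, since traffic from many spoofed sources creates one entry per source.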
Amazon Web Services
AWS Shield is a managed DDoS protection service that safeguards applications running on AWS. It defends against the most common, frequently occurring network and transport layer attacks that target web sites or applications. It provides always-on detection and automatic inline mitigations that minimize application downtime and latency.
- No need to engage AWS Support to benefit from DDoS protection
- All AWS customers benefit from the automatic protections of AWS Shield Standard at no additional charge to defend against most of the common, frequently occurring network and transport layer DDoS attacks
- Using AWS Shield Standard with Amazon CloudFront and Amazon Route 53 provides comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks
- For higher levels of protection against attacks targeting applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 resources, the company offers AWS Shield Advanced. In addition to the network and transport layer protections that come with Standard, AWS Shield Advanced provides additional detection and mitigation against sophisticated and large DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall.
- AWS Shield Advanced offers 24×7 access to the AWS Shield Response Team (SRT) and protection against DDoS related spikes in Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 charges.
AWS Shield comes in two subscription tiers: Standard and Advanced. AWS Shield Standard has no monthly fee.
AWS Shield Advanced offers its features for $3,000 per organization per month. Amazon requires AWS Shield Advanced subscribers to commit for a minimum of 1 year when selecting this subscription tier.
GCore provides both web application and server-level DDoS protection services with an edge cloud infrastructure. These services can protect against up to three layers of attack, most commonly the network (L3) and transport (L4) layers. Real-time bot protection and a next-generation firewall (NGFW) are also part of its offering. Interested buyers can also contact GCore to develop custom features suited for their business’s needs.
- Real-time bot protection by blocking unwanted bot traffic directed toward your website and API
- Over 140 points of presence (PoPs) across 5 continents
- Supports HTTP/2, IPv6, and web sockets
- Focuses on blocking sessions instead of individual IP addresses
- Can provide load balancing options including Round Robin, Weighted Round Robin, and IP hash
- Can be packaged with other GCore offerings, including an all-in-one streaming platform and global hosting
GCore offers its web application DNS services at 3 pricing tiers. Free is offered at no cost but with limited features. Pro provides more features at a cost of $2.95 per month. Enterprise provides the most features and has a minimum cost of $295 per month.
Both Pro and Enterprise also charge request fees after a certain number of requests. Pro begins charging $0.20 per million requests after the first 10 million requests. Enterprise charges $0.16 per million requests after the first 1 billion requests.
For server protection, GCore’s three pricing tiers are a little different. The Start tier charges $2.60 per month for L3 and L4 protection for 1 Mbps. The Pro tier costs $3.90 per month for L3, L4, and L7 protection for 1 Mbps. The Custom tier provides further features but requires contacting GCore’s sales team for a quote. GCore does warn interested buyers that their prices might change depending on location.
DDoS Protection Techniques
DDoS protection providers can defend your network or website through a number of different tactics and techniques. Each comes with its own strengths and weaknesses. The three most commonly used tactics are the clean pipe method, content delivery network (CDN) dilution, and TCP/UDP-DDoS proxy.
The clean pipe method essentially directs all traffic through a decontamination pipeline, identifying and separating malicious traffic from legitimate traffic. The malicious traffic is then blocked, while the legitimate traffic is allowed to access your website.
A CDN is a collection of distributed networks that serve content to users. As such, servers closest to a user will provide them with content instead of the original server. The large bandwidth a CDN offers makes it ideal for soaking up DDoS attacks at network (L3) and transport (L4) layers. Additionally, since the original server is not the one responding to user requests, it’s much harder for DDoS attacks to reach the target server.
Finally, TCP/UDP proxy protection functions similarly to CDN dilution but for services that use transmission control protocol (TCP) or user datagram protocol (UDP). Services that use these protocols include email and gaming platforms.
Bottom Line: How to Choose a DDoS Protection Service Provider
Core DDoS solution features include detection of the early stages of an attack, the scale to absorb the volume of traffic, and the ability to mitigate the source of the attack. This can be done via static or custom rules, or through an evolving set of defensive actions as the attack morphs toward additional targets.
A good DDoS protection solution should offer:
- A service level agreement with a guaranteed time to mitigation (TTM)
- Consistent application uptime and availability
- Quality and accuracy of mitigation
- Fast and simple on-boarding
- Integrations with Terraform and other APIs
In addition, most DDoS mitigation solution providers bundle Web Application Firewall functionality to prevent DDoS attacks at the application layer. However, voice over IP (VoIP) and telecom-based DDoS campaigns are very much on the rise. As VoIP is not a traditional web application, IT teams should verify that VoIP protection is included in their DDoS solution to effectively protect voice, communication, and collaboration applications.