DDoS attacks are evolving: they are becoming more sophisticated and more distributed, and they are starting to give real headaches to cyber-security experts.
Since the focus of DDoS shifted from the network and transport layers (L3 and L4) to the application layer (L7), attacks have become more challenging to mitigate. The volume of these attacks is also getting out of control. DDoS sources, or bots, are now distributed to every corner of the earth and into anything connected to the Internet. If something has an IP address, like cameras, NAS, servers, mobiles, or IoT devices, it can be turned into a bot and commanded to attack.
So, what can a DDoS protection service do to protect you from a DDoS attack?
- Content Delivery Networks (CDNs) are a great defense against DDoS attacks because they redistribute traffic to edge servers. They eliminate the single point of failure by helping the victim (server) process traffic. CDNs can use DNS or Anycast technology.
- Web Application Firewall (WAF) uses a set of rules, blacklists, or whitelists to filter traffic. Most WAFs use behavior-based rules to measure stress (DDoS attack) against a baseline of “ordinary traffic”.
- DDoS protection mechanisms might also include rate limiting, a dashboard to manage traffic, threat intelligence databases, and managed services with support.
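The baseline comparison and rate limiting described in the list above, as an added example that is not part of the original article or any vendor's implementation: it learns an ordinary requests-per-second baseline from constructed log events, flags seconds that exceed it by an assumed factor, and lists the clients over an assumed per-second limit. All addresses, thresholds and function names are constructed for illustration.

```python
from collections import Counter

def build_sample():
    """Constructed events (second, client_ip, path); IPs are documentation ranges."""
    events = []
    # Ordinary traffic for 65 s: three clients, one request per second in total.
    for t in range(65):
        events.append((t, f"198.51.100.{t % 3 + 1}", "/"))
    # Seconds 60-64: 40 bots, each sending only 2 requests/s to one URL.
    for t in range(60, 65):
        for bot in range(40):
            events += [(t, f"203.0.113.{bot + 1}", "/search")] * 2
    return events

def baseline_rate(events, learn_seconds):
    """Mean requests/second over the learning period (assumed attack-free)."""
    learned = [e for e in events if e[0] < learn_seconds]
    return len(learned) / learn_seconds

def detect(events, learn_seconds=60, factor=10, per_client_limit=1):
    """Return (baseline, stressed_seconds, offenders).

    factor and per_client_limit are assumed tuning values, not vendor defaults.
    """
    base = baseline_rate(events, learn_seconds)
    per_second = Counter(t for t, _, _ in events if t >= learn_seconds)
    # Behavior-based rule: a second is "stressed" when it exceeds factor x baseline.
    stressed = {t for t, n in per_second.items() if n > factor * base}
    # Rate-limit step: inside stressed seconds, count requests per client.
    per_client = Counter((t, ip) for t, ip, _ in events if t in stressed)
    offenders = {ip for (t, ip), n in per_client.items() if n > per_client_limit}
    return base, sorted(stressed), sorted(offenders)

if __name__ == "__main__":
    base, stressed, offenders = detect(build_sample())
    print(f"baseline: {base:.1f} req/s")
    print(f"stressed seconds: {stressed}")
    print(f"clients over limit: {len(offenders)}")
```

Each constructed bot stays at 2 requests per second, so it is the aggregate comparison against the baseline, not any single client's rate, that reveals the distributed attack.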
In this post, we’ll review the eight best DDoS protection services, plus three more worth mentioning. All these services include all or most of the qualities that reduce the impact of a DDoS attack.
- SolarWinds Security Event Manager. A SIEM solution that uses a multi-layer approach to monitor event logs from many sources, and detect and prevent DDoS activities.
- Akamai Prolexic Routed. It uses Akamai’s massive CDN with scrubbing centers to identify and stop DDoS attacks in the cloud before they reach your assets.
- Sucuri Website Firewall. A cloud-based WAF with strong protection from DDoS attacks. It filters and blocks suspicious DDoS traffic with intelligence and GeoIP detection.
- StackPath Web Application Firewall. A cloud-based WAF with emphasis on its edge locations and various techniques to detect and mitigate incoming DDoS attacks.
- Indusface AppTrana. A fully managed application security solution, including cloud-based WAF, intelligent DDoS protection, bot control, and CDN to stop DDoS attacks.
- Cloudflare. One of the largest CDN providers, offering protection against Layer 3, 4, and 7 DDoS attacks at a maximum capacity of 37 Tbps.
- Akamai Kona Site Defender. A WAF built on top of Akamai Intelligent Edge Platform and designed to protect web assets from large DDoS attacks.
- Cloudbric’s SWAP. A fully managed web security service with a cloud-based WAF based on artificial intelligence. Cloudbric SWAP offers protection from Layer 3, 4, and 7 DDoS attacks.
- Other services:
  - Link11. A web security suite that includes DDoS protection, a secure CDN, and more.
  - AWS Shield. DDoS protection managed service for assets running on AWS, backed up by CloudFront CDN and Route53 DNS services.
  - Imperva. A cloud-based DDoS (L3/4/7) protection with 44+ DDoS scrubbing centers.
8 Best DDoS Protection Services
1. SolarWinds Security Event Manager
SolarWinds Security Event Manager (SEM) is Security Information and Event Management (SIEM) software that provides real-time analysis of security alerts generated by the network or applications. SolarWinds SEM (formerly Log & Event Manager) is capable of monitoring event logs from many sources and identifying DDoS attacks.
- Automated threat detection and response.
- Forensics analysis.
- Cyber threat intelligence.
- Compliance reporting.
How can SolarWinds Security Event Manager protect you from DDoS?
SolarWinds SEM uses cyber-threat intelligence sourced from open communities to help identify and block blacklisted IPs. It uses logs from a wide range of sources to try to go after the botnet’s Command & Control Center.
Price: The perpetual license starts at $5,093 and the subscription starts at $2,613. Register for a fully functional 30-day free trial of Security Event Manager.
2. Akamai Prolexic Routed
Akamai is one of the leaders in CDN. Among their wide product portfolio, they offer an amazing DDoS protection service known as Akamai Prolexic Routed, which is tailored for data centers. Prolexic Routed is considered one of the fastest DDoS mitigation services with Terabit-scale protection. It comes with a fully-managed DDoS protection service backed up by Akamai’s SOC team 24×7.
- Protection from Layer 3, 4, and 7 DDoS attacks.
- Access to Akamai’s 24×7 SOC.
- Industry-leading time-to-mitigate SLA.
- View traffic data in real-time through a dashboard.
How does Prolexic Routed stop DDoS attacks?
It uses its large CDN to stop attacks in the cloud before they reach the victim. The L3 (network) traffic is deflected to any of Akamai’s 20 global scrubbing centers, where traffic is analyzed and filtered. The Akamai SOC experts analyze traffic, apply an appropriate mitigation strategy, and forward legitimate traffic to its destination.
Download: Try Akamai’s Web Application Protector, a simplified DDoS and Application-Layer Security, free for 30 days.
3. Sucuri Firewall
Sucuri’s Firewall is a cloud-based WAF and Intrusion Prevention System (IPS). This comprehensive WAF is designed to protect you from the OWASP Top Ten. It can safeguard against malware, vulnerabilities, hack attempts, zero-day exploits, brute-force attacks, and of course DDoS.
- DDoS prevention and mitigation.
- Patching and system hardening.
- Zero-day exploits prevention.
- CDN with anycast to reduce traffic load and increase performance.
How does Sucuri help protect from DDoS?
Sucuri’s WAF is capable of mitigating Layer 3, 4, and 7 DDoS attacks. For Layer 7, it monitors inbound HTTP/HTTPS traffic and performs a browser challenge to verify that requests are coming from a normal browser and not from a DDoS script. Sucuri also uses Machine Learning (ML) to improve the performance of the behavioral analysis.
Price: Basic ($199.99/yr), Pro ($299.99/yr), and Business ($499.99/yr).
4. StackPath’s Web Application Firewall
StackPath’s WAF is a cloud-based service with DDoS attack protection. It uses threat identification and mitigation technology, device-level fingerprinting, and wide DDoS attack profiling. StackPath is popular for its CDN of edge locations.
- Built-in policies.
- Bot traffic protection.
- Customized rules engine.
- SSL certificate management.
How can StackPath WAF protect you against DDoS?
StackPath’s WAF can detect DDoS attacks at layers 3, 4, and 7. It uses threshold rules (domain, burst, and sub-second) to identify layer 7 (application) DDoS attacks. Once identified, it relocates resources to the single victim (via CDN) and uses ML models to allow legitimate traffic to go through.
The service can absorb up to 65 Tbps of junk traffic before it reaches your server. This uncommon level of capacity should be enough to stop some of the largest DDoS attacks ever recorded.
Pricing: CDN ($10/month) and WAF ($10/month). Request a demo.
5. Indusface AppTrana
Indusface AppTrana is a WAF that aims to put your app first by mitigating risks rather than stopping attacks. It is one of the few WAFs capable of identifying app vulnerabilities and patching them automatically.
- Vulnerability scanning.
- DDoS protection.
- Fully-managed service.
- Automated security scans and manual pen-testing.
- CDN with site acceleration.
- AppTrana portal for full visibility.
How does AppTrana help protect from DDoS?
The AppTrana DDoS protection service is capable of taking massive volumes of traffic. It monitors and filters requests from specific IP addresses based on source “geolocation” and identifies a DDoS attack (L3/4/7). It gives you access to whitelisting, in case legitimate traffic is blocked.
Pricing: Premium ($399/app/month billed monthly) and Advanced ($99/app/month billed monthly). Test AppTrana with a 14-day free trial.
6. Cloudflare
Cloudflare is one of the largest CDNs in the world, composed of hundreds of data centers distributed across more than 100 countries. Cloudflare is popular for its free tiers, such as its DNS resolution service (1.1.1.1). But the best benefit of Cloudflare’s massive CDN is the protection against malicious traffic.
- A capacity of 37 Tbps.
- Largest CDN and global Anycast network.
- Protection against Layer 3, 4, and 7 DDoS attacks.
- Rate-limiting for fine-grain control.
- Predictive security with IP reputation database.
How does Cloudflare protect you from DDoS attacks?
Since it is very likely that traffic going to your web app or site is running through Cloudflare’s network, it will catch malicious traffic upstream before it hits your server. It can identify DDoS attacks and other botnet-generated traffic, like data scraping or comment spam.
Download: Test the free plan for a single personal website.
7. Akamai Kona Site Defender
Akamai also offers Akamai Kona Site Defender, which is explicitly designed to protect web apps and sites against sophisticated DDoS attacks, as well as other common web attacks.
Akamai Kona Site Defender is a cloud-based and highly scalable DDoS protection solution for the enterprise. It provides multi-layer (Layer 3, 4, and 7) protection from the variety of new DDoS attacks. The service deflects L3 (IP, ICMP, ARP) traffic and absorbs L7 (HTTP/HTTPS) traffic at the network edge.
- Intelligent CDN with approximately 300,000 servers.
- WAF identifies and filters malicious HTTP/HTTPS traffic.
- Pre-configured L7 firewall rules.
- Create lists to control traffic based on geo-IP.
- Adaptive rate controls.
- Access to Akamai Threat Intelligence Team.
Price: Get a quote.
Download: Try Akamai’s Web Application Protector, a simplified DDoS and Application-Layer Security, free for 30 days.
8. Cloudbric SWAP
Cloudbric, headquartered in Seoul, South Korea, is a cybersecurity software development company. Cloudbric’s cloud-based WAF is considered one of the newest sophisticated solutions to protect against XSS, SQL injections, and DDoS.
Cloudbric’s WAF uses Smart Web Application Protection (SWAP), which is Cloudbric’s patented mechanism that employs AI (pattern matching, semantics, and heuristic analysis) and a set of rulesets to identify and stop attacks.
- Filters Layer 3, 4, and 7 DDoS attacks.
- WAF is based on AI and deep learning to recognize attack patterns.
- Scale up to 20 Tbps when using a CDN (Cloudbric does not offer CDN).
- Dedicated managed service with 24/7 security monitoring.
- WAF comes with a proprietary 27-rule set.
Sign up with Cloudbric to get a free trial.
Other Services Worth Mentioning.
- Link11. Leading IT security company with patented DDoS protection for websites and IT infrastructure. Link11 Web Security Suite includes DDoS protection for web, Bot management, Zero-touch WAF, threat intelligence, and Secure CDN.
- AWS Shield. Amazon Web Services (AWS) Shield is a managed DDoS protection service for applications running on AWS. An advantage of AWS Shield is that it is backed up by AWS’s CloudFront CDN and Route53 DNS service. AWS Shield provides protection for Layer 3, 4, and 7.
- Imperva. A multi-cloud platform designed to protect apps, edge, and databases. Imperva offers a cloud-based DDoS protection service that includes 44+ DDoS scrubbing centers, protection from 6 Tbps, and protection from Layer 3, 4, and 7 attacks.
The best strategy against DDoS attacks is to prepare beforehand. A successful DDoS attack can damage an entire business’s revenue, reputation, and productivity. Waiting until you are under attack and then looking for help is not a good solution.
A DDoS protection service will not stop the attack, but it will mitigate it. It will make the attack less hostile so that your server can still respond to legitimate traffic until the DDoS attacker runs out of resources.
To protect your IT infrastructure, on-premises tools like SolarWinds Security Event Manager or Akamai Prolexic Routed will do a great job. For distributed web apps, use a combination of large CDNs with intelligent WAFs. Akamai and Cloudflare have the largest combined CDN and WAF offerings, while Sucuri WAF and Indusface AppTrana have intelligent filtering systems.