Infrastructure & Mitigation Technologies
Deployment & Service Methods
Help & Support
DDoS Protection Services Review
How to Choose a DDoS Protection Service
The top performers in our review are Imperva Incapsula Enterprise, the Gold Award winner; F5 Silverline DDoS Protection, the Silver Award winner; and Arbor Cloud, the Bronze Award winner. Here’s more on choosing a provider to meet your needs, along with details on how we arrived at our ranking of these 10 services.
According to top distributed denial of service (DDoS) protection service providers, DDoS attacks are on the rise and costing companies more than ever. But what is DDoS and what does it mean? You've heard of certain famous cyberattacks; remember when PlayStation and Xbox were down during Christmas 2014? Many of the most infamous hacks in computer history were caused by DDoS attacks.
When a DDoS attack happens, a hacker is deliberately trying to crash someone's network, website or specific network component, like a router. The reasons behind these attacks vary. Some are caused by hacker activists or "hacktivists" trying to draw attention to their cause, while others are caused by commerce. There have been cases where competing companies have sabotaged one another to undermine customer confidence, damage a company's brand and drive traffic to their own site. DDoS attacks contribute not only to huge financial losses, but losses in customer loyalty. Imagine having the power to bring your competitor's business to a screeching halt.
In order to prevent an attack, many corporations, especially ones that rely on network traffic and ecommerce, are increasingly turning to DDoS protection services. Some companies only call these protection services when they are under attack, but in today's world with ever-increasing threats, the smartest defense is to protect your network from troublesome hackers and malicious attacks before the threat becomes real.
How Does DDoS Work?
A DDoS attack is one of the most complex threats your business can face. And it's so complex because there are several categories of DDoS attack methods; each category has a whole host of specific attacks. The above table shows some of the common attacks used by hackers and their respective category. The goal of a DDoS attack is to shut a business down, which is commonly executed by overwhelming or exhausting the company's network or website.
One form of attack is a volumetric attack, which sounds exactly like what it does: It overwhelms a website or network with a flood of traffic, creating enough volume to destabilize a network's bandwidth or crash a site. The easiest way to think of this type of attack is to imagine a traffic jam: The roads are so congested you can't even move. With a volumetric attack, a hacker is sending so much traffic, it overwhelms the server. This does damage in two ways: One, legitimate traffic can't reach your site, and the company loses customers, potentially damaging your brand forever. Two, ecommerce shoppers cannot get through to purchase goods, costing your company thousands in revenue.
A common deployment method for a volumetric attack is a botnet, or zombie army. A botnet consists of thousands of computers that have been hacked and are being used without owners' awareness. The hacker seizes control of the infected army of computers and directs them to assault the desired target. If thousands of computers and even hundreds of thousands are all trying to access the same site at once, relentlessly submitting requests, that can crash the system, causing a DDoS outage.
To ensure your computer isn't drafted into the zombie army, installing antivirus software can detect bot activity and sweep your system. Also, be mindful of malware, as hackers often use malware, tricking you so they can control on your devices. To find the right kind of software for your computer, check out our reviews on antivirus software. We also have more articles about DDoS Protection Services in our learning center.
Application Layer Attacks
The internet is based on seven vertical layers; each layer uses certain protocols to transmit information and traffic up the chain, which is why attackers want to target various protocols and layers of the open system interconnection (OSI) model. The seventh layer processes SMTP and HTTP communication, which manages web browsers and email services, among other programs. Application layer attacks use the seventh layer to target the application interface by mimicking real or human behavior. These type of attacks are hard to detect, are more sophisticated and are gaining in popularity than other types of DDoS attacks. The goal of an application layer attack is not to overwhelm resources with a flood of requests, but rather to exhaust resources by consuming too much.
Industry research shows, starting in 2010, a spike in layer seven attacks. These attacks are stealthier and harder to detect than other methods hackers use to cripple networks.
These attacks are designed to consume server resources and those of other communication devices. These attacks operate by sending a barrage of open requests, which servers and other communication devices answer and then wait for a packet response. The requests are generated by fake IP addresses, so when your devices query back, it never goes anywhere. This causes the devices to have open resources, with less availability to answer real requests. If your servers are busy answering bogus requests, they don't have the capacity to respond to legitimate traffic. Using protocols like TCP/IP, attackers use a flood of requests that effectively shut down your network resources.
Why Does My Business Need Protection?
Market research indicates that DDoS attacks are becoming more popular and more sophisticated. The easier a target you appear to be, the more likely it is that at some point you and your website can fall victim to hackers. Just as you wouldn't wait for your house to be on fire to install a smoke detector, why wait for your business to be attacked before installing DDoS security?
Now that you know the basics of a DDoS attack, you can see the dangers in operating your business online without protection. If you run a site dependent on traffic or ecommerce, it's essential that your services be available to consumers 24/7. Therefore, being proactive about security could save you thousands in lost revenue and protect the invaluable asset of a good reputation.
How to Protect Your Business
You probably want to know how to prevent DDoS attacks. It's important to note that attacks are increasingly more sophisticated, and malicious actors are never going to stop engineering new ways to steal or corrupt online resources or data. You are never going to be 100 percent protected from every threat, but you can elect to have the best DDoS protection from industry leaders who work every day to track and combat new threats; some services guarantee 100 percent up time. In addition to DDoS protection, it's important to cover your other bases, especially with employee security training. Teaching your staff what DDoS attack traffic patterns look like and how to respond to them when you are under attack can be extremely helpful in lessening the effects of an attack.
That said, there are a variety of methods to mitigate and prevent DDoS attacks, most of which employ some form of traffic re-routing.
Threat mitigation and protection comprises three parts: infrastructure, methodology and deployment. Think of this model in the following way: If a provider has the methods to defend you from an attack but no infrastructure to support its resources, then the provider can't really use the methods. Further, if a provider has both the methods and infrastructure, but they can't effectively deploy technologies, then none of these methods help you when you need it most. The takeaway here is that you need a provider who can accommodate all three protection layers. They need to have a strong, fortified network that can handle incredible bandwidth and traffic, a variety of protection methods to suit your business network and site design, and fast, responsive deployment techniques customizable for your particular needs.
One important thing to consider is customization and scalability. As your business grows, your resources will likely grow as well, which means you could outgrow your original protection model. So you need to customize your service. It also means that as you grow, the cost could become greater, so it's important to opt for a service offering scalability payment models.
The first important aspect of a service provider's threat mitigation and protection ability involves infrastructure; specifically, the provider's capacity to detect and filter traffic. The greater the capacity, the more effectively the service can mitigate an attack. Several components contribute to capacity. Network capacity speaks to the total network bandwidth. Scrubbing capacity refers to the total bandwidth dedicated to cleaning traffic. That's an important difference. Think of it like a person's strength; you might have strong muscles, but how much of your strength are you using to lift a heavy object you don't normally lift regularly? The difference is fine, but relevant.
Data centers, also known as security operations centers (SOCs) are also important for infrastructure capacity. SOCs are scattered globally and use software and hardware as well as trained, skilled technicians to constantly monitor and scrub infected traffic. These data centers are the core of a service provider's ability to detect and stop a DDoS attack. The more SOCs and the more globally diverse or spread out they are, the better.
The geographic location of the SOC matters, because depending on traffics' origin, the farther the traffic has to travel, the slower the response may be, so having data centers spread out across the world ensures fast traffic optimization, monitoring, detection and mitigation. Location matters for another reason as well, redundancy, or in this case, a backup system that is in place should the primary one fail.
Normally, this term has a negative connotation, but in the case of security, redundancy is crucial. If a data center were to go down because of a natural disaster, you'd need a redundant network, where another nearby data center picks up the traffic of the affected data center.
These are some of the most important aspects of a service provider's infrastructure you should be aware of that allow a provider to offer fast and effective mitigation techniques.
Besides an extensive infrastructure, the second component of a good DDoS service is that the service providers have many methods at their disposal to mitigate attacks. Most of them involve re-routing traffic, controlling traffic rates or inspecting traffic; however, the important thing to note is that many of these methods are shared across the board by DDoS providers. What separates the winners from the losers, though, is the infrastructure enabling these techniques.
Mitigation services employ several different strategies to thwart DDoS attacks. Web proxies, BGP and DNS are all methods used to redirect traffic to a safe location or scrubbing center where technicians can cleanse traffic and wait out a hacker's attacks. All of these methods are effective for web traffic and require minor changes on your end, if any.
Other methods involve detection and inspections, like deep packet inspection or bot discernment. Both techniques inspect traffic on a deeper level to determine if the traffic is safe. They may also use behavioral identification to see if traffic acts in a malicious fashion, which is done by monitoring the communications in a network for behaviors associated with botnets, such as a high number of failed connections or communicating via IP addresses rather than server names, which is what most legitimate traffic does. Many of these behavioral-identification methods lead to query challenges, which like a CAPTCHA, force the traffic to pass an obstacle requiring verification before allowing the traffic to pass.
Most of the time these challenges are invisible to the user, unless one of the challenges is, in fact, a CAPTCHA. However, to protect the brand and image of the client they are protecting while not compromising speed and usability, providers usually offer a certain level of convenience to the end user. For the most part, protection happens seamlessly and so quickly that an end user has no knowledge of these security verification measures.
The last component in the three-piece model is deployment. Deployment is customized based on your needs, allowing you to choose from a variety of service levels, such as always on or on demand. In addition, deployment covers the method in which you want those services deployed, such as via the cloud or a hybrid model: cloud and on-site hardware, for instance. It might be helpful to think of this like eating from a cafeteria or fast-food establishment. You choose what to eat (service plan; e.g., always on), and then you choose how you want to eat it (deployment method; e.g., cloud.)
Deployment and service plans are entirely dependent on your level of risk, how much hardware you have, your level of IT support and your budget. If you have a high-risk website, like an ecommerce site that would severely impact your business if it went down, then always on would be important, and since you run an online business, you probably don't have a lot of network devices, so you'd probably want cloud-based deployment. On the other hand, if you have a low-risk, device-heavy network, you might prefer on-demand coverage and hybrid deployment using a mix of on-site hardware and cloud mitigation.
Once you choose a service provider, they can work with you to customize a service arrangement that best fits your needs.
Management & Support Options
Two additional categories to consider include management and support options, which help you maintain an effective protection strategy.
For the most part, DDoS is such a complex topic that most, if not all, providers manage the software for you. You have access to view reports and network activity, but you cannot configure your security settings. Still, if it's important for you to have hands-on management, you'll want to choose a provider that offers a management dashboard, which you log into through a web portal.
The exception, though, is if you opt for on-site deployment, thus on-site management, which is going to require you to provide the equipment, network bandwidth and IT support to configure and maintain your hardware.
Another concern is support. In the event of an attack, most providers will notify you of an attack, rather than you calling them; however, there is a two-part exception to this method. One is that if you opt for on-demand protection, you still have to call the provider when traffic spikes to confirm an imminent attack. Two, if you are delayed in responding to an internet security threat until one is already underway, you risk losing money and your reputation while you scramble to reach your DDoS service provider to resolve the problem. In both cases, it's extremely important that you reach the provider 24/7. Customer service is crucial.
In addition to choosing the best DDoS system for your network and business, we recommend working out a customized strategy of service and deployment with the provider you choose. We cannot emphasize it enough: We sincerely recommend being proactive in your internet security. If you feel that your business might be susceptible to attack, read our reviews to learn more about DDoS service providers, the services and methods they offer, and how well they compare against each other.
Evaluation Methods: How We Assessed DDoS Programs
At Top Ten Reviews, we typically test each provider's services; however, in this case, where it's impossible to simulate a cyberattack consisting of thousands of computers attacking one website at once, we had to rely on alternative methods for evaluation. We gleaned information about providers through phone interviews with company technicians and independent research. Through personal interviews with DDoS mitigation experts and independent research of each company’s website, white papers and additional resources, we tapped the current body of knowledge about the most important and need-to-know features of DDoS protection so we can tell you who and what your best option is for DDoS protection.
In addition, the DDoS service providers we reviewed in our lineup had no input or influence over our test methodology, nor was the methodology provided to any of them in more detail than is available through reading our reviews. Last, the results of our evaluation were not given to providers in advance of publication.
DDoS Protection Services: Our Verdict & Recommendations
With DDoS attacks growing in complexity and size daily, you need a DDoS protection service with a robust network and variety of mitigation techniques to thwart any attacks directed at your site. We found that Incapsula Enterprise, F5 Silverline DDoS Protection and Arbor Cloud offered the best protection.
Imperva Incapsula’s growing global network and scrubbing capacities equip it with the size needed to thwart large-scale volumetric attacks. Combined with the 27 data centers located all over the world, the service is prepared for even the most advanced DDoS attacks. In addition to enormous network capacity and a high number of data centers, Incapsula hosts a variety of mitigation techniques that intercept application layer, volumetric and protocol attacks.
With the recent acquisition of Defense.net, F5 has adjusted its service to offer cloud-based, on-site and hybrid deployment methods. Using both hardware and the cloud, F5 Silverline Protection is equipped for sophisticated DDoS attacks. This service surpasses Incapsula in scrubbing capacity, providing 2TB of bandwidth to filter, clean and remove infected traffic. While the service does not offer unlimited mitigation, you can use this protection service on-demand or always on, customizing it to fit the needs of your company.
Similar to the other top contenders, Arbor Cloud offers a large network and scrubbing capacity. With 1.14TB of bandwidth, the service is prepared for volumetric attacks. The service offers a variety of protection techniques, including IP blocking, rate limiting, automatic bot discernment and more. While the cloud-based mitigation techniques are impressive, Arbor is known for its hardware. The service is in a unique position, where it offers its advanced hardware to many of its competitors.
While DDoS protection services employ similar mitigation techniques to thwart attacks, they differ in price, deployment methods and network size. While bigger does not necessarily mean better, the services that offer larger networks and more mitigation technologies allow for more customization so that you employ the best protection service for your IT infrastructure.