Infrastructure Protection – Introduction

Incapsula’s Infrastructure Protection allows organizations to protect entire networks and subnets from network (Layer 3 and 4) DDoS attacks . Infrastructure Protection can be used to protect any online asset such as websites, DNS servers, SMTP servers and any other IP based application. This service leverages Incapsula’s multi-terabit network capacity and packet processing capabilities to absorb and mitigate the largest and most sophisticated DDoS attacks.

Incapsula Infrastructure Protection can be deployed as an always-on or an on-demand solution and can be combined with all Incapsula services for extending protection and monitoring capabilities.


  • Layer 3 and 4 DDoS protection for IP ranges and subnets hosting any IP based application
  • Terabit DDoS scrubbing capabilities
  • Attack monitoring and mitigation backed up by 24x7 NOC and SOC teams
  • SLA for DDoS mitigation performance
  • Real-time dashboard for traffic monitoring and event analysis

How Does Infrastructure Protection Work?

Incapsula Infrastructure Protection allows organizations to tunnel all ingress traffic (traffic from the Internet to the origin network) through the Incapsula network. The organization's edge routers use the Border Gateway Protocol (BGP) to announce subnets and IP ranges to be advertised by Incapsula, forcing all Internet routes pointing at their data center to point at Incapsula instead. Infrastructure Protection uses Generic Routing Encapsulation (GRE) tunneling to forward traffic to the origin network after the traffic has been scrubbed from any DDoS attack.

The Behemoth

At the core of Incapsula’s Infrastructure Protection service is its proprietary DDoS scrubbing appliance named Behemoth. The Behemoth performs all Layer 3 and Layer 4 DDoS scrubbing and then tunnels clean traffic over a GRE tunnel to the origin network. Each of Incapsula’s data centers is equipped with one or more Behemoth appliances. In addition to scrubbing any DDoS attack, Behemoth provides packet level visibility and packet flow control to our 24x7 Operations Center teams.

Traffic Flow

The Border Gateway Protocol (BGP) is used to control the traffic flow and route traffic through the Incapsula network. In order to route traffic sent to the origin network through Incapsula, organizations configure their routers to announce that their IP ranges are to be advertised by the Incapsula routers. This is done by establishing BGP peering between the Incapsula router and the organization’s routers.

Once Incapsula starts advertising the customer’s IP ranges, all Internet routes for the origin network point at the Incapsula network. Ingress traffic sent to the protected IP ranges is automatically routed to Incapsula where DDoS scrubbing takes place. After the traffic has been scrubbed, Incapsula forwards clean traffic to the origin network over a pre-established GRE tunnel.

Infrastructure Protection uses an asymmetric channel in which ingress traffic is routed through Incapsula, while egress traffic (traffic from the origin network to the Internet) is routed through the organization’s ISP.

During an Attack

Infrastructure Protection can be deployed as an always-on or an on-demand solution. Organizations choosing to deploy Infrastructure Protection as an always-on solution route their traffic through Incapsula at all times. Organizations choosing to deploy Infrastructure Protection as an on-demand solution route their traffic through Incapsula only when they are under a DDoS attack.

Infrastructure Protection reacts to DDoS attacks at a micro-second scale by utilizing multiple mechanisms, such as detecting anomalies in traffic patterns and identifying known attack patterns. Attack mitigation engines are dynamically adjusted according to the attack severity as well as the state of the origin network. After traffic has been scrubbed, clean traffic is forwarded to the origin network over a GRE tunnel.

Infrastructure Protection is backed up by 24x7 NOC and SOC teams that monitor attacks, adjust detection and mitigation configuration, and respond to customer requests and enquiries.

Why Does Incapsula Use a GRE Tunnel?

Incapsula uses a GRE tunnel to route clean traffic to the origin (and also to establish BGP peering for on-demand Infrastructure Protection deployments).

When Incapsula advertises the customer’s IPs or IP ranges, all packets targeted to these IPs/ranges are directed to the Incapsula network. The Incapsula Behemoth appliances scrub the traffic, filtering incoming packets and dropping any DDoS attack packets. The remaining “legitimate” packets are passed on to the customer according to their destination IP through the GRE tunnel.

The GRE tunnel is the only way that the packets can reach the customer at this point, because Incapsula is the only entity advertising the customer’s IPs/ranges. This means that even if Incapsula were to send the packets back to the Internet, they would return to Incapsula again.

How To

Read More