Behemoth to Fight DDoS Challenges

August 6, 2014 prolog Comments Off on Behemoth to Fight DDoS Challenges

DDoS threat capabilities are increasing, and Incapusla’s “Behemoth” machine is rising to meet the challenge.


Turning Up the Power


The Internet is spreading across the globe, and computing capacities are being stretched at a blinding pace; in a sense, computer speed and resources are increasing at rates faster than society can manage. Those who are knowledgeable about the proliferation of network developments have a great deal of power at their disposal.


Some people are unfortunately abusing that power. On the global scale, computing capabilities are outpacing common security measures. Hackers are leveraging these stronger networks and computer resources to execute Distributed Denial of Service (DDoS) attacks on unsuspecting online businesses and organizations.


This boost in vulnerable technology can be seen in the recent surge in hacker attack size. DDoS attacks surpassing 100 Gbps are no longer considered outlandish, and are quickly becoming the norm. Cyber security industry experts are now talking about how to prevent the first terabyte-sized attack.


Enter; Behemoth


Recently, DDoS security provider Incapsula responded to the growing need for increased defense capabilities by introducing new Behemoth scrubbing servers. Each of the five currently deployed Behemoths can process over 100 million packets per second along with 170 Gbps of network force. A single Behemoth can already handle the biggest DDoS attacks that Incapsula has ever encountered. Together they can process over 800Gbps of DDoS traffic, twice as much as the largest DDoS attack to date.


But the capabilities of the Behemoth do not stop at just brute strength; its deployment speed is what makes it a true asset in combatting large-scale DDoS attacks.


How Does the Behemoth Work?


The beauty of the Behemoth lies in its ability to effectively manage both the Control Plane (peer connections deciding how to direct traffic between them) and the Data Plane (routers actually moving packets).


The traditional Data Plane and the Control Plane formats can manage the data flow of regular traffic; but when it comes to significant abnormalities, like massive DDoS attacks, network administrators need a device with better intuition at their disposal.


The Behemoth presides over the entire traffic flow entering Incapsula’s servers. It can communicate with the edge switches about how to efficiently distribute traffic, while simultaneously scrubbing suspicious packets.


Because of its proximity to the backbone of Incapsula’s servers, the Behemoth is able to mitigate attacks aimed at harming core infrastructure. This capability goes far beyond on-edge filtering and other network-layer defenses.



Incapsula has implemented five of these devices into their already existing PoP servers, and they plan to implement several more in the coming weeks. Within the last two months alone, the Behemoth in the Los Angeles data center mitigated an attack that reached 67 million packets per second, and another attack that hit 60 GBps of network saturation.



The mitigation hardware on the market was not up to handling the challenges of modern DDoS large-scale attacks. The hardware available was either agile, but too small to integrate on a large-scale, or big, but without the fine control needed to handle sophisticated attacks. The custom-made Behemoth allows Incapsula’s defense team to perform pinpoint packet analysis, while helping minimize false positives and optimizing traffic flow.


Comments are closed.