1. Imperva
Imperva DDoS Protection can deal with any type of asset with a 3-second time to mitigation for any type of attack. Onboarding is said to be easy and fast, while operation is simplified with out-of-the-box policies and self-adaptive tuning capabilities. Visibility and reporting are augmented by Imperva Attack Analytics. This approach provides a holistic view of all attack types and layers, and correlates these to accelerate the investigation process while reducing alert fatigue. Imperva works across a range of industries, including eCommerce, energy, financial services, gaming, healthcare, manufacturing and technology.
Key Differentiators
- Protects websites, networks, DNS and individual IPs
- Stops Layer 3, 4 and 7 attacks
- Capacity of 9 Tbps, 65 Gpps
- 24×7 Support and SOC with global coverage
- A single stack architecture reduces latency and results in fast remediation of DDoS attacks and other web application threats
- Each of the 50 points of presence (PoPs) within the Imperva global network runs all security services (DDoS, WAF, API security, bot management)
- Imperva provides a 3-second mitigation SLA for any DDoS attack, regardless of type, size or duration, without disrupting legitimate traffic
- Delivers real-time visibility into DDoS threats with reporting and attack correlation through Imperva Attack Analytics or a SIEM integration
- Self-adaptive security policies, self-service configuration and Terraform and API support
Pricing
As of this writing, Imperva does not make its DDoS protection pricing available on its website. However, interested buyers have access to a free trial.
2. Radware
Radware offers DDoS protection across any infrastructure implementation for the public cloud, the enterprise, and specifically for service providers. It secures the data center, private cloud, public cloud and 5G infrastructure using a solution that is agnostic to the environment and was designed to help service providers protect large-scale networks.
Key Differentiators
- Radware’s attack mitigation architecture is flexible and extensible
- Can be tailored to customers such as telecom and cloud operators
- Wide security coverage with automated zero-day DDoS attack protection
- Offers hybrid, always-on and on-demand cloud DDoS service deployment options
- Cloud SSL-attack protection that maintains user data confidentiality
- Single pane of glass with unified portal and fully managed service by Radware’s Emergency Response Team
- Also offers web application security for integrated application and network security
- Combines always-on detection and mitigation with cloud-based volumetric DDoS attack prevention, scrubbing, and 24×7 cyber attack and DDoS security
Pricing
As of this writing, Radware has not made its DDoS protection pricing available on its website.
3. Neustar
Neustar UltraDDoS Protect offers 12+ Tbps of DDoS mitigation and a global dedicated data scrubbing network to help maintain an online presence, reduce the threat of theft, and protect the bottom line. Neustar offers on-premises hardware to stop smaller attacks instantly, as well as the UltraDDoS Protect cloud for when attack volume and complexity explode.
Key Differentiators
- Automation that moves attacks into mitigation quickly
- Always ready options for DNS, BGP, and hybrid configurations
- Carrier-class DDoS mitigation that includes a massive network of dedicated scrubbing capacity
- OSI Layer 3, Layer 4, Layer 7 and IPv6 capable
- Globally positioned scrubbing infrastructure
- Harnesses multiple DDoS mitigation vendor technologies including Arbor, Cisco, Citrix, Juniper, HP, Neustar
- Multiple Tier 1 internet network providers
- Offers on-premises hardware and cloud-based protection
- Neustar can secure VPN connections via VPN Protect
- Can connect to 61 global data centers for traffic control and increased security
Pricing
As of this writing, Neustar has not made its DDoS protection pricing publicly available on its website.
4. NetScout
To stop sophisticated DDoS attacks, NetScout offers a portfolio of DDoS attack protection products and services that enable organizations to customize a solution, hosted either in the cloud or on premises. Hybrid stateless, on-premises and cloud protection can stop today’s high-volume attacks, which often exceed 600GB/sec, as well as stealthy application-layer attacks against stateful infrastructure devices, such as firewalls, IPSs, and ADCs.
Key Differentiators
- Located on premises, the NetScout Arbor Edge Defense (AED) is an in-line, always-on product that can automatically detect and stop all types of DDoS attacks – especially low and slow application-layer attacks
- Placed on the network edge between the router and network firewall to provide best-of-breed DDoS protection, AED screens incoming and outgoing traffic using stateless packet processing technology
- Scales easily and blocks inbound DDoS attacks and indicators of compromise in bulk
- Its Cloud Signaling capability automatically routes traffic to one of 14 scrubbing centers for analysis and mitigation to stop the attack within minutes
- The ATLAS Security Engineering and Response Team (ASERT) provides real-time attack information that enables it to automatically block up to 90% of DDoS attack traffic before it starts inspecting the first attack packet
- Suite of automated countermeasures that identify and block more complex attacks at the network or application layers
- Stops threats such as scanning, brute force password attempts, and known Indicators of Compromise (IoCs)
- Blocks outbound traffic from compromised internal device communications with known bad sites (e.g. attacker command & control infrastructure)
Pricing
As of this writing, NetScout has not made its DDoS protection pricing available on its website.
5. Ribbon
Ribbon offers a suite of core Session Border Controllers with advanced DDoS detection and mitigation capabilities. It provides DDoS detection and mitigation through configuration and dynamic adaptation at scale, with little to no impact on traffic throughput or packet processing.
Key Differentiators
- ACL policing applies access level control to allow traffic from trusted pre-configured IP addresses
- IP address learning: when the IP addresses used by valid peers/endpoints are not known in advance or may change dynamically, peers are confirmed as trusted only after receipt of specific valid SIP requests
- Media packet policing accepts media packets only if they correspond to a session negotiated via SIP/SDP signaling
- Media address learning: If a peer media address advertised in SIP/SDP does not match the actual source address of the RTP packets, it is possible to learn the peer media address to perform policing of subsequent packets
- Priority-aware packet policing: rate limits SIP signaling packets on a microflow basis and gives higher priority to packets from authenticated sources than to those from unknown sources, increasing the likelihood that desired traffic gets through while malicious traffic is stopped
- Application-level call admission control (CAC): rate limits traffic at the peer, IP trunk, or IP trunk group level, and can also be provided to limit bandwidth usage
Pricing
As of this writing, Ribbon has not made its DDoS protection pricing available on its website.