The technical evaluation of vendors is split into three categories:
Deployment options, mitigation capabilities, and user experience UX. The following table provides a top-level summary of all three categories; a detailed analysis can be found in each of the following sections.
The technical evaluation of vendors is split into three categories:
Deployment options, mitigation capabilities, and user experience UX. The following table provides a top-level summary of all three categories; a detailed analysis can be found in each of the following sections.
Deployment & Service Options |
|||||
Cloud ProtectionA DDoS protection provisioned as a service that is based on scrubbing centers on the cloud to which organizational traffic is routed. (read more) |
|||||
On-premises ProtectionOn-premises DDoS protection is a term used in DDoS mitigation architecture to describe technologies positioned at customer premises typically an appliance or a virtual appliance inside the customer data center. On-premises is in contrast to cloud based protection. (read more) |
|||||
Web Protection (DNS diversion) |
|||||
Infrastructure Protection
|
|||||
Fully Managed ServiceA DDoS service where the customer isn’t required to take any proactive action in order be fully protected, and the vendor is responsible for initiating all security activities. (read more) |
F5 offers fully managed service. | ||||
Non-web protocols Support |
|||||
Number of Data CentersThe number of data centers, also referred as POPs (points of presence) or ‘scrubbing centers’, that a vendor offers. It does not have a direct impact on the DDoS mitigation but may still act as an important decision factor. (read more) |
30 | 86 | 4 | ||
SMB plansDDoS SMB mitigation plans are intended for SMBs (Small-Medium Business) and are defined here as plans with a cost lower than $5,000 annually. (read more) |
On top of their Enterprise plan, CloudFlare and Incapsula offer lower-end plans for SMBs. see SMB Section |
||||
Overall Deployment Score |
72% | 69% | 65% | ||
Mitigation Completeness |
CloudFlare mitigation is solid, but Incapsula and F5 are much more mature. | ||||
Reverse Proxy & Caching |
|||||
Web Challenges |
|||||
Signatures |
|||||
Blacklist/Whitelist |
|||||
Rate limitA technology used in DDoS mitigation that ensures that each entity does not send too many transactions to the protected server or network. (read more) |
|||||
DNS Protection
|
|||||
Overall Mitigation Score |
96% | 73% | 100% | ||
UX and Reporting |
Incapsula User Experience (UX) is excellent, CloudFlare is also very good, F5 is basic. | ||||
Look and FeelThe overall user experience provided by a service – the graphical design, organization of data and ease of navigation. (read more) |
Excellent | Good | Basic | ||
Easy of Navigation |
Excellent | Excellent | Good | ||
Security Configuration |
Good | Basic | Basic | ||
Security Events |
Excellent | Good | Excellent | ||
ForensicsDDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity.
ARE YOU READY?Answer seven online questions and get a free report assessing your protection status with recommendations for improvement |
Basic | Basic | Excellent | F5 has excellent DDoS Forensics. | |
Overall UX and Reporting Score |
77% | 69% | 65% |
Deployment & Service Options |
|||||
Cloud ProtectionA DDoS protection provisioned as a service that is based on scrubbing centers on the cloud to which organizational traffic is routed. (read more) |
|||||
On-premises ProtectionOn-premises DDoS protection is a term used in DDoS mitigation architecture to describe technologies positioned at customer premises typically an appliance or a virtual appliance inside the customer data center. On-premises is in contrast to cloud based protection. (read more) |
|||||
Web Protection (DNS diversion) |
|||||
Infrastructure Protection
|
|||||
Fully Managed ServiceA DDoS service where the customer isn’t required to take any proactive action in order be fully protected, and the vendor is responsible for initiating all security activities. (read more) |
F5 offers fully managed service. | ||||
Non-web protocols Support |
|||||
Number of Data CentersThe number of data centers, also referred as POPs (points of presence) or ‘scrubbing centers’, that a vendor offers. It does not have a direct impact on the DDoS mitigation but may still act as an important decision factor. (read more) |
30 | 86 | 4 | ||
SMB plansDDoS SMB mitigation plans are intended for SMBs (Small-Medium Business) and are defined here as plans with a cost lower than $5,000 annually. (read more) |
On top of their Enterprise plan, CloudFlare and Incapsula offer lower-end plans for SMBs. see SMB Section |
||||
Overall Deployment Score |
72% | 69% | 65% | ||
Mitigation Completeness |
CloudFlare mitigation is solid, but Incapsula and F5 are much more mature. | ||||
Reverse Proxy & Caching |
|||||
Web Challenges |
|||||
Signatures |
|||||
Blacklist/Whitelist |
|||||
Rate limitA technology used in DDoS mitigation that ensures that each entity does not send too many transactions to the protected server or network. (read more) |
|||||
DNS Protection
|
|||||
Overall Mitigation Score |
96% | 73% | 100% | ||
UX and Reporting |
Incapsula User Experience (UX) is excellent, CloudFlare is also very good, F5 is basic. | ||||
Look and FeelThe overall user experience provided by a service – the graphical design, organization of data and ease of navigation. (read more) |
Excellent | Good | Basic | ||
Easy of Navigation |
Excellent | Excellent | Good | ||
Security Configuration |
Good | Basic | Basic | ||
Security Events |
Excellent | Good | Excellent | ||
ForensicsDDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity.
ARE YOU READY?Answer seven online questions and get a free report assessing your protection status with recommendations for improvement |
Basic | Basic | Excellent | F5 has excellent DDoS Forensics. | |
Overall UX and Reporting Score |
77% | 69% | 65% |
Pricing is obviously a major factor in selecting a vendor. Where possible we added the pricing of the portrayed services including pricing of SMBs plans and naked pricing factors for F5 and Incapsula. Unfortunately, vendor do not will to share their Enterprise prices and you will need to toil and get a quote from each one.
This section compares the cloud-based and appliance-based deployment options provided by vendors. This section, more than any other, contains items that are “deal breakers” for the customer and can scope out a vendor.
When using a cloud-based protection service, the first question you should ask is how will your traffic traverse your provider data centers (or scrubbing centers, in DDoS jargon)? The first method is DNS diversion, also referred to as web protection. Another method is BGP diversion, also called infrastructure protection. F5 and Incapsula fully support these diversion methods. CloudFlare also claims to support it, but we did not have sufficient data to validate its extent.
There is another more specific diversion method for non-web protocols that only Incapsula and F5 support.
Service level options are critical evaluation criteria for many organizations. When under attack (‘War Time’), all vendors will assume full responsibility and provide emergency response. In ‘Peace Time,’ CloudFlare and Incapsula mostly rely on self-service, whereas F5 provides fully managed service.
Diversion Method: DNSThe diversion of traffic from the customer to the DDoS cloud provider using a Domain Name Server (DNS) change. DNS diversion is one of the primary methods used divert traffic to a DDoS mitigation cloud service. (read more) | |||||
Always-onA DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent whereas in ‘On-demand’ the diversion is made only during an attack. (read more) |
|||||
On-demandA DDoS mitigation architecture that is in contrast to ‘Always-on’ diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation. (read more) |
|||||
Non-web protocols |
(IP Protection) |
Both vendors support non- web protocols. | |||
Diversion Method: BGP |
|||||
Always-onA DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent whereas in ‘On-demand’ the diversion is made only during an attack. (read more) |
|||||
On-demandA DDoS mitigation architecture that is in contrast to ‘Always-on’ diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation. (read more) |
|||||
Service Features |
|||||
SSL support – HSM
|
|||||
Emergency ResponseA team of experts that can help customers while under DDoS attack to identify, analyze and mitigate the attack. (read more) |
|||||
Fully managed serviceA DDoS service where the customer isn’t required to take any proactive action in order be fully protected, and the vendor is responsible for initiating all security activities. (read more) |
F5 offers fully managed service. | ||||
Number of Data CentersThe number of data centers, also referred as POPs (points of presence) or ‘scrubbing centers’, that a vendor offers. It does not have a direct impact on the DDoS mitigation but may still act as an important decision factor. (read more) |
30 see locations |
86 see locations |
4
see locations |
If you have acceleration needs, F5 is likely to be ruled out. | |
Entry Level |
|||||
SMB plansDDoS SMB mitigation plans are intended for SMBs (Small-Medium Business) and are defined here as plans with a cost lower than $5,000 annually. (read more) |
F5 and Incapsula offer a plan for SMBs |
Diversion Method: DNSThe diversion of traffic from the customer to the DDoS cloud provider using a Domain Name Server (DNS) change. DNS diversion is one of the primary methods used divert traffic to a DDoS mitigation cloud service. (read more) | |||||
Always-onA DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent whereas in ‘On-demand’ the diversion is made only during an attack. (read more) |
|||||
On-demandA DDoS mitigation architecture that is in contrast to ‘Always-on’ diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation. (read more) |
|||||
Non-web protocols |
(IP Protection) |
Both vendors support non- web protocols. | |||
Diversion Method: BGP |
|||||
Always-onA DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent whereas in ‘On-demand’ the diversion is made only during an attack. (read more) |
|||||
On-demandA DDoS mitigation architecture that is in contrast to ‘Always-on’ diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation. (read more) |
|||||
Service Features |
|||||
SSL support – HSM
|
|||||
Emergency ResponseA team of experts that can help customers while under DDoS attack to identify, analyze and mitigate the attack. (read more) |
|||||
Fully managed serviceA DDoS service where the customer isn’t required to take any proactive action in order be fully protected, and the vendor is responsible for initiating all security activities. (read more) |
F5 offers fully managed service. | ||||
Number of Data CentersThe number of data centers, also referred as POPs (points of presence) or ‘scrubbing centers’, that a vendor offers. It does not have a direct impact on the DDoS mitigation but may still act as an important decision factor. (read more) |
30 see locations |
86 see locations |
4
see locations |
If you have acceleration needs, F5 is likely to be ruled out. | |
Entry Level |
|||||
SMB plansDDoS SMB mitigation plans are intended for SMBs (Small-Medium Business) and are defined here as plans with a cost lower than $5,000 annually. (read more) |
F5 and Incapsula offer a plan for SMBs |
The number of data centers can be essential. If you want the service to give you acceleration, only CloudFlare and Incapsula offer a CDN with 86 and 30 POPs, respectively. Even if improving acceleration is not a goal, it is still an advantage because it ensures that you will not suffer any performance degradation. It can also be important for regulatory compliance, for example, in cases in which you cannot use a POP outside your own country.
Budget is always a critical factor. If you cannot spend more than 5,000 USD annually on DDoS mitigation, only the CloudFlare Business and Incapsula Business plans targeting SMBs are suitable. (See more under the SMBs section.)
Another way to implement DDoS mitigation is to use appliances: physical or virtual, DDoS dedicated or as a feature inside WAF or IPS. The report does not cover appliances, but it is important to know which vendor has them in case you go for a hybrid approach. F5 offers ASM (Application Security Module), while Imperva Incapsula offers Imperva SecureSphere. Both are WAF (Web Application Firewall) with DDoS capabilities.
Dedicated DDoS ApplianceAn appliance whose primary function is DDoS mitigation. A DDoS appliance can be either physical or virtual. (read more) |
||||
Physical Appliance |
||||
Virtual Appliance |
||||
WAF Appliance with DDoSA technology that protects web servers form many types of attacks and also acts as DDoS mitigation layer. (read more) |
Both F5 and Imperva/Incapsula offer DDoS mitigation features on top of their WAF appliances: F5 with ASM and Imperva with SecureSphere. | |||
Physical Appliance |
||||
Virtual Appliance |
Dedicated DDoS ApplianceAn appliance whose primary function is DDoS mitigation. A DDoS appliance can be either physical or virtual. (read more) |
||||
Physical Appliance |
||||
Virtual Appliance |
||||
WAF Appliance with DDoSA technology that protects web servers form many types of attacks and also acts as DDoS mitigation layer. (read more) |
Both F5 and Imperva/Incapsula offer DDoS mitigation features on top of their WAF appliances: F5 with ASM and Imperva with SecureSphere. | |||
Physical Appliance |
||||
Virtual Appliance |
Dedicated DDoS ApplianceAn appliance whose primary function is DDoS mitigation. A DDoS appliance can be either physical or virtual. (read more) |
||||
Physical Appliance |
||||
Virtual Appliance |
||||
WAF Appliance with DDoSA technology that protects web servers form many types of attacks and also acts as DDoS mitigation layer. (read more) |
Both F5 and Imperva/Incapsula offer DDoS mitigation features on top of their WAF appliances: F5 with ASM and Imperva with SecureSphere. | |||
Physical Appliance |
||||
Virtual Appliance |
DDoS mitigation capabilities are the core of your decision. All vendors can block the majority of DDoS attacks. Nevertheless, there are some differences that are covered below. CloudFlare has significant security gaps because it lacks Rate Limit and its web challenges type is partial.
DDoS mitigation capabilities are the core of your decision. All vendors can block the majority of DDoS attacks. Nevertheless, there are some differences that are covered below. CloudFlare has significant security gaps because it lacks Rate Limit and its web challenges type is partial.
All vendors offer web proxy with caching capabilities. This extremely basic technology is the most effective, and will block many attacks.
However, attackers are persistent today, and can find ways to pass this mitigation, foremost by attacking dynamic pages, leading us to the next most significant mitigation – web challenges.
Ideally, we want the vendor to address the entire spectrum of challenges. F5 fulfills this demand completely! Incapsula is almost there, with one challenge (NoCAPTCHA ReCAPTCHA) missing. CloudFlare, on the other hand, has more gaps. It does not have the Cookie Validation, which in most cases is all you need to stop an attack with minimal impact on legitimate traffic.
Proxy / Caching |
|||||
Reverse ProxyA server that receives the client’s request, and then requests it indirectly from the web server. |
|||||
CachingIn DDoS mitigation, web caching is done by reverse-proxies which act in tandem as prominent line of defense by blocking attacks from reaching the web server. (read more) |
|||||
Web Challenges |
CloudFlare Web Challenges coverage is partial. | ||||
Cookie Validation |
|||||
JavaScript Challenge |
|||||
Silent Bot Detection
|
|||||
Modern CAPTCHA |
|||||
CAPTCHA |
|||||
Signatures |
|||||
Vendor
|
|||||
Customer
|
|||||
Blacklist/Whitelist |
|||||
BL IP |
|||||
BL URL |
|||||
BL Geo-Protection |
|||||
Whitelist |
|||||
Rate limitA technology used in DDoS mitigation that ensures that each entity does not send too many transactions to the protected server or network. (read more) |
CloudFlare has a security gap in Rate Limit. | ||||
IP |
|||||
URL |
|||||
Geo-Protection |
|||||
DNS |
|||||
DNS Protection |
|||||
SCORE |
96% | 73% | 100% | CloudFlare mitigation is good, but F5 and Incapsula mitigation stack is excellent. This allows them to block attacks more accurately. |
Proxy / Caching |
|||||
Reverse ProxyA server that receives the client’s request, and then requests it indirectly from the web server. |
|||||
CachingIn DDoS mitigation, web caching is done by reverse-proxies which act in tandem as prominent line of defense by blocking attacks from reaching the web server. (read more) |
|||||
Web Challenges |
CloudFlare Web Challenges coverage is partial. | ||||
Cookie Validation |
|||||
JavaScript Challenge |
|||||
Silent Bot Detection
|
|||||
Modern CAPTCHA |
|||||
CAPTCHA |
|||||
Signatures |
|||||
Vendor
|
|||||
Customer
|
|||||
Blacklist/Whitelist |
|||||
BL IP |
|||||
BL URL |
|||||
BL Geo-Protection |
|||||
Whitelist |
|||||
Rate limitA technology used in DDoS mitigation that ensures that each entity does not send too many transactions to the protected server or network. (read more) |
CloudFlare has a security gap in Rate Limit. | ||||
IP |
|||||
URL |
|||||
Geo-Protection |
|||||
DNS |
|||||
DNS Protection |
|||||
SCORE |
96% | 73% | 100% | CloudFlare mitigation is good, but F5 and Incapsula mitigation stack is excellent. This allows them to block attacks more accurately. |
CloudFlare does not have Silent Human Investigation and, in case of a JS passing bot, you will be forced to escalate to intrusive NoCAPTCHA ReCAPTCHA. Another disturbing point is that the CloudFlare JS challenge is visible to the user. It informs the user that it is being challenged with an advertisement of CloudFlare at the same time. Not cool.
All vendors offer both vendor signatures and user signatures. In vendor signatures, CloudFlare has the advantage because it lets you see and even tune them (while Incapsula and F5 signatures perform as a black-box). In user signatures, Incapsula has the upper hand due to the simplicity of signature creation, discussed in the next section.
CloudFlare does not offer any Rate Limit-based mitigation, which is a significant security gap. Typically, it is not recommended to stop attacks with Rate Limit technologies because it can also “rate limit” legitimate users. However, in some scenarios it is still an important tool. One prominent example is to protect mobile API: Challenges are not efficient, as they often cannot be used with RESTful APIs. In these cases, Rate Limit can be your only savior.
In addition to Application Protection, also known as Web Protection, all vendors offer Network Protection (BGP-based). All vendors have a black-box approach without any visibility into the technologies being used or the ability to make any configurations.
Good User Experience (UX) is more than a nice-to-have feature. It determines how much of the existing functionality you will utilize, how quickly you will understand a security event, and how quickly you can respond while under attack.
All vendors provide a decent UX, but undoubtedly Incapsula has a clear lead over the others. Incapsula offers an excellent user interface, navigation, and look and feel. CloudFlare also has a good look and feel, but it still seems a bit outdated compared to today’s slick SaaS application designs. F5, on the other hand, is still in the appliance age in terms of UI/UX. Apart from the real-time monitoring part, its interface is outdated and resembles the configuration of an appliance rather than an intuitive cloud application. To summarize: both CloudFlare and Incapsula are easy to navigate. F5 is a little behind.
Deploying a new web server is easy with CloudFlare and Incapsula, and also with F5 Silverline despite its outdated user interface. Deployment of a new network, in contrast, is easiest with Silverline where you self-service wise insert your network, and submit it for their NOC for review and final confirmation. With Incapsula it is a full service only – you can add new network by requesting it from their support.
Blocking an IP is easy and simple with all vendors. However, when you want to block a URL, CloudFlare requires that you request it from their support, which seems a hassle for such a simple action. Same for creating a signature. Incapsula is leading here with its simple yet expressive IncapsRules. F5 offers its famous iRules, which are the most expressive but more technical. In Customer Signatures CloudFlare has the upper hand as its rules are visible and configurable. With Incapsula you get the rules as black-box.
F5 and Incapsula monitoring is excellent – granular, shows well normal traffic versus attack traffic. With Incapsula it took only 15 seconds for traffic to be displayed, which is very good for distributed cloud service.
Look and Feel
The overall user experience provided by a service – the graphical design, organization of data and ease of navigation. (read more) |
Excellent | Good | Basic | Incapsula’s look and feel is excellent, making the user experience both enjoyable and productive. | |
Ease of Navigation |
Excellent | Excellent | Basic | ||
Deployment |
|||||
New website (DNS) |
Excellent | Excellent | Basic | ||
New network (BGP) |
Full Service | Unknown | Excellent | ||
Security |
|||||
Block IP |
Excellent | Excellent | Excellent | ||
Block URL |
Excellent | Full Service | Good | Oddly, blocking a URL in CloudFlare can be done only with a request to its support. | |
Web challenge |
Excellent | Excellent | Basic | ||
Signatures (vendor)
|
Blackbox | Excellent | Basic | CloudFlare is the only one to provide visibility and control of its own signatures. | |
Signatures (customer) |
Excellent | Full Service | Good | Incapsula user signatures ‘IncapRules’ are both powerful and intuitive to use. F5 ‘iRules’ are powerful but less intuitive. CloudFlare signatures are made only by its support. | |
Real-Time Reporting |
|||||
Real traffic |
Excellent | Unknown | Excellent | ||
Blocked traffic |
Excellent | Unknown | Excellent | ||
Response time |
Excellent | Unknown | Unknown | ||
Events |
CloudFlare event methods are partial. | ||||
Web logs |
Excellent | Excellent | Excellent | ||
|
|||||
Call |
|||||
Syslog |
|||||
REST |
|||||
ForensicsDDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity.
ARE YOU READY?Answer seven online questions and get a free report assessing your protection status with recommendations for improvement |
F5 is the only vendor to provide decent forensics by providing capture files (real-time and per event). | ||||
Detailed alert |
Excellent | Excellent | Excellent | ||
Event capture file |
Good | ||||
RT capture file |
Full | ||||
Score |
77% | 69% | 65% |
Look and Feel
The overall user experience provided by a service – the graphical design, organization of data and ease of navigation. (read more) |
Excellent | Good | Basic | Incapsula’s look and feel is excellent, making the user experience both enjoyable and productive. | |
Ease of Navigation |
Excellent | Excellent | Basic | ||
Deployment |
|||||
New website (DNS) |
Excellent | Excellent | Basic | ||
New network (BGP) |
Full Service | Unknown | Excellent | ||
Security |
|||||
Block IP |
Excellent | Excellent | Excellent | ||
Block URL |
Excellent | Full Service | Good | Oddly, blocking a URL in CloudFlare can be done only with a request to its support. | |
Web challenge |
Excellent | Excellent | Basic | ||
Signatures (vendor)
|
Blackbox | Excellent | Basic | CloudFlare is the only one to provide visibility and control of its own signatures. | |
Signatures (customer) |
Excellent | Full Service | Good | Incapsula user signatures ‘IncapRules’ are both powerful and intuitive to use. F5 ‘iRules’ are powerful but less intuitive. CloudFlare signatures are made only by its support. | |
Real-Time Reporting |
|||||
Real traffic |
Excellent | Unknown | Excellent | ||
Blocked traffic |
Excellent | Unknown | Excellent | ||
Response time |
Excellent | Unknown | Unknown | ||
Events |
CloudFlare event methods are partial. | ||||
Web logs |
Excellent | Excellent | Excellent | ||
|
|||||
Call |
|||||
Syslog |
|||||
REST |
|||||
ForensicsDDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity.
ARE YOU READY?Answer seven online questions and get a free report assessing your protection status with recommendations for improvement |
F5 is the only vendor to provide decent forensics by providing capture files (real-time and per event). | ||||
Detailed alert |
Excellent | Excellent | Excellent | ||
Event capture file |
Good | ||||
RT capture file |
Full | ||||
Score |
77% | 69% | 65% |
With Forensics, F5 has the lead. While all vendors provide informative alerts, F5 allows you to extract the capture of an alert [self-service], and take real-time capture files [full service]. Furthermore, the customer can open a chat on an alert and discuss it with the SOC and peers.
CloudFlare, Incapsula and F5 do not provide official pricing for their Enterprise service, so you’ll have to request a quote.
F5 pricing model is a fully Customer Oriented Pricing Model. The factors that determine the price are (a) clean traffic rate, (b) number of web sites and data centers and (c) on-demand versus always-on plan. Always-on customers do not pay extra for inclusive managed service, nor need to worry about attack data volumes.
Incapsula has a similar pricing model. The only difference is that it also differentiates prices based on traffic volume. This is a disadvantage as it puts customer in a difficult spot in make an educated decision about something that cannot be really estimated (see more under Customer Oriented Pricing Model).
CloudFlare pricing model was unavailable.
SMB Pricing | SMB Pricing is covered in the SMBs – CloudFlare Business vs Incapsula Business section. |
Additional Relevant Chapters:
Additional Relevant Chapters:
Stay up to day with the latest DDoS news
Error: Contact form not found.