Technical Evaluation

The technical evaluation of vendors is split into three categories:

Deployment options, mitigation capabilities, and user experience UX. The following table provides a top-level summary of all three categories; a detailed analysis can be found in each of the following sections.

DDoS-Intro-Image

The technical evaluation of vendors is split into three categories:

Deployment options, mitigation capabilities, and user experience UX. The following table provides a top-level summary of all three categories; a detailed analysis can be found in each of the following sections.

DDoS-Intro-Image

         

Deployment & Service Options

       

Cloud Protection

No posts could be found that matched the specified criteria.

       

On-premises Protection

On-premises DDoS protection is a term used in DDoS mitigation architecture to describe technologies positioned at customer premises typically an appliance or a virtual appliance inside the customer data center. On-premises is in contrast to cloud based protection. (read more)

       

Web Protection (DNS diversion)

No posts could be found that matched the specified criteria.

       

Infrastructure Protection (BGP diverstion)

No posts could be found that matched the specified criteria.

       

Fully Managed Service

No posts could be found that matched the specified criteria.

      F5 offers fully managed service.

Non-web protocols Support

No posts could be found that matched the specified criteria.

       

Number of Data Centers

No posts could be found that matched the specified criteria.

30 86 4  

SMB plans

No posts could be found that matched the specified criteria.

      On top of their Enterprise plan, CloudFlare and Incapsula offer lower-end plans for SMBs. see SMB Section

Overall Deployment Score

72% 69% 65%  

Mitigation Completeness

      CloudFlare mitigation is solid, but Incapsula and F5 are much more mature.

Reverse Proxy & Caching

No posts could be found that matched the specified criteria.

       

Web Challenges

No posts could be found that matched the specified criteria.

       

Signatures

No posts could be found that matched the specified criteria.

       

Blacklist/Whitelist

No posts could be found that matched the specified criteria.

       

Rate limit

No posts could be found that matched the specified criteria.

       

DNS Protection

No posts could be found that matched the specified criteria.

       

Overall Mitigation Score

96% 73% 100%  

UX and Reporting

      Incapsula User Experience (UX) is excellent, CloudFlare is also very good, F5 is basic.

Look and Feel

No posts could be found that matched the specified criteria.

Excellent Good Basic  

Easy of Navigation

Excellent Excellent Good  

Security Configuration

Good Basic Basic  

Security Events

Excellent Good Excellent  

Forensics

DDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity.

vDTP 05

ARE YOU READY?

Answer seven online questions and get a free report assessing your protection status with recommendations for improvement


Free DDoS Assesment

Basic Basic Excellent F5 has excellent DDoS Forensics.

Overall UX and Reporting Score

77% 69% 65%  
         

Deployment & Service Options

       

Cloud Protection

No posts could be found that matched the specified criteria.

       

On-premises Protection

On-premises DDoS protection is a term used in DDoS mitigation architecture to describe technologies positioned at customer premises typically an appliance or a virtual appliance inside the customer data center. On-premises is in contrast to cloud based protection. (read more)

       

Web Protection (DNS diversion)

No posts could be found that matched the specified criteria.

       

Infrastructure Protection (BGP diverstion)

No posts could be found that matched the specified criteria.

       

Fully Managed Service

No posts could be found that matched the specified criteria.

      F5 offers fully managed service.

Non-web protocols Support

No posts could be found that matched the specified criteria.

       

Number of Data Centers

No posts could be found that matched the specified criteria.

30 86 4  

SMB plans

No posts could be found that matched the specified criteria.

      On top of their Enterprise plan, CloudFlare and Incapsula offer lower-end plans for SMBs. see SMB Section

Overall Deployment Score

72% 69% 65%  

Mitigation Completeness

      CloudFlare mitigation is solid, but Incapsula and F5 are much more mature.

Reverse Proxy & Caching

No posts could be found that matched the specified criteria.

       

Web Challenges

No posts could be found that matched the specified criteria.

       

Signatures

No posts could be found that matched the specified criteria.

       

Blacklist/Whitelist

No posts could be found that matched the specified criteria.

       

Rate limit

No posts could be found that matched the specified criteria.

       

DNS Protection

No posts could be found that matched the specified criteria.

       

Overall Mitigation Score

96% 73% 100%  

UX and Reporting

      Incapsula User Experience (UX) is excellent, CloudFlare is also very good, F5 is basic.

Look and Feel

No posts could be found that matched the specified criteria.

Excellent Good Basic  

Easy of Navigation

Excellent Excellent Good  

Security Configuration

Good Basic Basic  

Security Events

Excellent Good Excellent  

Forensics

DDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity.

vDTP 05

ARE YOU READY?

Answer seven online questions and get a free report assessing your protection status with recommendations for improvement


Free DDoS Assesment

Basic Basic Excellent F5 has excellent DDoS Forensics.

Overall UX and Reporting Score

77% 69% 65%  

Technical Evaluation Analysis Summary

A Word on Pricing

Pricing is obviously a major factor in selecting a vendor.  Where possible we added the pricing of the portrayed services including pricing of SMBs plans and naked pricing factors for F5 and Incapsula. Unfortunately, vendor do not will to share their Enterprise prices and you will need to toil and get a quote from each one.

Deployment & Service Options

This section compares the cloud-based and appliance-based deployment options provided by vendors. This section, more than any other, contains items that are “deal breakers” for the customer and can scope out a vendor.

Cloud Deployment

Diversion Methods

When using a cloud-based protection service, the first question you should ask is how will your traffic traverse your provider data centers (or scrubbing centers, in DDoS jargon)? The first method is DNS diversion, also referred to as web protection. Another method is BGP diversion, also called infrastructure protection. F5 and Incapsula fully support these diversion methods. CloudFlare also claims to support it, but we did not have sufficient data to validate its extent.

There is another more specific diversion method for non-web protocols that only Incapsula and F5 support.

Service Features

Service level options are critical evaluation criteria for many organizations. When under attack (‘War Time’), all vendors will assume full responsibility and provide emergency response. In ‘Peace Time,’ CloudFlare and Incapsula mostly rely on self-service, whereas F5 provides fully managed service.

 

         

Diversion Method: DNS

No posts could be found that matched the specified criteria.

       

Always-on

No posts could be found that matched the specified criteria.

       

On-demand

No posts could be found that matched the specified criteria.

       

Non-web protocols

No posts could be found that matched the specified criteria.

(IP Protection)     Both vendors support non- web protocols.

Diversion Method: BGP

No posts could be found that matched the specified criteria.

       

Always-on

No posts could be found that matched the specified criteria.

       

On-demand

No posts could be found that matched the specified criteria.

       

Service Features

       

SSL support – HSM

No posts could be found that matched the specified criteria.

       

Emergency Response

No posts could be found that matched the specified criteria.

       

Fully managed service

No posts could be found that matched the specified criteria.

      F5 offers fully managed service.

Number of Data Centers

No posts could be found that matched the specified criteria.

30 see locations 86 see locations 4

see locations

No posts could be found that matched the specified criteria.

If you have acceleration needs, F5 is likely to be ruled out.

Entry Level

       

SMB plans

No posts could be found that matched the specified criteria.

      F5 and Incapsula offer a plan for SMBs
         

Diversion Method: DNS

No posts could be found that matched the specified criteria.

       

Always-on

No posts could be found that matched the specified criteria.

       

On-demand

No posts could be found that matched the specified criteria.

       

Non-web protocols

No posts could be found that matched the specified criteria.

(IP Protection)     Both vendors support non- web protocols.

Diversion Method: BGP

No posts could be found that matched the specified criteria.

       

Always-on

No posts could be found that matched the specified criteria.

       

On-demand

No posts could be found that matched the specified criteria.

       

Service Features

       

SSL support – HSM

No posts could be found that matched the specified criteria.

       

Emergency Response

No posts could be found that matched the specified criteria.

       

Fully managed service

No posts could be found that matched the specified criteria.

      F5 offers fully managed service.

Number of Data Centers

No posts could be found that matched the specified criteria.

30 see locations 86 see locations 4

see locations

No posts could be found that matched the specified criteria.

If you have acceleration needs, F5 is likely to be ruled out.

Entry Level

       

SMB plans

No posts could be found that matched the specified criteria.

      F5 and Incapsula offer a plan for SMBs

All-in-All Comparison – Cloud Deployment

The number of data centers can be essential. If you want the service to give you acceleration, only CloudFlare and Incapsula offer a CDN with 86 and 30 POPs, respectively. Even if improving acceleration is not a goal, it is still an advantage because it ensures that you will not suffer any performance degradation. It can also be important for regulatory compliance, for example, in cases in which you cannot use a POP outside your own country.

 

Entry Level

Budget is always a critical factor. If you cannot spend more than 5,000 USD annually on DDoS mitigation, only the CloudFlare Business and Incapsula Business plans targeting SMBs are suitable. (See more under the SMBs section.)

Appliance Deployment

Another way to implement DDoS mitigation is to use appliances: physical or virtual, DDoS dedicated or as a feature inside WAF or IPS. The report does not cover appliances, but it is important to know which vendor has them in case you go for a hybrid approach. F5 offers ASM (Application Security Module), while Imperva Incapsula offers Imperva SecureSphere. Both are WAF (Web Application Firewall) with DDoS capabilities.

         

Dedicated DDoS Appliance

No posts could be found that matched the specified criteria.

     

Physical Appliance

     

Virtual Appliance

     

WAF Appliance with DDoS

No posts could be found that matched the specified criteria.

    Both F5 and Imperva/Incapsula offer DDoS mitigation features on top of their WAF appliances: F5 with ASM and Imperva with SecureSphere.

Physical Appliance

     

Virtual Appliance

     
         

Dedicated DDoS Appliance

No posts could be found that matched the specified criteria.

     

Physical Appliance

     

Virtual Appliance

     

WAF Appliance with DDoS

No posts could be found that matched the specified criteria.

    Both F5 and Imperva/Incapsula offer DDoS mitigation features on top of their WAF appliances: F5 with ASM and Imperva with SecureSphere.

Physical Appliance

     

Virtual Appliance

     
         

Dedicated DDoS Appliance

No posts could be found that matched the specified criteria.

     

Physical Appliance

     

Virtual Appliance

     

WAF Appliance with DDoS

No posts could be found that matched the specified criteria.

    Both F5 and Imperva/Incapsula offer DDoS mitigation features on top of their WAF appliances: F5 with ASM and Imperva with SecureSphere.

Physical Appliance

     

Virtual Appliance

     

Technical Evaluation – Appliance Deployment

Mitigation

DDoS mitigation capabilities are the core of your decision. All vendors can block the majority of DDoS attacks. Nevertheless, there are some differences that are covered below. CloudFlare has significant security gaps because it lacks Rate Limit and its web challenges type is partial.

DDoS mitigation capabilities are the core of your decision. All vendors can block the majority of DDoS attacks. Nevertheless, there are some differences that are covered below. CloudFlare has significant security gaps because it lacks Rate Limit and its web challenges type is partial.

Proxy/Caching

All vendors offer web proxy with caching capabilities. This extremely basic technology is the most effective, and will block many attacks.

However, attackers are persistent today, and can find ways to pass this mitigation, foremost by attacking dynamic pages, leading us to the next most significant mitigation – web challenges.

Web Challenges

Ideally, we want the vendor to address the entire spectrum of challenges. F5 fulfills this demand completely! Incapsula is almost there, with one challenge (NoCAPTCHA ReCAPTCHA) missing. CloudFlare, on the other hand, has more gaps. It does not have the Cookie Validation, which in most cases is all you need to stop an attack with minimal impact on legitimate traffic.

         

Proxy / Caching

       

Reverse Proxy

No posts could be found that matched the specified criteria.

       

Caching

In DDoS mitigation, web caching is done by reverse-proxies which act in tandem as prominent line of defense by blocking attacks from reaching the web server. (read more)

       

Web Challenges

No posts could be found that matched the specified criteria.

      CloudFlare Web Challenges coverage is partial.

Cookie Validation

No posts could be found that matched the specified criteria.

       

JavaScript Challenge

No posts could be found that matched the specified criteria.

       

Silent Bot Detection

No posts could be found that matched the specified criteria.

       

Modern CAPTCHA

No posts could be found that matched the specified criteria.

       

CAPTCHA

No posts could be found that matched the specified criteria.

       

Signatures

No posts could be found that matched the specified criteria.

       

Vendor

No posts could be found that matched the specified criteria.

       

Customer

No posts could be found that matched the specified criteria.

       

Blacklist/Whitelist

No posts could be found that matched the specified criteria.

       

BL IP

       

BL URL

       

BL Geo-Protection

       

Whitelist

       

Rate limit

No posts could be found that matched the specified criteria.

      CloudFlare has a security gap in Rate Limit.

IP

       

URL

       

Geo-Protection

       

DNS

       

DNS Protection

No posts could be found that matched the specified criteria.

       

SCORE

96% 73% 100% CloudFlare mitigation is good, but F5 and Incapsula mitigation stack is excellent. This allows them to block attacks more accurately.
         

Proxy / Caching

       

Reverse Proxy

No posts could be found that matched the specified criteria.

       

Caching

In DDoS mitigation, web caching is done by reverse-proxies which act in tandem as prominent line of defense by blocking attacks from reaching the web server. (read more)

       

Web Challenges

No posts could be found that matched the specified criteria.

      CloudFlare Web Challenges coverage is partial.

Cookie Validation

No posts could be found that matched the specified criteria.

       

JavaScript Challenge

No posts could be found that matched the specified criteria.

       

Silent Bot Detection

No posts could be found that matched the specified criteria.

       

Modern CAPTCHA

No posts could be found that matched the specified criteria.

       

CAPTCHA

No posts could be found that matched the specified criteria.

       

Signatures

No posts could be found that matched the specified criteria.

       

Vendor

No posts could be found that matched the specified criteria.

       

Customer

No posts could be found that matched the specified criteria.

       

Blacklist/Whitelist

No posts could be found that matched the specified criteria.

       

BL IP

       

BL URL

       

BL Geo-Protection

       

Whitelist

       

Rate limit

No posts could be found that matched the specified criteria.

      CloudFlare has a security gap in Rate Limit.

IP

       

URL

       

Geo-Protection

       

DNS

       

DNS Protection

No posts could be found that matched the specified criteria.

       

SCORE

96% 73% 100% CloudFlare mitigation is good, but F5 and Incapsula mitigation stack is excellent. This allows them to block attacks more accurately.

All-in-All: Mitigation (application protection)

CloudFlare does not have Silent Human Investigation and, in case of a JS passing bot, you will be forced to escalate to intrusive NoCAPTCHA ReCAPTCHA. Another disturbing point is that the CloudFlare JS challenge is visible to the user. It informs the user that it is being challenged with an advertisement of CloudFlare at the same time. Not cool.

Signatures

All vendors offer both vendor signatures and user signatures. In vendor signatures, CloudFlare has the advantage because it lets you see and even tune them (while Incapsula and F5 signatures perform as a black-box). In user signatures, Incapsula has the upper hand due to the simplicity of signature creation, discussed in the next section.

Rate Limit

CloudFlare does not offer any Rate Limit-based mitigation, which is a significant security gap. Typically, it is not recommended to stop attacks with Rate Limit technologies because it can also “rate limit” legitimate users. However, in some scenarios it is still an important tool. One prominent example is to protect mobile API: Challenges are not efficient, as they often cannot be used with RESTful APIs. In these cases, Rate Limit can be your only savior.

BGP-Based Protection

In addition to Application Protection, also known as Web Protection, all vendors offer Network Protection (BGP-based). All vendors have a black-box approach without any visibility into the technologies being used or the ability to make any configurations.

UX and Reporting

Good User Experience (UX) is more than a nice-to-have feature. It determines how much of the existing functionality you will utilize, how quickly you will understand a security event, and how quickly you can respond while under attack.

All vendors provide a decent UX, but undoubtedly Incapsula has a clear lead over the others. Incapsula offers an excellent user interface, navigation, and look and feel. CloudFlare also has a good look and feel, but it still seems a bit outdated compared to today’s slick SaaS application designs. F5, on the other hand, is still in the appliance age in terms of UI/UX. Apart from the real-time monitoring part, its interface is outdated and resembles the configuration of an appliance rather than an intuitive cloud application. To summarize: both CloudFlare and Incapsula are easy to navigate. F5 is a little behind.

Deploying servers

Deploying a new web server is easy with CloudFlare and Incapsula, and also with F5 Silverline despite its outdated user interface. Deployment of a new network, in contrast, is easiest with Silverline where you self-service wise insert your network, and submit it for their NOC for review and final confirmation. With Incapsula it is a full service only – you can add new network by requesting it from their support.

Configuring security options

Blocking an IP is easy and simple with all vendors. However, when you want to block a URL, CloudFlare requires that you request it from their support, which seems a hassle for such a simple action. Same for creating a signature. Incapsula is leading here with its simple yet expressive IncapsRules. F5 offers its famous iRules, which are the most expressive but more technical. In Customer Signatures CloudFlare has the upper hand as its rules are visible and configurable. With Incapsula you get the rules as black-box.

Real-time Monitoring (RTM)

F5 and Incapsula monitoring is excellent – granular, shows well normal traffic versus attack traffic. With Incapsula it took only 15 seconds for traffic to be displayed, which is very good for distributed cloud service.

         

Look and Feel

No posts could be found that matched the specified criteria.

Excellent Good Basic Incapsula’s look and feel is excellent, making the user experience both enjoyable and productive.

Ease of Navigation

Excellent Excellent Basic  

Deployment

       

New website (DNS)

Excellent Excellent Basic  

New network (BGP)

Full Service Unknown Excellent  

Security

       

Block IP

Excellent Excellent Excellent  

Block URL

Excellent Full Service Good Oddly, blocking a URL in CloudFlare can be done only with a request to its support.

Web challenge

No posts could be found that matched the specified criteria.

Excellent Excellent Basic  

Signatures (vendor)

No posts could be found that matched the specified criteria.

Blackbox Excellent Basic CloudFlare is the only one to provide visibility and control of its own signatures.

Signatures (customer)

No posts could be found that matched the specified criteria.

Excellent Full Service Good Incapsula user signatures ‘IncapRules’ are both powerful and intuitive to use. F5 ‘iRules’ are powerful but less intuitive. CloudFlare signatures are made only by its support.

Real-Time Reporting

       

Real traffic

Excellent Unknown Excellent  

Blocked traffic

Excellent Unknown Excellent  

Response time

Excellent Unknown Unknown  

Events

      CloudFlare event methods are partial.

Web logs

Excellent Excellent Excellent  

Email

       

Call

       

Syslog

       

REST

       

Forensics

DDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity.

vDTP 05

ARE YOU READY?

Answer seven online questions and get a free report assessing your protection status with recommendations for improvement


Free DDoS Assesment

      F5 is the only vendor to provide decent forensics by providing capture files (real-time and per event).

Detailed alert

Excellent Excellent Excellent  

Event capture file

    Good  

RT capture file

    Full  

Score

77% 69% 65%  
         

Look and Feel

No posts could be found that matched the specified criteria.

Excellent Good Basic Incapsula’s look and feel is excellent, making the user experience both enjoyable and productive.

Ease of Navigation

Excellent Excellent Basic  

Deployment

       

New website (DNS)

Excellent Excellent Basic  

New network (BGP)

Full Service Unknown Excellent  

Security

       

Block IP

Excellent Excellent Excellent  

Block URL

Excellent Full Service Good Oddly, blocking a URL in CloudFlare can be done only with a request to its support.

Web challenge

No posts could be found that matched the specified criteria.

Excellent Excellent Basic  

Signatures (vendor)

No posts could be found that matched the specified criteria.

Blackbox Excellent Basic CloudFlare is the only one to provide visibility and control of its own signatures.

Signatures (customer)

No posts could be found that matched the specified criteria.

Excellent Full Service Good Incapsula user signatures ‘IncapRules’ are both powerful and intuitive to use. F5 ‘iRules’ are powerful but less intuitive. CloudFlare signatures are made only by its support.

Real-Time Reporting

       

Real traffic

Excellent Unknown Excellent  

Blocked traffic

Excellent Unknown Excellent  

Response time

Excellent Unknown Unknown  

Events

      CloudFlare event methods are partial.

Web logs

Excellent Excellent Excellent  

Email

       

Call

       

Syslog

       

REST

       

Forensics

DDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity.

vDTP 05

ARE YOU READY?

Answer seven online questions and get a free report assessing your protection status with recommendations for improvement


Free DDoS Assesment

      F5 is the only vendor to provide decent forensics by providing capture files (real-time and per event).

Detailed alert

Excellent Excellent Excellent  

Event capture file

    Good  

RT capture file

    Full  

Score

77% 69% 65%  

All-in-All: UX and Reporting

Forensic

With Forensics, F5 has the lead. While all vendors provide informative alerts, F5 allows you to extract the capture of an alert [self-service], and take real-time capture files [full service]. Furthermore, the customer can open a chat on an alert and discuss it with the SOC and peers.

Pricing

CloudFlare, Incapsula and F5 do not provide official pricing for their Enterprise service, so you’ll have to request a quote.

F5 pricing model is a fully Customer Oriented Pricing Model. The factors that determine the price are (a) clean traffic rate, (b) number of web sites and data centers and (c) on-demand versus always-on plan. Always-on customers do not pay extra for inclusive managed service, nor need to worry about attack data volumes.

Incapsula has a similar pricing model.  The only difference is that it also differentiates prices based on traffic volume. This is a disadvantage as it puts customer in a difficult spot in make an educated decision about something that cannot be really estimated (see more under Customer Oriented Pricing Model).

CloudFlare pricing model was unavailable.

SMB Pricing SMB Pricing is covered in the SMBs – CloudFlare Business vs Incapsula Business section.

Additional Relevant Chapters:

Additional Relevant Chapters:

     

Newsletter

Stay up to day with the latest DDoS news

Error: Contact form not found.