Barracuda Networks has added a new DDoS protection service to its Web Application Firewall (WAF). The new feature, called Active DDoS Prevention (ADP), is designed to filter out volumetric attacks against Web application targets.
Rather than trying to separate legitimate packets from DDoS traffic on the device itself, customers change the DNS record on the firewall to point to cloud-based filters operated by Barracuda. That means a customer’s traffic will pass through a Barracuda PoP before being sent to the WAF.
Barracuda says it has PoPs across North America, so organizations can point their traffic toward the nearest geographical location to reduce latency. The service will not apply any filters to traffic until an attack is detected.
For customers worried about the privacy implications of directing all their Web traffic through a Barracuda service, the company notes the cloud service does not terminate SSL/TLS sessions, so no traffic gets decrypted.
When an attack is detected, the cloud service employs mitigation techniques developed by Barracuda.
“Rather than just blocking clients and dropping packets, we try challenges based on the attack and protocol,” said Nitzan Miron, VP of Product Management, Application Security Services at Barracuda.
“If you’re a real human user, your traffic will pass the challenge. If you’re a bot, you’ll have a hard time passing that challenge.”
Web-Only DDoS Protection (For Now)
Because this DDoS mitigation service is tied to the Web application firewall, it will only protect Web applications. If, for example, a mail server is a DDoS target, the ADP service won’t help.
Miron said the company plans to expand protection over time, but it wanted to get the Web capability to market first.
ADP is available as a subscription, and is priced at 30% of the cost of the Web application firewall. So if you purchase a $5,000 Web app firewall, the ADP service would run you an additional $1,500 per year, per device.
The company does not charge extra based on the volume of an attack.
Barracuda says the service is available now.