Real-Time Event Monitoring
Under DDoS: Instant Access to Live Information
Disclaimer: The following is a description of an actual DDoS attack against one of Incapsula’s clients. To demonstrate
Incapsula’s new Real-Time reporting capabilities, this presentation makes use of actual screenshots and data from that
event. Some facts, like IP and URL addresses, were altered to preserve anonymity.
Maximum Security, Performance & Availability
Through an application-aware Global CDN platform,
Incapsula provides any website and web application with
best-of-breed Security, DDoS Protection, Load Balancing
& Failover solutions.
Incapsula’s Real-Time Event Monitoring feature supports
all of these services by providing Accurate Visibility of
Layer 7 Traffic Flow.
The following presentation uses data from an actual
DDoS attack to demonstrate some of the more typical
uses and benefits of Incapsula’s Real-Time Event
It Starts with an Email Alert…
The event starts with an email alert, reporting suspicious activity on our client’s site.
Incapsula’s Automated DDoS Protection was activated.
Right now, the site is under attack.
Real-Time: First Evaluation
Incapsula’s Real-Time Monitoring is the next “go-to” spot.
Immediately you can see that Incapsula is blocking 515 malicious HTTP requests per
second, which amount to 86% of all incoming traffic.
You can also see that response times of your servers are slightly higher than usual.
Real-Time: Servers’ Health & Activity
Using one of the available view options, you can now drill down to get a better picture of
server health and load distribution.
Both servers are active and the load distribution is even, which is good.
The next step is to get more information about the DDoS offenders…
Real-Time: DDoS Offenders’ Identity
The Session Report shown here provides you with the information you need.
You notice a suspiciously large chunk of traffic from outside the US.
There is also an abnormally high percentage of “Firefox” visitors. Although they use
browser user-agents, it looks like not all of them support JS or Cookies.
Real-Time: Tracking of Attackers’ Movement
The adjusted More button provides you with additional information about the offenders’
When you use it to review the latest blocked sessions, you notice that they all share the
same Entry Point: “/blog/”, an inactive, auto-generated URL.
Real-Time: List of Attacking IPs
By filtering the data stream to show only the Blocked traffic, you also get instant views of
the Top 5 attacking IPs.
The full list is accessible as well, with a click on the More button.
Real-Time: Instant Access to Live Actionable Data
Incapsula’s Real-Time Monitoring efficiently provides access to the most recent
information about security events, incoming traffic and servers’ activity.
In this case, literally in a matter of seconds, the website’s operator was able to collect
all of the information he needed to understand and react to the attack, including:
Information about malicious traffic volumes
Information about the attack’s impact on availability
Status report of origin server health
Overview of server load distribution
Updated list of the spoofed user-agents
Latest information about the attacker’s point-of-entry
Updated list of attacking IPs
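The same triage indicators (blocked share, top attacking IPs, shared entry point, browser user-agents that lack JS or cookie support) can be computed from raw session records. This is an added example, not Incapsula code or part of the original presentation; the JSON record format and its field names are assumptions, and the sample data is constructed.

```python
import json
from collections import Counter

# Constructed sample session records, one JSON object per line.
# Field names (ip, entry, ua, js, cookies, blocked) are assumptions.
SAMPLE = """\
{"ip": "203.0.113.7", "entry": "/blog/", "ua": "Firefox", "js": false, "cookies": false, "blocked": true}
{"ip": "203.0.113.7", "entry": "/blog/", "ua": "Firefox", "js": false, "cookies": false, "blocked": true}
{"ip": "203.0.113.7", "entry": "/blog/", "ua": "Firefox", "js": false, "cookies": true, "blocked": true}
{"ip": "198.51.100.22", "entry": "/blog/", "ua": "Firefox", "js": false, "cookies": false, "blocked": true}
{"ip": "198.51.100.22", "entry": "/blog/", "ua": "Firefox", "js": false, "cookies": false, "blocked": true}
{"ip": "192.0.2.5", "entry": "/blog/", "ua": "Firefox", "js": false, "cookies": false, "blocked": true}
{"ip": "192.0.2.80", "entry": "/", "ua": "Firefox", "js": true, "cookies": true, "blocked": false}
{"ip": "192.0.2.81", "entry": "/pricing", "ua": "Chrome", "js": true, "cookies": true, "blocked": false}
"""

def triage(lines, top_n=5):
    """Summarise a batch of session records into the indicators used during triage."""
    sessions = [json.loads(line) for line in lines.splitlines() if line.strip()]
    blocked = [s for s in sessions if s["blocked"]]

    # Share of all incoming sessions that were blocked, in percent.
    blocked_pct = round(100 * len(blocked) / len(sessions)) if sessions else 0

    # Top attacking IPs, counted over blocked sessions only.
    top_ips = Counter(s["ip"] for s in blocked).most_common(top_n)

    # Entry point, reported only when every blocked session shares the same one.
    entries = {s["entry"] for s in blocked}
    shared_entry = entries.pop() if len(entries) == 1 else None

    # Per user-agent: percentage of sessions that lack JS or cookie support,
    # i.e. clients claiming to be a browser without behaving like one.
    ua_total = Counter(s["ua"] for s in sessions)
    ua_incapable = Counter(s["ua"] for s in sessions if not (s["js"] and s["cookies"]))
    suspicious_uas = {ua: round(100 * ua_incapable[ua] / total)
                      for ua, total in ua_total.items() if ua_incapable[ua]}

    return {"blocked_pct": blocked_pct, "top_ips": top_ips,
            "shared_entry": shared_entry, "suspicious_uas": suspicious_uas}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```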
Real-Time: Enabling Data-Driven Decision Making
Incapsula’s Real-Time view provides accurate visibility into Layer 7 traffic.
Access to this live data enables data-driven decision making, as each piece of
data can be leveraged into tactical action that enriches and supplements Incapsula’s
automated DDoS Protection and Load Balancing solutions.
Explore this new screen to uncover more view options, which will support you through
a diverse array of security and server management scenarios…