CloudLayer8 and Incapsula’s DDoS Infrastructure protection is enabled via GRE tunneling and leveraging border gateway protocol (BGP) routing. Infrastructure protection is an on-demand security service that safeguards critical network infrastructure from volumetric and protocol-based DDoS attacks, such as UDP, SMTP or SYN Floods, executed directly or via DNS/NTP amplification.

Infrastructure protection complements Incapsula’s other CDN-based services to provide web ops with a comprehensive solution that provides complete protection from all DDoS threats.

CloudLayer8 and Incapsula’s Infrastructure Protections offer:

  • Complete DDoS protection for all types of services (UDP/TCP, SMTP, FTP, SSH, VoIP, etc.)
  • GRE tunneling for smooth on-demand onboarding
  • DDoS protection for entire subnets or Individual IP addresses
  • Complete protection against direct-to-IP DDoS attacks

How it works:

Infrastructure Protection for Subnets

Infrastructure protection helps you protect all elements of your critical infrastructure (e.g. web, email, FTP) across entire subnet ranges.

In the event of an attack, traffic is re-routed through Incapsula’s scrubbing centers using BGP announcements. From that point on, Incapsula acts as the “ISP” and advertises all protected IP range announcements. All incoming network traffic is inspected and filtered, and only legitimate traffic is securely forwarded to the enterprise network via GRE tunneling.

Infrastructure Protection

Infrastructure Protection for Individual IP Addresses

Using this unique deployment model, Incapsula brings the benefits of infrastructure protection to customers who do not have an entire Class C subnet. This feature enables smaller organizations to protect multiple service types and protocols, even for a single IP address, without using BGP routing.

Customers receive a “protected IP address” from Incapsula, which inspects and filters all incoming traffic. A redundant, secure, two-way GRE tunnel is used to forward clean traffic to the origin IP and to return outbound traffic from the application to the users.

Individual IP address protection is ideal for gaming servers and SaaS applications, which have high-traffic, critical non-HTTP assets with low IP counts, as well as cloud deployments looking for direct-to-IP attack prevention.

Infrastructure Protection



The Infrastructure Protection service is built on top of Incapsula’s global network of high-powered data centers. Route advertisements are propagated from all data centers to create a “many-to-many” defense for incoming DDoS attacks.

Quick and Easy Implementation

Protection can be enabled on-demand for entire subnets. With the GRE tunnel in place, BGP routing is used to activate and deactivate the service on-the-fly, letting you quickly and easily respond to any type of DDoS attack. Protecting individual IP addresses is fully automated as traffic is persistently routed through Incapsula, ensuring immediate DDoS protection for your network infrastructure.

Unhindered Visibility

Legitimate incoming traffic passing through the Incapsula network is unaltered, ensuring that source IP address visibility remains intact. At the same time, all outgoing traffic is forwarded as normal to the ISP, minimizing the chance for any impact to your regular traffic flow.

Comprehensive Protection

Infrastructure Protection is fully compatible with Incapsula’s web application and DNS protection services. Together these form the most robust DDoS defense offering on the market, able to deal with highly-sophisticated threats and any possible DDoS-related security scenario.