Mr. Vandermeer continued, “Also, we wanted a system that’s smart enough to handle the logic that we wanted. We want to be able to throttle incoming traffic based on multiple conditions, such as user IDs for example.”

Many web security solutions offer DDoS protection, but most are based on simple IP tracking. These solutions can be defeated by common hacker tactics such as IP rotation. Mr. Vandermeer noted, “We were looking for a product that was smarter, so we could have more precise targeting and protection. We wanted to block attacks on our API, without a lot of false positives.”

After evaluating several security solutions, Formative chose Reblaze. Mr. Vandermeer said, “Most of the others were eliminated because their DDoS rules engine wasn’t sophisticated enough.

“Reblaze is more intelligent, and it has a powerful rules system. We can specify the conditions to filter requests, and we can define separate rules for different URLs. The key thing for us is that it’s more than just throttling based on IP addresses. That was probably the biggest difference from most of the other products out there, that it can filter traffic based on headers and other things.”

Although Formative’s initial motive was to protect their API against DDoS attacks, Mr. Vandermeer noted that Reblaze has other benefits as well, such as its advanced rate limiting module. “We were having sign-up floods, where one person would create hundreds of accounts. Or we’d have password-guessing attacks [where an attacker would try to take over accounts by brute-forcing a login form]. With Reblaze, we can set up throttling to prevent people from doing these things.”

Another plus is that Reblaze deploys either right in front of the protected environment, or even directly within the customer’s VPC. Mr. Vandermeer said,

“I don’t have to worry about adding latency, because my traffic isn’t going to someone else’s data center and then back to ours. We run Reblaze in the same AWS region and zone as our application.”

This also preserves data privacy, since traffic is not processed on external infrastructure.

Reblaze is a fully managed solution, maintained remotely by Reblaze personnel. Customers can manage their own deployments if they want, but many choose not to do so. Mr. Vandermeer said, “I actually don’t use Reblaze that much. We just set up the rules, and now, whenever we need a change, we don’t necessarily login to Reblaze ourselves. We just send in a support ticket, and the Reblaze team changes it for us.

“The support response times are good, generally within one business day. There are vendors where they’re supposed to have a one-day turnaround, but then things slip through the cracks and it takes several days instead. But Reblaze has always been on top of that.”

The Reblaze SOC also monitors Formative’s traffic for them. “And whenever they notice something suspicious, they reach out to us and tell us ‘we blocked these IP addresses’ or whatever. That’s nice to have.”

“Reblaze has a highly advanced product. They have good support. And it’s been trouble- free and smooth sailing.”