I recently helped a customer through a DDoS event in which the attack peaked at 800G and took the origin server down outright. Their engineer called me in the middle of the night and asked, “Is there a reliable high-defense CDN we can connect to immediately?” This is already the third time this year I have heard a similar request for help. The market is full of high-defense products, but not many can really withstand traffic in the thousands of G; some even fly the “unlimited defense” banner, yet when an actual attack arrives the customer is dropped straight into a black hole for 48 hours.
I have tested at least 20 domestic CDNs, and I have fallen into more pitfalls than some vendors have marketing copy. Today I will get straight to the substance and, along three dimensions (defense effectiveness, acceleration performance and price traps), go through the five service providers that can really hold up.
Let's start by puncturing a few common illusions. Don't believe inflated headline figures such as “T-level defense”; what is really being tested is cleaning precision and how tightly the protection is coupled to your business. One vendor advertised 600G of defense, yet in actual testing 300G triggered a global black hole, while customer service kept saying “we recommend upgrading to the customized enterprise version”. Even more outrageous, some CDN “acceleration nodes” actually slow things down: users in the south are scheduled to nodes in the northeast, and latency soars straight to 200ms+.
Testing showed that a high-defense CDN has three core indicators: cleaning delay (which determines the user experience), elastic expansion capacity (to cope with unexpected traffic), and the intelligence of the rule base (to reduce false kills). The following five are tested and verified hardcore players:
The last big truth: there is no CDN that can prevent 100% of attacks. I have seen an extreme case in which an attacker with a budget of $200 leveraged 2000G of traffic; at that point you have to rely on architectural redundancy, that is, a multi-cloud strategy that spreads the business across 2-3 CDNs. Real protection effect = product capability × operation and maintenance level; even a good CDN is useless when the operations staff cannot read the monitoring.
If you really want to test, I recommend first opening a pay-per-use package and simulating attacks against it: for CC attacks, use pycurl to generate millions of requests; for DDoS, use scapy to construct malformed packets; then evaluate the node scheduling strategy and cleaning accuracy. Don't forget to check certificate compatibility and API stability; these are the issues that will kill you in the real world.
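One way to score such a trial against the indicators listed earlier, added here as an example rather than taken from the original post: it reads probes sent by a legitimate-traffic monitor before and during the test and reports cleaning delay, false-kill rate and cross-region scheduling at the 200ms mark. The record layout, region names and sample values are constructed for illustration.

```python
from statistics import median

# Constructed sample: probes sent by a legitimate-traffic monitor during a trial.
# Tuple layout (hypothetical): phase, user_region, node_region, latency_ms, blocked
PROBES = [
    ("baseline", "south", "south", 38, False),
    ("baseline", "south", "south", 41, False),
    ("baseline", "east", "east", 35, False),
    ("baseline", "north", "north", 44, False),
    ("baseline", "east", "east", 40, False),
    ("attack", "south", "south", 52, False),
    ("attack", "east", "east", 61, False),
    ("attack", "north", "north", 58, False),
    ("attack", "south", "northeast", 215, False),
    ("attack", "east", "east", 49, False),
    ("attack", "east", "south", 66, False),
    ("attack", "north", "north", 55, False),
    ("attack", "south", "northeast", 230, False),
    ("attack", "north", "north", None, True),
    ("attack", "east", "east", None, True),
]

def latencies(probes, phase):
    """Latencies of probes that were actually served in the given phase."""
    return [p[3] for p in probes if p[0] == phase and not p[4]]

def cleaning_delay_ms(probes):
    """Median latency added while traffic is being scrubbed, versus baseline."""
    return median(latencies(probes, "attack")) - median(latencies(probes, "baseline"))

def false_kill_rate(probes):
    """Share of legitimate probes the CDN blocked during the attack phase."""
    attack = [p for p in probes if p[0] == "attack"]
    return sum(p[4] for p in attack) / len(attack)

def misrouted(probes, threshold_ms=200):
    """(user_region, node_region) pairs served cross-region at or above the threshold."""
    return sorted({(p[1], p[2]) for p in probes
                   if not p[4] and p[1] != p[2] and p[3] >= threshold_ms})

if __name__ == "__main__":
    print("cleaning delay (ms):", cleaning_delay_ms(PROBES))
    print("false-kill rate:", false_kill_rate(PROBES))
    print("misrouted:", misrouted(PROBES))
```

Elastic expansion capacity is not covered here, since it shows up in the vendor's behaviour as attack volume grows rather than in per-probe records.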
Now you know why some vendors dare to sell defense at $1/G: either the resource pool is oversold, or the black-hole strategy is aggressive. Remember: the essence of a high-defense CDN is cost transfer. Vendors spend real money buying bandwidth and building cleaning centers, so when the price is too low there are only two possibilities: a technological breakthrough, or cut corners. Guess which is more common?

