Lately a lot of friends have been agonizing over which protection scheme to pick: high-defense CDN or high-defense server. Both claim to stop attacks, yet the prices differ wildly, so which one do you actually choose? Relax, as an old hand I'll break it down clearly for you today.
First, a blunt take: these days an ops engineer who doesn't understand deployment strategy is simply working for the attackers. I've watched too many companies blindly pile up hardware, burn the money, and still fall over the moment a real DDoS lands. Last year I helped an e-commerce company with incident response. They had bought a high-defense server at 30,000 a month, and 200G of traffic went straight through it; the boss nearly blew up my phone. With a different approach, a CDN absorbing the traffic plus a hidden origin server, the cost could have been cut by more than half.
A high-defense server is essentially a "tough guy". Think of it as a heavily armored tank: all the enemy fire converges on a single IP; hold it and you win, lose it and you're wiped out. The upside is that your data stays fully under your control, which suits businesses that read and write the database heavily. The Achilles' heel is the single point of failure: once that IP is exposed, the attacker can concentrate every bit of firepower on it. I tested one brand of high-defense server rated at 800G of protection; in practice, 300G of UDP flooding overflowed the TCP handshake queue.
A high-defense CDN plays "roundabout tactics". Traffic is spread across global nodes, so attackers never touch your real server at all. It's like making the enemy face countless moving targets: knock one down and hundreds of spares remain. Providers like CDN5 can even scrub at TB scale, with redundancy built out of sheer node count. The downside is lower efficiency for dynamic requests; database-heavy interactions tend to pick up extra latency.
Here's a real scenario. A financial platform tried a high-defense server and a CDN07 package side by side. Under a CC (HTTP flood) attack, the high-defense server's CPU shot to 100% and the service stalled, while CDN07 filtered out 90% of the junk requests through human verification challenges and rate limiting. But they later found that putting the user login interface behind the CDN added 80ms of latency, the usual problem with dynamic resource handling.
So how do you choose? Remember one principle: lots of static content, go CDN; need compute, go server.
If your business is mostly static resources, such as a corporate website, blogs, or e-commerce product pages, pick a high-defense CDN without a second thought. 08Host's BGP lines plus page cache optimization once took a customer of mine from 3 seconds of image load time down to 400 milliseconds, and under attack it switched to backup nodes automatically without users noticing anything. The pricing is absurdly good too: a few hundred dollars a month handles everyday attacks, far cheaper than keeping a high-defense server.
But if you need real-time computation, such as an ERP system or a database application, you still have to rely on a high-defense server. A CDN's round trip can exceed 200ms across continents, and users will clearly feel the "lag". One customer insisted on putting an OA system behind a CDN; employees kept hitting timeouts when submitting forms, and the fix was to move back to the high-defense server.
The advanced play is "hybrid deployment": the CDN carries the static traffic while the core data stays on the high-defense server. Here is a configuration example:
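The author's configuration example does not appear in this copy of the post. As an added illustration, not the original's config and not any vendor's, here is an origin-side Nginx fragment showing the split described above: static assets cached at the edge, dynamic paths rate limited and proxied to the app on the high-defense host, and the origin refusing anything that does not arrive from the CDN's address ranges. The hostname, file paths and the two edge ranges are placeholders.

```nginx
# Added example, not the post's own config: origin-side Nginx (http{} context) for a hybrid deployment.
# Assumptions: CDN edges reach the origin from the placeholder ranges below (documentation
# ranges, not a real vendor's); dynamic routes /api/ and /login/ go to an app on the high-defense host.

# Recover the client IP the CDN forwards, so rate limits count per real client, not per edge node.
set_real_ip_from 203.0.113.0/24;
set_real_ip_from 198.51.100.0/24;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

# Origin hiding check. Pitfall: after realip runs, allow/deny would test the forwarded client
# address, so the actual TCP peer must be checked via $realip_remote_addr instead.
geo $realip_remote_addr $from_cdn {
    default 0;
    203.0.113.0/24 1;
    198.51.100.0/24 1;
}

# CC (HTTP flood) mitigation for dynamic paths: 10 requests/s per client with a small burst.
limit_req_zone $binary_remote_addr zone=dyn:10m rate=10r/s;

server {
    listen 443 ssl;
    server_name origin.example.com;                 # placeholder
    ssl_certificate     /etc/nginx/tls/origin.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/origin.key;

    # Anyone who finds the real IP and connects directly is refused before reaching the app.
    if ($from_cdn = 0) { return 403; }

    # Static resources: long edge cache lifetime so the CDN absorbs this traffic.
    location ~* \.(css|js|png|jpg|jpeg|gif|svg|woff2?)$ {
        root /var/www/static;
        add_header Cache-Control "public, max-age=604800, immutable";
    }

    # Dynamic/core paths: not cached at the edge, rate limited, forwarded to the app.
    location ~ ^/(api|login)/ {
        limit_req zone=dyn burst=20 nodelay;
        add_header Cache-Control "no-store";
        proxy_pass http://127.0.0.1:8080;            # app on the high-defense host
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

Replace the two ranges with the list your CDN publishes and keep it current, since a stale list turns the origin check into an outage when the provider adds nodes.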
Cost control is the heart of the matter. A light business on CDN5's usage-based plan, with fewer than 5 attacks a month, may pay less than 1/10 of a server's cost. But under a sustained attack, some CDN vendors' "excess traffic charges" can stop your heart: one customer got hit with 2TB of traffic and the bill ran straight into five digits. So high-traffic businesses must choose a service like CDN07 with a "traffic cap", which automatically cuts off once the threshold is exceeded.
Finally, a word on the protection figures some vendors advertise: they are heavily padded. The spec sheet says 300G of protection, yet in actual stress tests packets start dropping at 200G. To judge real effectiveness you also have to look at scrubbing accuracy. 08Host's intelligent rules engine, for example, can recognize even slow attacks, while some cheap servers still rely on brute-force iptables rules, and a CC attack takes them down every time.
To sum up: don't believe in "one-trick pony" solutions. Of the cases I've handled, 70% of customers were better served by a high-defense CDN, 20% needed a high-defense server, and the remaining 10% had to go with a hybrid architecture. The essence of saving money is "putting good steel on the blade's edge": static resources go to the CDN to spread the load, core data stays on the server to protect performance, and intelligent scheduling ties the two together. Next time a salesperson brags about universal protection, shove this article in their face.

