I remember last summer, when an old customer's e-commerce site suddenly went down. Not slow or laggy, but completely dead: users could not get in, every order hung, and even the admin backend would not log in. At first we assumed a server failure, but a look at the logs showed traffic had spiked to 200Gbps in an instant, a textbook DDoS flood. The customer was frantic, losing tens of thousands of dollars every hour. Site security is no joke these days; one lapse and you are knocked back to the stone age.
DDoS attacks, to put it bluntly, are hackers flooding your server with huge volumes of junk requests so that it is too busy to serve normal users. Common types are UDP floods and ICMP floods, plus the more insidious slow HTTP attacks that specialize in exhausting resources. I find many companies still rely on a traditional firewall to take the hit, but that only stops small skirmishes; against a large-scale attack it is like holding up an umbrella against a tsunami, purely for show. Why? Because the firewall sits at the front of the server, so the attack traffic overwhelms it directly, and the whole network goes down with it.
The root of the problem is that a single point of protection simply cannot absorb a distributed attack. Hackers now use botnets that mobilize hundreds of thousands of devices at once, and the traffic easily exceeds a hundred gigabits. Do not believe vendors who boast that “our own servers can withstand a 1T attack”; I have taken their setups apart, and most of it is false labeling. The real situation is that when the attack comes up, the CPU will explode first, the bandwidth will be occupied, and finally even the backup line will be blocked. This is not alarmist: last year the average size of global DDoS attacks rose 30%, and the largest single attack exceeded 2Tbps. Scary, isn't it?
So high-defense CDN has become the lifesaver. It is not simply a shield placed in front of the server; it disperses traffic across global nodes and scrubs malicious requests at the node nearest the user. The principle is quite clever: Anycast routes each user's request to the nearest CDN node, and if an attack is detected the traffic is redirected to a dedicated scrubbing center, where algorithms analyze packet structure in real time, discard the junk traffic, and pass through only legitimate requests. When I helped a customer migrate to a high-defense CDN, it measured resistant to 350Gbps mixed attacks, and site latency actually went down 20ms; that result beats swapping in ten servers.
How does it work? Take an HTTP flood as an example: a high-defense CDN uses a behavior analysis engine to watch request frequency. A normal user sends a few requests per second, but a zombie machine may fire off hundreds. Once the scrubbing center spots the anomaly, it immediately triggers a challenge mechanism, such as a pop-up CAPTCHA or a JS challenge, forcing the bots to show their true form. For configuration, you set the rules on the CDN provider's side. With CDN5, their console has ready-made templates that turn on basic protection with one click. But to customize it, you have to write some rules. Like this one:
The code may look simple, but in practice it can block 80% of automated attacks. Of course, capability varies widely between vendors. I compared three: CDN5, CDN07 and 08Host. CDN5 is strong on low latency, with more nodes in Asia and scrubbing latency kept to 50ms; CDN07 is a throughput beast, claiming to resist 800Gbps, but it is brutally expensive and suited to large financial enterprises; 08Host takes the cost-effective route, a few hundred dollars a month carries 200G, but it has fewer nodes, which shortchanges users in Europe and the United States. Do not believe those “unlimited protection” ads. I have tested them: once traffic exceeds the limit you are downgraded outright, and then it is too late to cry.
On configuration, high-defense CDN must also be used together with a Web Application Firewall (WAF). Blocking volumetric traffic alone is not enough; some attacks target the application layer specifically, such as SQL injection or XSS. A monitoring script I planted on the customer's site found that after scrubbing, 10% of the cunning requests still leaked through; those have to be picked off by WAF rules. As an example, set up rate limiting and geo-blocking:
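As an added illustration, not CDN5's console rules or any vendor's real configuration, here is a small Python edge classifier that applies the two behaviors described above: a per-IP sliding-window rate limit that escalates to a CAPTCHA/JS challenge, plus geo-blocking by source country. The IP-to-country table, thresholds, and log lines are all constructed for the example.

```python
# Added example (not the post's own CDN rules): per-IP sliding-window rate
# limiting that escalates to a challenge, plus geo-blocking by source country.
from collections import defaultdict, deque

RATE_WINDOW_SEC = 1.0         # sliding window length in seconds
RATE_LIMIT = 20               # requests per window before a challenge is issued
BLOCKED_COUNTRIES = {"XX"}    # constructed placeholder country code to deny

# Constructed lookup standing in for the CDN's GeoIP database
GEOIP = {"203.0.113.7": "JP", "198.51.100.9": "XX", "192.0.2.44": "HK"}


class EdgeFilter:
    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW_SEC):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)   # ip -> timestamps of recent requests

    def decide(self, ip, ts):
        """Return 'deny', 'challenge' or 'allow' for one request at time ts."""
        if GEOIP.get(ip) in BLOCKED_COUNTRIES:
            return "deny"                 # geo-block fires before rate logic
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                   # drop hits older than the window
        return "challenge" if len(q) > self.limit else "allow"


def parse_log_line(line):
    """Constructed log format: '<ip> <unix_ts> <request>'."""
    ip, ts, _request = line.split(" ", 2)
    return ip, float(ts)


def classify(lines, limit=RATE_LIMIT):
    """Run every log line through the filter; count (ip, decision) pairs."""
    edge, counts = EdgeFilter(limit), defaultdict(int)
    for line in lines:
        ip, ts = parse_log_line(line)
        counts[(ip, edge.decide(ip, ts))] += 1
    return dict(counts)


# Constructed access-log excerpt: a normal visitor, a bot burst, a blocked geo
SAMPLE_LOG = (
    [f"203.0.113.7 {1700000000 + i * 0.5:.1f} GET /" for i in range(4)]
    + [f"192.0.2.44 {1700000000 + i * 0.02:.2f} GET /" for i in range(30)]
    + ["198.51.100.9 1700000000.0 GET /admin"]
)

if __name__ == "__main__":
    for key, n in sorted(classify(SAMPLE_LOG).items()):
        print(key, n)
```

The normal visitor never exceeds the window limit, the bot is allowed its first 20 hits and then challenged, and the geo-blocked source is denied outright.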
With this combination, never mind hundreds of gigabits of traffic, even complex CC attacks can be held down. One thing to complain about, though: some vendors place their scrubbing centers too far away, for example US nodes handling Asian traffic, so latency soars to 200ms, at which point you are better off without the protection. So when choosing a CDN, be sure to look at node distribution. I prefer CDN5 because they have PoPs in Tokyo and Hong Kong, which keeps latency down.
The data speak most truthfully. In the cases I handled last year, sites behind a high-defense CDN averaged an attack mitigation rate above 99%, versus only 60% for self-built protection. CDN07 in particular carried a 720Gbps SYN flood in one test without the server CPU so much as flinching. But the price is the cost: monthly fees for such services range from a few thousand to tens of thousands; 08Host is cheap, but sudden traffic may get throttled. So do not be greedy for cheap; choose by business scale: small sites can transition with 08Host, big players go straight to CDN07.
In short (okay, the customary summary), high-defense CDN is not a panacea, but it really is the best current anti-DDoS solution. Its two core advantages: distributed pressure dispersion and professional scrubbing technology. How strong is the protection, you ask? The top tier can withstand terabit-level attacks, but the key is still daily configuration and monitoring. Remember to update rules regularly and run load-test drills, otherwise even the best CDN becomes window dressing. This industry is deep water and vendors brag a lot; if you really want to save money, find a reliable technology partner, or read more of this old hand's practical write-ups and take fewer detours.