At 3:00 a.m. that morning, an emergency call from the operations and maintenance team woke me up. A local government service platform had suddenly been paralyzed: every page was throwing CAPTCHA challenges, and citizens simply could not get anything done. Peak attack traffic reached 300 Gbps, and the traditional firewall folded like papier-mache. After that incident I understood completely: for a government service system, the CDN is not an acceleration tool but a life-or-death line of defense.
A government website and an ordinary business website are two completely different propositions. The adversary may be an offshore APT group eyeing the data, or it may be a script kiddie practicing. But the worst part is that the MLPS (等保) compliance requirements are written in black and white: any system handling citizens' private data must have anti-DDoS capability, web application protection, and full-link encryption. Miss one, and the acceptance review hands you a red card on the spot.
I have seen too many organizations fooled by unscrupulous vendors. They dare to deploy an ordinary commercial CDN in front of a government system, and then the security assessment discovers that not even the attack logs can be exported. The auditor's one line, "protection capability cannot be verified", wipes out half a year of work. Worse still, some CDN vendors' nodes are themselves non-compliant: the data takes a detour outside the country, and an MLPS Level 3 system drops straight to level zero.
A government high-defense CDN that can actually fight has to solve three things at once: first, absorbing massive attack traffic; second, an intact chain of compliance evidence; third, self-healing after failures in extreme conditions. Never mind how many CDN brands there are on the market; the ones that can do all three can be counted on one hand.
Start with anti-DDoS capability. For the CC attacks and TCP floods most common against government websites, traffic scrubbing alone is simply not enough. I found that many vendors' claims of terabit-level protection are heavily padded: they count only the data-center exit bandwidth, while single-node capacity may be under 50G. A real government-grade solution needs multi-level scrubbing like CDN5's: edge nodes first absorb roughly 80% of small-scale attacks, and only large-scale traffic is scheduled to the central high-defense scrubbing center. Last year, when a city's social security bureau was hit, the attack traffic spiked to 470G within seconds, and it was this layered design that held the line.
Web application protection is the real pain point. Government systems run a lot of aging middleware, and Struts2 vulnerabilities have become a traditional art form. A good WAF rule base must include government-specific signatures, such as brute-force protection for social security query interfaces and an SQL injection signature set for administrative approval systems. Some vendors just use generic rules to get by, and then legitimate filing requests get blocked: a citizen uploading a photo of an ID card actually triggered a "file upload vulnerability" alert. How is business supposed to continue like that?
MLPS compliance is the biggest pitfall. Assessors want to see at least six months of security logs, attack interception statistics, and emergency response records. The back ends of many CDN vendors simply cannot export a report in a format that meets MLPS requirements. Even more outrageous, some nodes, in order to "optimize speed", put HTTPS certificate decryption on offshore servers. If that is discovered, the data transmission counts as leaving the country and the whole project is rejected outright.
Stability is something I could rant about for three days and three nights. Last year a well-known vendor ran a "node optimization", quietly adjusting its routing strategy in the middle of the night, and government mini-programs in seven provinces lagged all at once. What government traffic fears most is unexpected rescheduling: you never know when a leader will be demonstrating the system at a meeting. Now I look at the fault isolation design. CDN07's "cellular disaster recovery" is a good example: when a physical node goes down, traffic is not rescheduled across the whole network but switched, under control, within the same-city active-active unit, so the business does not notice at all.
There are even more potholes at the configuration level. Many teams think turning on the WAF is enough, when in fact the default rules cannot even provide basic protection. A government system must have customized rules, for example limiting the same IP to a single call to the ID verification interface within any 10 seconds:
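An added illustration of that rule, written for this edit and not taken from the original post or any vendor's configuration: a sliding-window limiter that allows each source IP one request to the ID verification interface per 10 seconds and leaves other paths alone. The endpoint path and the sample requests are assumed/constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10                 # window stated in the text
MAX_REQUESTS = 1                    # one ID-verification call per IP per window
PROTECTED_PATH = "/api/id-verify"   # assumed path for the ID verification interface


class PerIpRateLimiter:
    """Sliding-window limiter keyed by client IP, applied only to the protected path.

    Only allowed requests occupy a slot in the window; blocked ones are not
    counted, so a client that keeps retrying is admitted again once the
    earlier allowed request has aged out of the window.
    """

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_REQUESTS, path=PROTECTED_PATH):
        self.window = window
        self.limit = limit
        self.path = path
        self.history = defaultdict(deque)   # ip -> timestamps of allowed requests

    def check(self, ip, path, ts):
        """Return True if the request is allowed, False if this rule blocks it."""
        if path != self.path:
            return True                     # this rule does not cover other endpoints
        q = self.history[ip]
        while q and ts - q[0] >= self.window:
            q.popleft()                     # drop timestamps that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def evaluate(requests, limiter=None):
    """Run a list of (ip, path, ts) through the limiter; returns the decision per request."""
    limiter = limiter or PerIpRateLimiter()
    return [(ip, path, ts, "allow" if limiter.check(ip, path, ts) else "block")
            for ip, path, ts in requests]


# Constructed sample traffic: timestamps are seconds relative to the first request.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "/api/id-verify", 0.0),    # first call from this IP: allowed
    ("203.0.113.7", "/api/id-verify", 3.5),    # repeat inside 10 s: blocked
    ("203.0.113.7", "/static/logo.png", 4.0),  # static asset, not covered by the rule
    ("198.51.100.2", "/api/id-verify", 4.0),   # different IP: its own window
    ("203.0.113.7", "/api/id-verify", 9.9),    # still inside the window: blocked
    ("203.0.113.7", "/api/id-verify", 10.0),   # window expired: allowed again
    ("203.0.113.7", "/api/id-verify", 12.0),   # blocked until 20.0
]

if __name__ == "__main__":
    for ip, path, ts, decision in evaluate(SAMPLE_REQUESTS):
        print(f"{ts:5.1f}s {ip:14} {path:18} {decision}")
```

Behind a CDN the `ip` fed to this check must be the client address the trusted CDN node forwards (for example in the header the vendor documents), never the TCP peer address, which is the CDN node itself.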
Don't forget certificate management. Government systems must use certificates based on the national commercial (SM) cryptographic algorithms, but many CDN vendors do not support SM2/SM3. Last year a city had an accident: it was using a U.S. vendor's CDN, the SSL certificate was suddenly revoked, and the city's health insurance system was paralyzed for two hours. Now the first three questions I ask a vendor are: Do you support the SM algorithms? Can the certificate be managed independently? Can the key be hosted in a hardware encryption machine?
When it comes to brand selection, only three categories on the market actually meet government needs: the "national team" like CDN5, whose compliance is unbeatable but whose price hurts; technology players like CDN07, whose intelligent scheduling is genuinely excellent but which needs deep customization; and cost-effective fighters like 08Host, solid on basic functions but charging extra for advanced features. Don't believe the "full-featured package" nonsense. The most pathetic contract I have seen counted "real-time log query" as a value-added service, another 200,000 a year.
Finally, a lesson learned in tears: always keep an emergency channel to the origin. After one unit cut all its traffic over to the CDN, the vendor suddenly upgraded its system and DNS resolution failed. Their operations team had hidden the origin IP so deep that even their own people could not find a backup access path. In the end we could only watch the system stay down for 6 hours. My team's mandatory requirement now: every CDN deployment must be configured with a backup CNAME, and a direct-to-origin drill is run once a month.
The traffic profile of a government system is also very particular. 9-11 a.m. is the peak for social security and health insurance access, 2-4 p.m. is concentrated administrative approval, and at month end every kind of filing system is saturated. A good CDN should be able to predict these peaks and scale elastically. Some vendors' "unlimited capacity expansion" is really a gimmick: when traffic actually surges they tell you a "fair use policy" has been triggered and throttle you outright. So the contract must spell out "guaranteed peak bandwidth" and "expansion response time".
Monitoring indicators need to be taken more seriously. For an ordinary website a bandwidth utilization figure is enough; a government system has to be monitored at the business level: successful ID verifications per second, average response time of the official document system, bounce rate of the online filing page. I once tested a vendor console that claimed real-time monitoring but actually had a 3-minute delay. During an attack, a delay like that is enough to let the system crash eight times over.
In the end the core issue is still the division of responsibility. Moving a government system to the cloud does not move the responsibility to the cloud. At one point some vendors passed the buck with "we only guarantee network-layer security; application-layer attacks are outside the scope of service". Now, before signing any contract, I have the legal department add this sentence: "All inbound traffic passing through the CDN node, regardless of which OSI layer the attack occurs at, falls within the scope of protection." Don't dismiss it; when something really happens, this is the clause that saves your life.
After all that, selection comes down to three principles: first, look for a successful case that has passed an MLPS assessment; second, run a real traffic stress test (do not trust a test environment provided by the vendor); third, check the contract's disclaimers for buried landmines. And a tip I'd like to share: log into the vendor's console after 10:00 p.m. If the node monitoring graph shows a large number of gaps, they are doing maintenance on the quiet, and that absolutely cannot be used for a new service system.
There is never a silver bullet in technology. Recently we have been helping a ministry upgrade its architecture and found that even with a top-tier high-defense CDN, it still needs to be paired with self-built edge nodes in a hybrid cloud architecture. For sensitive data exchange links in particular, we use CDN07 to accelerate static content plus a self-built encrypted channel to carry business data, which satisfies MLPS requirements while preserving the user experience. Some money cannot be saved, and some architectures must be redundant: that is the iron law of government system operations.
Now, every time you see the "national team certified" logo fluttering at the bottom of a government website, you know there are at least three layers of high-defense architecture behind it. The public will not care what black technology you use, but a one-second page lag gets complaints phoned in to the mayor's hotline. To be honest, choosing the right CDN is not a technical problem but a matter of political awareness. After all, nobody wants a supplier to drop the ball and then have to carry a rectification report into the leader's office for "tea" the next day, right?

