Social app high-defense CDN protection solution: block API attacks effectively and keep images loading fast to improve the user experience

Recently, several friends who build social apps came to me saying that their API endpoints get hammered every day and image loading is so slow that users curse at them directly. Running a social product is not easy these days: competitors maliciously crawl data, extortion gangs flood the endpoints, the servers fall over under load, and the user experience hits rock bottom. I took a look at their architecture and, sure enough, there was a bare API server exposed directly to the public internet without even basic protection. That is just waiting to be hammered.

To be honest, the attacks social applications face are far more complex than most people imagine. API endpoints are exposed to CC attacks (HTTP floods), malicious registration, SMS bombing and content scraping, while static resources such as images and videos face hotlinking, slow-request attacks and bandwidth exhaustion. Relying on the origin servers alone to absorb all of this is simply unrealistic: add machines and the cost goes through the roof; don't, and the experience collapses. I have seen too many teams fall into the same trap during technology selection: they bought a high-defense IP and found image loading became painfully slow, or they used an ordinary CDN that could not stop precise attacks at the API layer.

A truly effective solution needs layered governance: API protection must be hard enough to tell normal users from malicious traffic, and resource delivery must be fast enough to guarantee a good experience for users worldwide. This requires combining the distributed scrubbing capacity and intelligent scheduling of a high-defense CDN, rather than just buying a big bandwidth pipe and calling it done. Below I draw on actual testing experience to discuss how to put this into practice.

Let's start with the core logic of API protection. Don't believe the "one-click protection" marketing: API attacks have long since evolved to imitate real human behaviour. In my experience, relying solely on per-IP frequency limits goes wrong very easily, especially for campus and enterprise networks that share a NAT egress, where one address carries thousands of legitimate users. The key is to build a picture from multiple dimensions: request timing characteristics, device fingerprints, the integrity of the API call chain, and even whether the sequence of calls makes sense for the business logic.

Take login endpoint protection as an example: beyond the usual per-IP rate limit, you must add a second layer of human verification. When the same IP initiates many login requests in a short period, trigger a slider CAPTCHA first; if the behaviour remains abnormal, require an SMS verification code. With this combination in place, 90% of credential-stuffing attacks can be knocked out. The following is the dynamic rate-limiting configuration we implemented at the Nginx layer:

But the Nginx layer can only do basic protection; finer-grained rules have to rely on the WAF. The mainstream high-defense CDNs on the market offer custom-rule functionality, and I compared two of them, CDN5 and CDN07; the gap in policy flexibility is very large. CDN5's rule engine supports Lua script extensions and can connect to real-time risk-control data, for example with this configuration:

CDN07's rule configuration is rather weak: the interface is fancy, but underneath it still relies on a traditional WAF rule set, which is basically ineffective against business-logic attacks. 08Host's recently added edge functions are a bright spot: they run JavaScript logic directly on the CDN node to implement business risk control, for example "if the same user follows more than 100 people within 5 minutes, automatically trigger verification".

Image resource protection is another story. Image loading speed in a social app directly affects retention, but under heavy traffic it is easily dragged down by hotlinking and DDoS attacks. My suggestion is to completely separate dynamic and static traffic: APIs go over high-defense lines, images and videos over acceleration lines. Many people try to save effort by accelerating the whole site, and the result is that API responses get cached and users are served stale or mismatched data.

The best approach is to split the business across different domain names: api.yourapp.com points to the high-defense CDN and img.yourapp.com points to a pure acceleration CDN. That way attack traffic does not crowd out image bandwidth, and the configuration can be tuned for each scenario. Remember to turn on hotlink protection and token authentication for the image domain, so that nobody can treat your image host as a free lunch:

The caching strategy also has to be carefully designed. Small files such as avatars and emoticons can have a long cache time (30 days or more), and feed images are best cached in tiers by popularity: hot content stays on the edge nodes and cold content is fetched from the origin. I tested CDN5's smart cache pre-warming, which pushes content expected to go viral to the edge nodes in advance, and image loading latency dropped by 40% during evening peak hours.

The mobile network environment is complex, so protocol optimisation also has to be considered. HTTP/3 performs significantly better than HTTP/2 in weak-network conditions, especially on 4G networks with high packet loss. However, enabling QUIC across the board is still costly at this stage, so I recommend piloting HTTP/3 on the image domain first and keeping the API domain on TCP to guarantee reliability. 08Host's HTTP/3 implementation is more stable and supports 0-RTT connection resumption, which is very friendly to mobile scenarios with frequent network switching. Keep in mind that 0-RTT early data can be replayed by an attacker, so it is only suitable for idempotent fetches such as images and must never be enabled for state-changing API calls.

You can't skip monitoring and alerting. I was once woken up in the middle of the night to handle an attack because I had not set up a bandwidth-surge alarm. Now I configure three layers of alerts in the CDN console: send a reminder when bandwidth exceeds 80% of the plan, automatically trigger elastic scaling when QPS is abnormal, and page someone directly when the 5xx error rate exceeds 1%. A truly reliable CDN provider should offer real-time attack reports; CDN07's attack analysis function, for example, does a good job of clearly displaying the attack type, source regions and top attacking IPs.

Finally, a word about cost control. High-defense CDN pricing has a lot of padding in it, so don't buy at the list price on the official website. Large volumes can be negotiated down to a contract price, usually 50-70% of list. If traffic is small, pay-as-you-go billing is more cost-effective, but watch out for bill explosions caused by traffic surges. One trick: put API traffic on the high-defense package and send images and videos through a cheap traffic package (such as 08Host's off-peak traffic package); the overall cost can be cut by 60% or more.

A perfect technical solution is useless without supporting processes. I recommend establishing a regular penetration-testing programme, with a comprehensive vulnerability scan at least once a month. New features must go through a security review before going live, focusing on endpoint idempotency and authorization checks. Strictly isolate the production environment and never let test database configuration reach production; I have seen this kind of basic mistake no fewer than ten times.

Ultimately, the essence of protection is finding a balance between experience and security. Block too aggressively and you kill real users; be too lenient and attackers exploit the loopholes. The best approach is multi-layered defence: edge nodes do coarse-grained filtering, the central cluster does fine-grained risk control, and client-side telemetry closes the loop. Don't expect a single-point solution; security is a continuous process of confrontation.

After many rounds of battle testing, the combination I now use is: CDN5 plus an in-house risk-control gateway for API protection, 08Host's intelligent scheduling network for image acceleration, and an additional layer of private encrypted transmission for important data. This architecture carries the load of a social application with ten million daily active users, with an API attack interception rate above 98% and image loading P90 within 800 ms. The key is that cost stays controllable and the architecture does not become over-complicated because of protection needs.

Talking on paper is cheap; to really stop attacks you have to keep iterating. I recommend quarterly attack-and-defence drills that simulate real attack scenarios to test the protection system. When new attack techniques appear, update the rules promptly rather than waiting for problems before remedying them. Remember: there is no absolutely secure system, only a defence strategy that keeps evolving.
