Recently I helped a friend deal with a project that was being hit by DDoS and that he couldn't handle himself. I remembered to ask him, "Are you using a CDN without high defense?" He looked at me in confusion and asked back: "You can choose protocols on a high-defense CDN? Isn't it just a matter of pointing a domain at it and calling it done?" I nearly smashed the keyboard on the spot. These days there are still people who think a CDN is only for acceleration, and that defense and protocol support are just for show?
Honestly, protocol support isn't some metaphysical thing. I've seen too many people buy a high-defense service, get pierced because the protocol wasn't matched, and then curse the vendor as garbage. The real problem is that they don't understand their own business scenario: live streaming is pushed over RTMP, real-time communication runs over WebSocket, ordinary websites use HTTPS, and different protocols use completely different ports and encryption. If the CDN vendor only protects ports 80/443 for you, the other protocols never pass through a cleaning node at all, so what is the difference from running naked?
Start with HTTPS, the most basic case. But HTTPS support on a high-defense CDN and on an ordinary CDN are two completely different things. An ordinary CDN may only terminate SSL for you, while a high-defense CDN has to be involved in protecting the whole TLS handshake. I have tested CDN5's service, and it can even recognize abnormal packets inside encrypted traffic: for example, an IP that suddenly sends TLS handshake requests at high frequency directly triggers the rules and gets thrown into the black hole. Don't believe the "full protocol support" marketing; many vendors' HTTPS protection does no SNI detection at all, and goes mute the moment it meets ESNI (encrypted SNI).
When configuring HTTPS high defense, you also have to pay attention to how the certificate is deployed. I recommend two-way (mutual) certificate validation; it is a bit of a hassle, but it stops most attacks that rely on forged certificates. Here is an Nginx configuration example:
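The post's own Nginx snippet did not survive on this page; the block below is an added example, not the author's configuration, showing a server block with two-way certificate validation plus a TLS 1.2 floor and a modern cipher list. The hostname, certificate paths and origin address are placeholders.

```nginx
# Added example (not from the original post). Hostname, paths and the
# origin address are placeholders.
server {
    listen 443 ssl;
    server_name example.com;

    # Server certificate and key issued for the site
    ssl_certificate     /etc/nginx/certs/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/example.com.key;

    # Two-way (mutual) TLS: the client must present a certificate that chains
    # to this private CA. A missing or forged client certificate fails the
    # handshake before any request reaches the application.
    ssl_client_certificate /etc/nginx/certs/client-ca.pem;
    ssl_verify_client on;
    ssl_verify_depth 2;
    # Refuse revoked client certificates (keep the CRL file current)
    ssl_crl /etc/nginx/certs/client-ca.crl.pem;

    # Only modern protocol versions; TLS 1.0 and 1.1 handshakes are refused
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # AEAD suites with forward secrecy only; no RC4, 3DES, CBC or NULL suites
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # Session resumption cuts the cost of repeated full handshakes under load
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder origin
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Hand the verified client identity to the origin for auditing
        proxy_set_header X-Client-Cert-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Cert-Verify $ssl_client_verify;
    }
}
```

Test the result with a client that has no certificate and with one signed by a different CA; both must fail at the handshake rather than receive an HTTP response.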
Then there is RTMP, an old friend of the live-streaming industry. The key to high-defense CDN support for RTMP is isolating push nodes from pull nodes. Some vendors, to save costs, run push and pull on the same set of servers, so a single RTMP flood from an attacker brings down the whole live chain. A reliable setup, like CDN07's, puts the push nodes on their own high-defense cluster and does distributed acceleration on the pull nodes. When I measured their RTMP protection, the push nodes absorbed a 200Gbps flood attack while pull latency never exceeded 200ms.
WebSocket is the scenario that really tests a vendor's technology. This protocol is built on long-lived connections, so traditional protection strategies based on request frequency are basically useless. Attackers can build hundreds of thousands of WebSocket connections, leave them hanging, and still exhaust server resources. A good high-defense CDN like 08Host does connection behavior analysis: for example, an IP that opens a connection and then never sends a packet, or that sends more heartbeat packets per second than the threshold, gets its connection cut directly. It also has to validate the protocol upgrade, to stop attackers who disguise an HTTP flood as WebSocket handshakes.
Recently I also hit a pitfall: protection for WebSocket over TLS (WSS). Many vendors assume the same configuration as HTTPS protection will do, and the result is that the TLS handshake phase gets penetrated. I recommend configuring WSS to mandate a minimum TLS version of 1.2 and to disable weak cipher suites. I tested one vendor's default configuration and it still supported TLS 1.0, which I blacklisted on the spot.
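As an added example (not from the post or from any vendor named here), the Nginx WSS endpoint below applies the TLS 1.2 minimum and strong ciphers recommended above, refuses non-Upgrade requests to the WebSocket path, caps concurrent connections per client IP and closes connections that go idle. The hostname, paths, origin address and the limits are placeholders; the per-second heartbeat analysis described earlier needs the CDN's own engine and cannot be expressed in plain Nginx.

```nginx
# Added example (not from the original post). Hostname, paths and the
# numeric limits are placeholders.
# Track concurrent connections per client IP in a 10 MB shared zone
limit_conn_zone $binary_remote_addr zone=ws_per_ip:10m;

# Translate the client's Upgrade header into the Connection header the
# backend expects; a request without Upgrade gets "close"
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name ws.example.com;
    ssl_certificate     /etc/nginx/certs/ws.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/ws.example.com.key;

    # Same TLS floor as for HTTPS: WSS is only as strong as its handshake
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    location /ws {
        # A request to the WebSocket path that is not a WebSocket upgrade is
        # plain HTTP dressed up as WebSocket; refuse it instead of proxying it
        if ($http_upgrade != "websocket") {
            return 426;
        }

        # At most 20 open WebSocket connections per client IP
        limit_conn ws_per_ip 20;
        limit_conn_status 429;

        proxy_pass http://127.0.0.1:9000;   # placeholder origin
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Real-IP  $remote_addr;

        # A connection with no traffic in either direction for 60 s is closed,
        # so idle connections cannot accumulate and hold resources forever
        proxy_read_timeout 60s;
        proxy_send_timeout 60s;
    }
}
```

Legitimate clients must send application-level heartbeats more often than the idle timeout, so set the timeout above the client's heartbeat interval.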
Beyond these mainstream protocols, a few special scenarios are worth mentioning. For example, the UDP protocol commonly used in the gaming industry: a high-defense CDN has to support UDP flood protection. The financial industry may need private TCP protocols, and that depends on whether the CDN supports protection on custom ports. I have seen a securities trading system that used non-standard ports; the high-defense CDN it bought didn't inspect traffic on those ports at all, and it was paralyzed by a SYN flood before anyone thought of custom rules.
Don't just look at the price when picking a high-defense CDN. Here is some real-world comparison data:
Finally, a blunt take: network attacks these days have long moved beyond simple, crude ICMP floods. Attackers have started targeting protocol weaknesses with application-layer attacks, such as WebSocket slow-connection attacks and RTMP protocol obfuscation attacks. If the CDN vendor you choose hasn't even got protocol adaptation right, it is equivalent to opening the back door for the hacker and handing over the key.
When configuring a high-defense CDN, remember to sit in the management console and watch the traffic reports in real time. A good protection system clearly shows the attack types and mitigations for each protocol. Don't wait until your business collapses to check the logs; by then your customers will have left. Security is always better prevented than remedied after the fact.
I forgot a key point: protocol support also depends on how traffic goes back to the origin. Some CDNs advertise WebSocket support, but on the origin-fetch side they quietly downgrade to HTTP polling and latency explodes. Be sure to test with your actual business scenario before buying, or you are just spending money on nothing.
In short (tsk, couldn't resist saying "in short" again), protocol support for high-defense CDNs is definitely not a checkbox game. From HTTPS to WebSocket, each protocol has its own attack surface and protection points. When picking a vendor, you have to vet them seriously: protocol compatibility, protection granularity and performance loss, none of them can be skipped. After all, these days even a CDN has to "guard against teammates"; pick the wrong vendor and your teammate becomes the enemy, which is the scariest thing of all.

