Recently I helped a friend's company deal with a DDoS attack. Standing in their server room, watching the lone anti-DDoS appliance flash red and blare its alarm, it struck me that many enterprise security leads have never really thought the question through: these days, should you be using a high-defense CDN or traditional anti-DDoS hardware?
Their million-dollar appliance was like an overloaded funnel: the entrance was clearly clogged, and business traffic could not get in at all. The technical team huddled around the machine for half a day and in the end could only watch the business go down. I have seen this scene too many times; many companies assume that once the hardware is bought everything is taken care of, and that is simply not the case.
Let's start with the essential difference
An anti-DDoS appliance is like the security door on your house: it sits at the egress point of the company's network, and all traffic has to pass through it for inspection. Its strength is control: you see the raw traffic, which suits intranet services that need deep inspection. But it has a fatal flaw: attack traffic and legitimate traffic share your uplink bandwidth, and once the attack volume exceeds the link capacity the entire network is paralysed before the appliance ever gets a chance to filter anything.
A high-defense CDN, by contrast, steers traffic into distributed scrubbing centres. Providers such as CDN5 run dozens of scrubbing nodes around the world; attack traffic is absorbed at the edge nodes, and only clean traffic is forwarded back to your origin server. I found that even when I encountered a 300Gbps mixed attack, origin bandwidth consumption did not exceed 100Mbps.
It's the cost comparison that counts
Buying an anti-DDoS hardware appliance means a first-year outlay of 80-2 million, not counting the 20% annual maintenance fee. What really hurts is that it needs full-time security engineers to run it, and recruiting them alone costs another three or four hundred thousand. Many companies never do this arithmetic and assume it is a one-off purchase.
A high-defense CDN, on the other hand, is pay-as-you-go. Take CDN07's flexible billing plan: 5TB of guaranteed monthly traffic plus on-demand billing for the excess, which keeps a small or medium-sized enterprise's monthly cost between 1-3 million. Even when a sudden attack incurs scrubbing charges, it is far more cost-effective than a self-built hardware setup. Last year an e-commerce promotion was hit by an attack while on the CDN plan, and the final bill was only 80,000 yuan; with self-built equipment, bandwidth expansion alone would have cost more than six hundred thousand.
Don't believe in the “all-in-one solution.”
Some vendors push a so-called "all-in-one solution", which in practice is just a CDN and a hardware appliance bundled together. I took one vendor's offering apart and found an old version of the hardware appliance deployed in the cloud, with serious performance degradation. Do not trust anyone boasting that a single appliance can defend against T-class attacks; in actual testing it could not even withstand a 200Gbps mixed attack.
A truly reliable solution would be a layered defense:
Web-facing services must sit behind a high-defense CDN; 08Host's global Anycast network, for example, disperses attack traffic effectively. Key business servers keep an anti-DDoS appliance as a second line of protection, and databases and internal systems get an additional layer of host-based protection. That way, even if one layer is breached, the others still hold.
See here for a sample configuration
Take Nginx + high-defense CDN as an example; the key is to protect the origin properly:
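As an added example (my own, not the article's configuration), this is the Nginx origin hardening I would pair with a high-defense CDN: only the CDN's scrubbing nodes may reach the origin, the real client IP is recovered from the CDN's forwarded header, per-client rate limiting runs on that recovered address, and anything that bypasses the CDN or probes the bare IP is dropped. The CDN address ranges, hostname, certificate paths and header name are placeholders to be replaced with the provider's published values.

```nginx
# Origin protection behind a high-defense CDN (added example, not the article's own config).
# Assumption: the CDN publishes its edge/scrubbing address ranges and passes the
# client address in X-Forwarded-For. All 192.0.2.x / 198.51.100.x ranges are PLACEHOLDERS.

# 1. Recover the real client IP, trusting the header only when the connection
#    comes from a CDN edge, so clients cannot forge their own address.
set_real_ip_from  192.0.2.0/24;       # PLACEHOLDER: CDN edge range A
set_real_ip_from  198.51.100.0/24;    # PLACEHOLDER: CDN edge range B
real_ip_header    X-Forwarded-For;
real_ip_recursive on;

# 2. Gotcha: after realip runs, $remote_addr (and therefore allow/deny) holds the
#    recovered client IP, not the edge IP. Check the actual TCP peer instead via
#    $realip_remote_addr, which still carries the connecting CDN node's address.
geo $realip_remote_addr $from_cdn {
    default           0;
    192.0.2.0/24      1;                # PLACEHOLDER: CDN edge range A
    198.51.100.0/24   1;                # PLACEHOLDER: CDN edge range B
}

# 3. Per-client rate limit keyed on the recovered address: a backstop for
#    application-layer floods that make it through the CDN's scrubbing.
limit_req_zone $binary_remote_addr zone=per_client:10m rate=20r/s;

# 4. Catch-all: requests without the expected Host header (bare-IP scans,
#    leaked-origin probes) are closed without any response.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    ssl_certificate     /etc/nginx/tls/fallback.crt;   # PLACEHOLDER
    ssl_certificate_key /etc/nginx/tls/fallback.key;   # PLACEHOLDER
    return 444;
}

server {
    listen 443 ssl;
    server_name www.example.com;                       # PLACEHOLDER: site hostname
    ssl_certificate     /etc/nginx/tls/origin.crt;     # PLACEHOLDER
    ssl_certificate_key /etc/nginx/tls/origin.key;     # PLACEHOLDER

    # 5. Only connections that physically arrive from a CDN edge are served;
    #    a direct hit on the origin address is dropped even if it was discovered.
    if ($from_cdn = 0) { return 444; }

    location / {
        limit_req zone=per_client burst=40 nodelay;
        proxy_pass http://127.0.0.1:8080;              # the application behind Nginx
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;       # now the recovered client IP
    }
}
```

Pair this with a firewall rule on the origin host that admits 80/443 only from the same CDN ranges, so the check in step 5 is defence in depth rather than the only gate.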
Hardware appliance policy configuration is more complex by comparison and has to be tuned per protocol:
My practical advice
Finance, government and other organisations that need absolute control are suited to hardware appliances, but they must staff a professional team for 7×24 operations and maintenance. Internet businesses, games, e-commerce and other public-facing services are better off going straight to a high-defense CDN; CDN5's intelligent scheduling in particular saves a great deal of grief.
The hybrid approach is the way to go: protect core business with hardware appliances as the backstop, and let a high-defense CDN carry the traffic for external services. After one listed company deployed this scheme, its annual DDoS protection cost fell by 40% and there were no more business interruptions.
Finally, a hard fact: 90% of enterprises simply do not need to build their own anti-DDoS protection. The money spent on staffing a team and buying equipment would buy ten years of CDN service, and a professional security company's threat intelligence and real-time defence rules are far more timely and effective than any rule base an enterprise builds itself.
There is an old saying in the security circle: don't throw manpower at problems that money can solve. Looking at technical teams who stay up all night staring at the protection console, I really want to tell them to leave professional work to professional products, sooner rather than later.

