Recently, several friends doing games and finance ran to ask me, saying that the company's business was hit by DDoS up and down, consider on the high defense CDN, but a check of the AWS quotation directly confused - this price in the end to prevent attacks or to attack my wallet?
To be honest, I also gasped when I first looked at AWS Shield Advanced's pricing. The monthly fixed fee starts at $3,000, not including traffic cleansing and elastic scaling fees. One time a customer was hit with 300Gbps, and when the bill shot up to five figures that month, the finance department almost thought they'd been hit by a multinational telecom scam.
Don't rush to be scared away.AWS high defense is expensive, but you have to understand its pricing logic. It's like buying insurance. You usually think you're paying for nothing, but you don't know if it's worth it until something happens. Their pricing is divided into three hidden levels: the basic protection fee is like an admission ticket, the data cleaning fee is the money for drinks, and the business expansion fee is simply the corkage fee.
The most pitiful thing I've found in my real-world testing is the elastic expansion fee. Many sales will not take the initiative to tell you that when the attack exceeds the capacity of the basic protection you purchased, the excess is charged in steps. Last year to help an exchange to do stress tests, simulated 800Gbps attack lasted half an hour, the expansion fee alone is enough to buy a server.
A more tawdry operation is resource-associated billing. As soon as you put your business behind an ELB or CloudFront, Shield automatically charges protection for those resources. I once slipped up and turned on protection for my test environment's ELB, and at the end of the month I found out that I had been charged an extra $800 - how many cups of coffee is that enough to buy?
Then again, AWS's global cleansing nodes are truly dominating. Distributed in 16 regional traffic scheduling centers, the maximum has seen a case of 2.3Tbps relief. Especially for international business, the response speed of the European and American nodes is not half a star faster than domestic vendors. But if your users are mainly in the territory, this is spending money to buy loneliness.
Now take a look at the domestic players. For example, the old CDN5, their home high defense packages are much more substantial:
The most critical thing is that domestic vendors generally use the ”guaranteed + elastic” model. Like CDN07's BGP line, usually 100G guaranteed protection, encountered a large flow of attacks automatically expanded to the T level, only according to the actual attack traffic billing. Last time, an online lending platform was hit, 3 hours to carry 400G attack, and finally only paid more than 800 expansion fees.
Another hidden advantage is the response speed of the domestic nodes. 08Host's East China node latency can be achieved within 15ms, while AWS Hong Kong nodes are generally more than 50ms. Don't look at just a few tens of milliseconds difference, on the game and real-time trading scenarios is a world of difference between lag and smoothness.
But don't believe in the ”unlimited protection” nonsense. A vendor boasts unlimited traffic uncapped, really encountered more than 800G attack directly to your black hole for three hours. Later I realized that the corner of the contract is written ”over 1Tbps attack has the right to start the emergency meltdown” - to put it in human terms is to directly pull out the network cable.
Now let's do a hardcore comparison. Let's assume responding to a 200Gbps sustained attack for 2 hours, cleaning traffic of about 180TB:
The difference is enough to buy another backup cluster. However, pay attention to the hidden consumption of domestic vendors: for example, CC protection to buy rule packages, log analysis separate charges, API call limitations and so on. Once a customer because of CC attacks triggered 20 million verification requests, additional charges more than 10,000 query fees.
My real-world advice is that if the user base is primarily overseas, using AWS Shield with CloudFront really saves money, especially for scenarios that require global acceleration. But be sure to set up cost alerts, and better yet, purchase a savings plan in advance - don't ask me how I know.
Purely domestic business directly choose local vendors more cost-effective. Like 08Host's hybrid program is very interesting: usually use their CDN acceleration, automatically scheduling to the high defense node when an attack occurs. Recently helped a live platform to deploy this program, the average monthly cost is lower than AWS 62%, latency is also reduced by 40%.
Finally, to reveal an industry secret: many domestic manufacturers of BGP lines are actually rented from the same group of rooms. But CDN5 has built two major cleaning centers in East China and South China, and the measured anti-connection exhaustion attacks are more than three times stronger than those of vendors who rent lines. These days, even CDN have to ”defense teammates”.
In fact, the choice of high defense is like a seat belt, not the more expensive the better, but to match the business scene. Financial classes choose T-level protection is not soft, ordinary enterprises with 200G package plus flexible expansion is more economical. The most important thing is to do in advance of the attack and defense drills - many failures are not protection is not good, but the switching strategy has not been rehearsed.
The next time you see a sky-high cloud bill, don't rush to meat pain, first calculate how much business downtime loss of one hour. I once helped an e-commerce customer to do the math: the cost of carrying a 500G attack is not enough to pay for the loss of 10 minutes of server downtime. This is the truth about the cost-effectiveness of high-defense CDN.
