High-Defense CDN Solution for Financial Websites: Meeting Equal Protection Requirements While Optimizing Security and User Experience

I've had enough of being woken up by alarms at 3:00 a.m. On one side the business department is frantically calling to ask why the website won't open; on the other, operations is staring at the monitoring screen reporting that attack traffic is flooding in again. That is how plain and tedious the attack-and-defense war in the financial industry is. The biggest headache, though, is not the hackers: it is having to satisfy a pile of hard compliance indicators while also making access fast for real users, a task about as easy as teaching an elephant ballet.

Last year, a bank customer went through a Level 3 Equal Protection (MLPS) evaluation, and the assessors were blunt: "You have not isolated and accelerated static resources, your DDoS mitigation strategy shows no dynamic adjustment, and in a real large-scale attack you certainly would not hold." During the remediation period they were forced onto a traditional high-defense service, user complaints about latency soared, and the finance department nearly choked when it calculated the traffic bill. "Security" that sacrifices the user experience this way is self-deception.

In financial services, security and experience were never an either/or choice. Equal Protection 2.0 explicitly requires "business continuity and resource control capability": it is not enough to absorb the attack, normal users must also keep smooth access. I have tested several vendors' solutions and found that many so-called "high-defense CDNs" are really just a scrubbing service with a new shell: few nodes, rigid scheduling, and encrypted transport and cache optimization that were never tuned.

Later our team worked out a solution whose core idea is: intelligently schedule attack traffic to the scrubbing center while normal users connect directly to acceleration nodes; cache all static resources at the edge and send dynamic requests back to the origin over a private protocol; encrypt everything with TLS 1.3 plus certificate pinning to prevent man-in-the-middle hijacking. In testing it withstood 800Gbps of mixed attacks while first-screen load time fell 40%.

First, the implementation details of the Equal Protection requirements. Equal Protection 2.0 explicitly requires "anti-denial-of-service capability" at the application security level, but many organizations think that buying a high-defense IP settles the matter. That is a big mistake. Attacks today are all mixed-mode: CC attacks blended with TCP floods and even slow HTTP attacks, and traffic scrubbing alone cannot stop them.

Our configuration must be layered:

The first layer uses DNS scheduling for attack triage: malicious IP ranges are steered straight to the scrubbing center, while legitimate users resolve to the acceleration nodes. Do not use free DNS here; resolution latency and TTL instability will kill you. I recommend CDN07's intelligent DNS, which supports per-province and per-carrier resolution and can switch dynamically based on the origin's health.

The second layer is WAF protection at the edge nodes, with a rule base that must be updated in real time. I strongly recommend custom rules: for example, on the financial trading interface, cap the number of requests per second from a single IP and, when the cap is exceeded, present a CAPTCHA or block outright. Configuration example (based on Nginx):
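The following is an added Nginx configuration, not the post's own snippet, implementing the rule just described: a per-IP request-rate cap on the trading API, with over-limit requests diverted to a CAPTCHA challenge instead of a bare error. The zone names, the `/api/trade/` path, the limits, the hostname, the certificate paths and the two upstream addresses are all assumptions for illustration.

```nginx
# Added example: per-IP rate limiting for a trading API at the edge node.
# All names, paths and addresses below are placeholders.
http {
    # Shared memory zone keyed by client address: 20 requests/second per IP.
    limit_req_zone  $binary_remote_addr zone=trade_api:10m rate=20r/s;
    # Concurrent-connection cap per IP; catches slow-HTTP and CC-style floods
    # that stay under the request-rate limit but hold connections open.
    limit_conn_zone $binary_remote_addr zone=trade_conn:10m;

    # Reject with 429 rather than the default 503 so rejections are
    # distinguishable from origin outages in the logs.
    limit_req_status    429;
    limit_conn_status   429;
    limit_req_log_level warn;

    upstream origin_pool   { server 10.0.0.10:8080; }  # placeholder origin
    upstream captcha_service { server 10.0.0.20:8081; } # placeholder CAPTCHA backend

    server {
        listen 443 ssl;
        server_name trade.example.com;                  # placeholder hostname
        ssl_certificate     /etc/nginx/tls/fullchain.pem;  # placeholder
        ssl_certificate_key /etc/nginx/tls/privkey.pem;    # placeholder

        location /api/trade/ {
            # Allow a short burst of 40 without queueing; anything beyond the
            # burst is rejected immediately (nodelay) instead of being delayed.
            limit_req  zone=trade_api burst=40 nodelay;
            limit_conn trade_conn 50;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://origin_pool;
        }

        # Over-limit requests are sent to a challenge page; a client that
        # solves the CAPTCHA can continue, a script simply stops.
        error_page 429 = @challenge;
        location @challenge {
            return 302 /challenge/?next=$request_uri;
        }
        location /challenge/ {
            proxy_pass http://captcha_service;
        }
    }
}
```

Keying on `$binary_remote_addr` only works if the edge node sees the real client address; behind another proxy layer the key must come from the trusted forwarded-for header instead, or every user behind that proxy shares one bucket.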

The third layer is certificates and encrypted transport. Equal Protection requires "communication integrity": TLS 1.3 must be enabled and weak cipher suites disabled. Last year a brokerage was penalized for still using TLS 1.0. I also recommend adding HSTS preloading to prevent SSL stripping attacks. Olsen Cloud (08Host) CDN does this quite thoroughly, supporting custom cipher suites and OCSP stapling, which can cut latency by more than 20ms.
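As an added example (not a configuration from the post or from any vendor it names), this Nginx server block applies the third layer: TLS 1.0/1.1 refused, only AEAD cipher suites with ECDHE key exchange for TLS 1.2, OCSP stapling, and an HSTS header with the preload flag. The hostname, certificate paths and resolver address are assumptions.

```nginx
# Added example: TLS hardening for a financial site's edge node.
# Hostname, file paths and resolver are placeholders.
server {
    listen 443 ssl;
    server_name www.example-bank.com;                    # placeholder

    ssl_certificate     /etc/nginx/tls/fullchain.pem;    # placeholder
    ssl_certificate_key /etc/nginx/tls/privkey.pem;      # placeholder

    # TLS 1.0 and 1.1 are not listed, so handshakes offering only those fail.
    # TLS 1.2 stays for clients that cannot yet negotiate 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # TLS 1.2 suites: ECDHE (forward secrecy) + AEAD only. No CBC, no RSA key
    # exchange, no RC4/3DES. TLS 1.3 suites are all AEAD and are not selected
    # through ssl_ciphers with OpenSSL.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_ecdh_curve X25519:secp384r1;

    # Session resumption via a server-side cache; tickets are off because a
    # long-lived ticket key undermines forward secrecy if it leaks.
    ssl_session_cache   shared:TLS:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling: the server attaches the CA's revocation response to the
    # handshake so clients skip their own round trip to the OCSP responder.
    ssl_stapling            on;
    ssl_stapling_verify     on;
    ssl_trusted_certificate /etc/nginx/tls/chain.pem;    # placeholder
    resolver                127.0.0.53 valid=300s;       # placeholder resolver

    # HSTS for two years, covering subdomains, eligible for browser preload
    # lists. Submit to the preload list only once every subdomain serves HTTPS,
    # because removal from the list takes months.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    location / {
        proxy_pass http://origin_pool;                  # placeholder upstream
    }
}
```

Verify the result from outside, not from the config: an `openssl s_client -tls1` connection must be refused, and the `Strict-Transport-Security` header must appear on every HTTPS response, including error pages, which is what the `always` flag ensures.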

User experience optimization is the hidden test item. Financial websites carry dozens of JS/CSS files that rarely change, yet the traditional solution sends every request back to the origin, with high latency and heavy bandwidth consumption. My approach: static resources get content hashes and are cached permanently, while HTML files are cached at the edge for 5-10 seconds (to allow for dynamic content updates). Measured first-screen load dropped from 3s to 1.2s, and the annual bandwidth cost savings ran to millions.

The caching strategy should be fine-grained:
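An added Nginx edge-cache configuration (not from the post) that encodes the three-tier strategy described above: content-hashed static assets cached for a year, HTML cached for 5 seconds with request collapsing, and trading APIs never cached. The cache path, zone name, origin address and the hash-in-filename convention (`app.3f9c1a2b.js`) are assumptions.

```nginx
# Added example: fine-grained edge caching for a financial site.
# Paths, zone names and the origin address are placeholders.
http {
    proxy_cache_path /var/cache/nginx/edge levels=1:2 keys_zone=edge:100m
                     max_size=20g inactive=30d use_temp_path=off;

    upstream origin_pool { server 10.0.0.10:8080; }     # placeholder origin

    server {
        listen 80;
        server_name www.example-bank.com;               # placeholder

        # Tier 3: trading and account APIs are never cached anywhere.
        # "^~" makes this prefix match win over the regex locations below, so
        # /api/foo.html cannot fall into the HTML tier by accident.
        location ^~ /api/ {
            proxy_no_cache     1;
            proxy_cache_bypass 1;
            add_header Cache-Control "no-store" always;
            proxy_pass http://origin_pool;
        }

        # Tier 1: content-hashed assets (e.g. app.3f9c1a2b.js). A new build
        # changes the hash and therefore the URL, so the old object is simply
        # never requested again and no purge is needed.
        location ~* "\.[0-9a-f]{6,}\.(js|css|woff2|png|svg)$" {
            proxy_cache       edge;
            proxy_cache_valid 200 365d;
            # Trust this policy over whatever the origin sends.
            proxy_ignore_headers Cache-Control Expires;
            proxy_hide_header    Cache-Control;
            add_header Cache-Control "public, max-age=31536000, immutable" always;
            add_header X-Cache-Status $upstream_cache_status always;
            proxy_pass http://origin_pool;
        }

        # Tier 2: HTML cached for a few seconds. Under a flood of hits on the
        # home page, proxy_cache_lock collapses them into one origin fetch per
        # 5 s window, and stale copies are served while that fetch runs.
        location ~* "\.html?$|^/$" {
            proxy_cache           edge;
            proxy_cache_valid     200 5s;
            proxy_cache_lock      on;
            proxy_cache_use_stale updating error timeout;
            add_header Cache-Control "public, max-age=0, s-maxage=5" always;
            add_header X-Cache-Status $upstream_cache_status always;
            proxy_pass http://origin_pool;
        }

        location / {
            proxy_pass http://origin_pool;
        }
    }
}
```

The `X-Cache-Status` header (HIT, MISS, UPDATING, STALE) is what you check during a stress test to confirm the HTML tier is actually absorbing the flood rather than passing it to the origin.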

For dynamic acceleration we used CDN5's private protocol back to the origin, with TCP optimization plus multiplexing, twice as fast as traditional HTTP back-to-origin. For securities trading sites in particular, every 100ms shaved off order-interface latency lowers user churn by 7% (real data).

Don't believe in "one-click solutions." A well-known vendor boasts that its CDN adapts automatically to every scenario; when we tested it, node coverage was insufficient and western users were regularly scheduled onto eastern nodes. In the end we switched to a CDN07 converged plan: static resources on 08Host (cheap nodes), the core trading interface on CDN5's high-defense line, and scheduling driven by our own intelligent decision engine. The monthly bill fell 40% and the result was actually more stable.

Monitoring and logging must keep pace too. To satisfy the Equal Protection requirement that "security events can be traced", we built full-link log collection: every request log from the CDN layer through the WAF to the origin is streamed into the data lake in real time, and we use ELK to analyze attack patterns. Once we found that foreign IPs were always scanning interfaces at 2:00 a.m.; we promptly added human-verification rules and averted a data leakage incident.
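As an added example (not the post's own configuration), this Nginx snippet shows the edge-node half of full-link tracing: a JSON access log that ELK can ingest without a grok pattern, carrying the fields needed to spot the scanning pattern described above (client address, URI, status, TLS version, cache result, rate-limit verdict), plus a request ID forwarded to the WAF and origin so one Kibana query follows a request through every hop. The log path, origin address and header name are assumptions.

```nginx
# Added example: structured request logging for cross-layer traceability.
# Log path and origin address are placeholders.
http {
    # One JSON object per request. escape=json keeps user-controlled fields
    # (URI, User-Agent) from breaking the record with quotes or newlines.
    log_format json_trace escape=json
        '{"ts":"$time_iso8601",'
        '"req_id":"$request_id",'
        '"client":"$remote_addr",'
        '"method":"$request_method",'
        '"uri":"$uri",'
        '"status":$status,'
        '"bytes":$body_bytes_sent,'
        '"ua":"$http_user_agent",'
        '"tls":"$ssl_protocol",'
        '"cache":"$upstream_cache_status",'
        '"limited":"$limit_req_status",'
        '"upstream_ms":"$upstream_response_time"}';

    upstream origin_pool { server 10.0.0.10:8080; }     # placeholder origin

    server {
        listen 80;
        server_name www.example-bank.com;               # placeholder

        access_log /var/log/nginx/edge_access.json json_trace;

        location / {
            # The same 32-hex request id travels to the WAF and origin, which
            # log it too; joining on req_id reconstructs the full path of a
            # request in ELK. Preserve the real client address as well.
            proxy_set_header X-Request-ID    $request_id;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://origin_pool;
        }
    }
}
```

`$limit_req_status` is empty when no `limit_req` applies to the location and reads `REJECTED` when a request was dropped by the rate limiter, so a Kibana visualization of rejected requests bucketed by client and hour shows exactly the kind of 2:00 a.m. interface scanning the post describes, without any manual log reading.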

Lastly, a word on the chaos in this industry: some vendors package overseas nodes as "global acceleration" while actual latency soars past 300ms; so-called "unlimited protection" is often oversold bandwidth that gets black-holed the moment a large attack really arrives. I strongly recommend building your own test environment and stress-testing: simulate mixed attacks to observe the mitigation effect, and use WebPageTest to measure load speed from different regions.

Running a high-defense CDN in the financial industry is like fitting bulletproof glass to an armored car: it has to stop bullets without making the passengers feel boxed in. The balance lies in a layered architecture to absorb attack pressure, edge computing to improve the user experience, and data-driven iteration of strategy. Our customer solutions are now standardized: small and medium platforms get CDN07 whole-site acceleration + WAF; large exchanges get CDN5 high defense + 08Host static resource hosting. Equal Protection evaluations pass on the first attempt, and user complaints have dropped 80%.

There is no such thing as a one-time fix for security. Last month a new type of Memcached reflection attack emerged, and we adjusted the TCP parameter thresholds overnight. Vigilance and continuous iteration are the true meaning of financial security.
