Recently, several friends doing social projects have run to ask me the same question: do you use a high-defense CDN in the end to support WebRTC ah? I've been hit by DDoS every day, and dare not directly expose the source station, real-time audio and video card into the PPT is almost scolded to death by the user.
To be honest, the first time I heard this question I almost sprayed my coffee on the screen, WebRTC is essentially a direct P2P connection, and the traditional CDN cache acceleration is not the same way. But ask more people, I realized that things are not so simple - now a little bit of the scale of the social platform, who still dare to put the audio and video streams directly naked on the public network?
I was on the receiving end of this last year. At that time, the project was in a hurry to go online, and directly threw the TURN server on the public cloud, which was penetrated within three days of opening. The attacker pinpointed our media server IP, and the 300G per second traffic directly knocked the server room into a black hole. The scene was almost as if the entire data center had been digitally flooded.
The core of the problem is that WebRTC was originally designed for direct peer-to-peer connections, but the reality of the network environment is so complex that it's a headache to navigateThe NAT traversal failure rate is more than 30%, and corporate firewalls are the number one killer of audio and video streams. At this time it is necessary to rely on the TURN server to do transit - and this thing is just an IP exposure point.
What's even more disgusting is that WebRTC has a fatal flaw when establishing a connection: the ICE candidate address collection process exposes both intranet IPs and public IPs. i grabbed a packet and watched it once, and during the STUN negotiation process your server's IPs are transmitted across the network as if they were naked. Attackers don't even need to bother scanning, they can strip the media server IP directly from the handshake signaling.
This is the time for high defense CDN to come out. But traditional CDN vendors such as CDN07, their nodes are mainly optimized for HTTP/HTTPS, the support for the UDP protocol is simply touching. I have tested their nodes, WebRTC traffic past the delay directly doubled, packet loss rate of more than 15% is a common occurrence.
Instead, CDN5, which specializes in real-time communications, surprised me. All of their edge nodes support SRT and WebRTC protocols, and most critically, they have deployed specialized TURN proxy clusters around the world. Here's a schematic of their architecture:
Note that iceTransportPolicy is set to relay - this is the key to saving lives. Forcing all traffic to go through the TURN relay increases latency a bit, but completely hides the source IP. the average increase in latency is under 40ms, which is well within acceptable limits.
08Host's solution is more interesting. They got an intelligent routing system that can dynamically switch between UDP and TCP according to real-time network conditions. Telecom goes to TCP, Unicom goes to UDP, and the mobile network even uses the QUIC protocol. I deliberately tested in the evening peak, packet loss rate is always controlled below 3%:
This fake_ip_pool is cleverly designed - the edge nodes use virtual IPs to communicate with the source, and the real IPs are never exposed. Rotating the IP segments every 5 minutes is the equivalent of putting a camouflage suit on the server.
The effect of DDoS protection is even more exaggerated. Last month, we encountered a targeted attack against WebRTC gateway, 800,000 SYN packets per second dedicated to hit the TURN port. CDN5 cleaning center directly triggered intelligent protection, automatically scheduling the traffic to three different cleaning nodes. The final statistics show that only 0.3% of legitimate traffic was affected, and users were almost unaware of it.
However, it is important to note that not all high-defense CDNs really support WebRTC. some vendors simply forward UDP traffic, without even basic QoS guarantees. When testing, be sure to look at these key metrics: ICE connection success rate, end-to-end delay variance, and packet loss retransmission rate. I summarized a quick verification scheme:
Measurement data show that a good high defense CDN can make WebRTC P99 latency control within 200ms, 5 seconds connection success rate of 99.8% or more. In particular, the optimization of cross-border links in Asia, the delay from Hong Kong to Silicon Valley can be pressed to about 150ms, which is close to the level of dedicated data.
Looking back now, the combination of WebRTC and high-defense CDN is like double insurance for real-time communication. Both retain the low-latency advantage of P2P and gain the ability to protect the cloud. Especially for social platforms that are hard-hit, DDoS protection alone can save hundreds of thousands of dollars in bandwidth costs every year.
Finally, a lesson in tears: do not build your own TURN cluster to save money. My team tossed three months last year, the light flow cleaning equipment invested more than two million, the results of the protection effect is not as good as the professional CDN vendors. Now think about it really brain water, professional things should be given to professional guys to do.
So back to the original question: social high defense CDN support WebRTC? The answer is not only support, and must support. These days, real-time communication without protection is like running naked into the battlefield, just any script boy can be a shot to clear the stage. Choose the right CDN service provider, your audio and video business can really rest easy.
