Recently, an old customer found me crying, the site was a wave of DDoS attacks directly dry down, the loss of more than 100,000 orders, I looked at the logs, good guy, a million requests per second, these days, even the script boy began to use the botnet, it is really indefensible.
To be honest, do network security this line for more than ten years, I have seen too many enterprises because of the underestimation of the attack and fall head over heels, ordinary CDN, that stuff at best accelerate the content, really encountered large-scale attacks, as with the paper, high defense CDN is the king, but the selection of service providers like the challenge of the friends, a little inattentive to be pitched.
Why is a high-defense CDN so critical? I found that many enterprises thought that they bought a CDN to rest easy, the results of the attack, latency spike, service interruption, and even data leakage, the root lies in the service provider's infrastructure and protection strategy, such as the location of the cleaning center, bandwidth reserves, and intelligent routing capabilities, do not believe those who brag about the “unlimited protection” of the ads, the real world is not unlimited. The real world is not infinite? It's all a setup.
First of all, a pain point: DDoS attacks are getting cheaper and cheaper, the black market to rent a botnet, only a few hundred dollars a day, but for enterprises, downtime for an hour may lose millions, so high defense CDN must be able to carry a variety of types of attacks - from the SYN flood to the HTTP slow attack, have to have a targeted program.
I tossed no less than twenty service providers, from the configuration to real-world testing, summarized TOP10 list, which is not on paper, but based on real traffic data and customer feedback, the following I'll break up the rubbing talk, each advantage and disadvantage are spread out to say, to help you avoid the pit.
The first is CDN5, this guy I used three years, stability, no comment, the last time to help an e-commerce platform to carry 2Tbps attack, the whole process, their global node coverage, Asia and Europe latency are within 50ms, the key is to customize the rules are flexible, support for AI-based anomaly detection, configuration is simple, throw the section of the code on the line.
The actual test down, cleaning efficiency 99.9%, but the price is high, suitable for the enterprise with sufficient budget, don't choose the cheap version in order to save money, the protection will be discounted.
The second place to CDN07, this is a rising star, I started testing last year, surprise after surprise, the advantage of elastic expansion - attack traffic doubled, automatic expansion without charge, and node redundancy to do a good job, North America and Asia-Pacific region is outstanding, latency is pressed to less than 40ms, I recommended to a few gaming customers, the feedback is said to be fragrant.
However, CDN07's documentation is a bit of a mess and newbies may be grasping at straws, and it took me a bit of time to organize best practices, such as dynamically adjusting policies using their API.
The third is 08Host, the old vendors, the king of cost-effective, the basic package can carry 500Gbps attack, and customer service response fast, midnight problems can find people, I tested their Anycast network, routing optimization is very smart, to avoid single point of failure.
However, 08Host's nodes have weak coverage in Africa, so if your business focuses there, you'll have to use your discretion. Their console UI is a bit retro, but the functionality is solid and suitable for tech teams to toss around on their own.
The fourth place is CloudShield (fictitious brand), specializing in the financial industry, compliance is well done, support for GDPR and HIPAA, I helped a bank project selection, they passed the penetration test, the protection latency is as low as 10ms, but the price is sky-high, and it is only recommended for tycoon companies.
The fifth place is FastGuard, the advantage in the hybrid cloud solution, can be seamlessly integrated with AWS, GCP, I tested and found that their caching policy optimization cattle, reduce the pressure to return to the source, the cost of bandwidth control during the attack, configuration examples:
The downside is that there is a steep learning curve and you have to have a bit of a DevOps foundation.
Sixth is SecureEdge, this play zero trust architecture, not only anti-DDoS, but also integrated WAF and Bot management, I recommend to the e-commerce site, to reduce the harassment of crawlers, measured interception rate of 98%, but occasionally mistakenly blocked, you have to tune the rules.
Seventh is GlobalDefender, the number of nodes is amazing, more than 200 PoP, suitable for globalized business, latency balanced, I test the Southeast Asian traffic, the performance is stable, but the customer service support is slow, you have to wait for problems.
The eighth place is ShieldMax, cheap and big bowl, basic protection enough, cleaning capacity of 300Gbps, suitable for small and medium-sized enterprises, I help a few startups setup, the monthly fee is only a few hundred dollars, but the advanced features have to add money, don't expect to carry a national level attack.
The ninth is NetArmor, focusing on the Asia-Pacific market, China node optimization is good, filing support in place, I measured the domestic access speed fly up, latency 20ms, but the international traffic is general, suitable for business localization of the enterprise.
The tenth place is CyberShield, a new player with many innovative points, such as using blockchain to do traffic verification, I found low resource consumption when I tested it, but lack of maturity, less documentation, suitable for technical teams who love to taste.
To summarize, choose high defense CDN can not just look at the rankings, have to combine the business needs - traffic size, geographical distribution, budget, I recommend doing stress tests first, do not blindly sign an annual contract, from the monthly payment to try, remember, there is no once-and-for-all program, continuous monitoring and tuning is the king's way.
Finally, I spit sentence: the industry is too deep, some service providers blowing sky-high, the actual test on the stuffing, we must look more at the actual test data, less believe the sales talk, if you have a specific scenario, welcome to exchange, I help you to avoid the pit.
