Recently, customers always ask the same question: Baidu cloud high-defense CDN in the end is not reliable? To be honest, if this question was asked to me half a year ago, I may still have to flip through the document. But last month, our company's e-commerce business was hit by three waves of DDoS, the maximum peak rushed to 800Gbps, just to take Baidu cloud high defense to do a combat test - the results are well, a little interesting.<\/p>\n
First dump the conclusion: this is not a fairy product, but it does solve the pain points in specific scenarios. If you are being tormented by CC attacks to get up in the middle of the night to restart the server, or confused about which high defense service to choose, this test review should be able to give you some reference.<\/p>\n
First, high defense CDN in the end to prevent what?<\/strong><\/p>\n Many people think that buying a high-defense CDN will be able to rest easy, in fact, purely overthinking. I have seen the most outrageous case is an Internet financial company, bought the top configuration of the high defense but still be pierced - later found that the programmers of their own database ports exposed to the public network. So let's be clear: high defense CDN is mainly to prevent the application layer attacks (such as CC attacks, HTTP Flood) and network layer attacks (such as SYN Flood, UDP reflection), but can not prevent the business logic loopholes and weak password blasting.<\/p>\n Baidu cloud high defense traffic cleaning capacity is officially labeled as 2Tbps, I tested about 800Gbps mixed attack (SYN Flood + HTTP slow attack), the node did not go down. However, it should be noted that the cleaning process will have a delay of 5-10 seconds of jitter, for real-time transaction business to do a good job of timeout retry mechanism.<\/p>\n Second, there are more potholes in the configuration link than expected<\/strong><\/p>\n Do not believe the sales said \u201done key access\u201d. In practice, there are three modes of domain name resolution at the time of configuration: CNAME, NS, and A record. I strongly recommend using NS to take over the entire resolution, although it takes a few hours to change the NS record to take effect, but the subsequent scheduling accuracy is higher. Previously, when I used CNAME access, I encountered the problem of resolution cache, and users in a certain region were still dispatched to the source IP for two consecutive days.<\/p>\n Cache configuration is also a dark pit. The default static resource caching rules are extremely unfriendly to dynamic sites:<\/p>\n Third, the price strategy is a bit confused<\/strong><\/p>\n Baidu Cloud High Defense uses a double billing model for bandwidth + number of requests. The basic package starts at 20,000 per month (100Gbps protection + 5TB of traffic), and the number of requests exceeded is billed at 0.15 yuan per 10,000 requests. During one of our promotional activities, there were suddenly 2 million more requests, and the bill directly skyrocketed by 30,000 - later found out that the crawler was brushing the product details page.<\/p>\n Comparison of several other: CDN5 using unlimited number of requests but the bandwidth unit price is higher (1Gbps \/ month = 8000 yuan), CDN07 provides 300Gbps fixed protection but does not support elastic expansion. 08Host recent activities to pay 60% discount, but the number of nodes is only half of Baidu. To be honest, there is no perfect program, only suitable for not suitable.<\/p>\n Fourth, the real protection effect data<\/strong><\/p>\n Post a comparison of the data when our business was under attack:<\/p>\n One thing to note is that their default thresholds for CC protection are on the conservative side. I'd recommend tuning the rules first thing when you get an account:<\/p>\n V. Uneven quality of nodes<\/strong><\/p>\n Baidu Cloud has 2000+ nodes in China, but the quality of nodes in third-tier cities is significantly worse than that of Aliyun. Through 17Monitor's continuous monitoring, we found that the TCP retransmission rate of Foshan, Guiyang and other nodes occasionally spiked to 3% (normal should be less than 0.5%). Later, through the scheduling strategy to limit the important business in the TOP 10 city nodes, the delay immediately stabilized within 30ms.<\/p>\n Overseas nodes are even more sinkholes! Hong Kong nodes go PCCW line evening peak packet loss rate is amazing, the United States node latency is basically more than 200ms. If you want to do globalization business, it is recommended to use Baidu cloud anti-attack + CDN5 to do the combination of acceleration programs.<\/p>\n VI. Technical support response speed<\/strong><\/p>\n This is the point I want to gripe about the most. Ordinary problems work orders average 4 hours to reply, urgent attacks need to call to rush. In contrast to CDN07 provides 7 \u00d7 24 hours technical experts on site, 08Host even pull corporate WeChat seconds to pull the group response. However, Baidu Cloud has a hidden service: customers who consume more than 100,000 yuan in a month can be equipped with an exclusive architect, and we later compressed the problem response time to 20 minutes through this channel.<\/p>\n Seven, never ignore the return source protection<\/strong><\/p>\n I have seen too many enterprises only remember to use high defense to protect the entrance traffic, but forgot to shield the non-CDN nodes back to the source. There was a tragic case: the attacker got the real IP through the whole network scanning and directly penetrated the source station. Be sure to set up a whitelist in the server firewall:<\/p>\n VIII. Exactly what businesses are suitable?<\/strong><\/p>\n After three months of testing, I think Baidu cloud high defense is most suitable for these two types of scenarios: 1) the main business users are concentrated in the domestic medium-sized and large enterprises, especially in the education, government, financial industries that need to be filed; 2) the customers who have already used other Baidu cloud products (such as BCC, BOS), intranet interoperability can save a lot of traffic costs. If it is cross-border e-commerce or the pursuit of extreme latency gaming business, it is recommended to look elsewhere.<\/p>\n Finally, the truth: there is no program that can 100% prevent attacks. We later did a multi-CDN disaster recovery - Baidu cloud high defense as the main protection, CDN5 to do intelligent scheduling backup, the monthly cost increased by 40% but then did not appear the whole station downtime. Security is such a thing, usually think that the investment is a waste of money, when something really happens to realize that it is life-saving money.<\/p>\n (At the request of the vendor to hide some of the test data, but the core conclusions stand up to scrutiny. (If you want to see the specific traffic monitoring charts, you can send a private message to exchange - remember to specify the purpose of the message, recently there are too many reptiles to add the microblogging)<\/p>","protected":false},"excerpt":{"rendered":" Recently, customers always ask the same question: Baidu cloud high-defense CDN in the end is not reliable? To be honest, if this question was asked to me half a year ago, I may still have to flip through the document. But last month, our company's e-commerce business was hit by three waves of DDoS, the maximum peak rushed to 800Gbps, just take Baidu cloud high defense to do a combat test - the results are well, a little interesting. First dumping conclusion: this is not a fairy product, but it can really solve the pain points in specific scenarios. If you are being tortured by CC attacks in the middle of the night to get up and restart the server, or tangled in the choice of which high defense services, this test review should be able to give you some reference. First, high defense CDN in the end to prevent what? Many people think that buying a high-defense CDN will be able to rest easy, in fact, purely think too much. I have seen the most outrageous case is an Internet finance<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"gallery","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","footnotes":""},"categories":[150],"tags":[],"collection":[],"class_list":["post-993","post","type-post","status-publish","format-gallery","hentry","category-updates","post_format-post-format-gallery"],"_links":{"self":[{"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/posts\/993","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/comments?post=993"}],"version-history":[{"count":1,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/posts\/993\/revisions"}],"predecessor-version":[{"id":1132,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/posts\/993\/revisions\/1132"}],"wp:attachment":[{"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/media?parent=993"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/categories?post=993"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/tags?post=993"},{"taxonomy":"collection","embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/collection?post=993"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}