Abstract: With the rapid development and application of information technology, industrial digitization and intelligence are deepening by the day, and enterprise information security and protection has been raised to an unprecedented level. After 10 years of technology development, Ali Cloud CDN has gradually built a three-dimensional edge + cloud security protection system. It covers full-link secure transmission, defense against common attack types at the edge, deployment of enterprise-exclusive resources, and content and operations security mechanisms, giving enterprises a secure network operating environment.

There are two core scenarios in CDN security protection: bandwidth congestion and resource depletion.

For attacks that congest the limited bandwidth at the entry point, the essential task is to hold the traffic. A CDN naturally has rich node resources: it uses its distributed network to disperse the attack across different edge nodes and returns traffic to the server after near-source cleaning.

For attacks that deplete resources, the essential task is to make the attack visible quickly and to block traffic carrying the corresponding features. CDN alone cannot solve this problem effectively. DDoS attacks must be detected intelligently and accurately through configuration on the CDN nodes, and the attack traffic must be automatically dispatched to DDoS high protection for traffic cleaning. In this case, users need to purchase a DDoS high-protection product.

Edge security system based on Ali Cloud CDN + cloud security

The edge security system based on Aliyun CDN still has acceleration as its core capability, but it is more than acceleration. Acceleration is the basis of the overall scheme. Built on the whole-site acceleration platform of Ali Cloud, it improves whole-site acceleration for sites that mix static and dynamic content through core technologies such as automatic dynamic/static separation, intelligent route selection, and private protocol transmission. On top of acceleration, it provides customers with rich security capabilities in six areas: edge application-layer security, network-layer DDoS defense, content tamper-proofing, full-link HTTPS transmission, high-availability security, and security compliance. From the point where customer business traffic enters the CDN product system until it returns to the customer's origin server, security is guaranteed across the full link, ensuring both the security and the acceleration of enterprise Internet business.

Edge security protection

Ali Cloud CDN has built a complete set of enterprise-level edge security capabilities, including DDoS mitigation, WAF, frequency control, IP/area blocking, machine traffic management, and accurate access control, to achieve full-stack protection from the network layer to the application layer. Without sacrificing the acceleration performance of the website, it fully guarantees the stability and security of customers' online business.

Every year, Ali Cloud security monitors nearly one million DDoS attacks on the cloud. Application-layer DDoS (CC attack) has become a common attack type, and attack methods are becoming more complex. At the same time, Web application security problems still account for a very large proportion of incidents. From user information leakage to promotion abuse by bonus hunters, these problems constantly test the security level of every industry and every Web application. To make the network platform that carries data transmission more secure and reliable, Ali Cloud CDN has been continuously consolidating its security capabilities.

1. DDoS mitigation

CDN can be linked with the DDoS high-protection product, while content in distribution scenarios continues to be delivered through CDN. When a DDoS attack occurs, the traffic in the area where the attack occurs can be scheduled to DDoS high protection for cleaning, effectively protecting the service quality of the business. Through this linkage scheme, massive DDoS attacks can be effectively cleaned, and flood attacks such as SYN, ACK, ICMP, UDP, NTP, SSDP and DNS floods can be perfectly defended against. In addition, based on the computing power and deep learning algorithms of the Aliyun FeiTian platform, DDoS attacks are predicted intelligently and traffic is switched smoothly to DDoS high protection without affecting business operation.

2. Machine traffic management

To counter malicious web crawlers, the CDN platform draws on the malicious IP library, malicious fingerprint library and similar data accumulated from Alibaba Group's own business. Using machine learning and anti-crawler models customized closely to business risk, it reduces the impact of crawlers and automation tools on website business, ensures the security of enterprise data, and protects the enterprise's core business value.

3. Frequency control

When a website is hit by a malicious CC attack and responds slowly, the frequency control function can block the offending requests to the website within seconds and improve the security of the website. Frequency control protects your Web site URLs from suspicious requests that exceed a set threshold. It supports a rich set of monitored objects, along with custom rules to define appropriate access thresholds. Once a set request threshold is reached, a custom response is triggered to deal with overly frequent access requests through a variety of means, such as blocking or challenging.

4. IP/area blocking

IP blacklists and whitelists are configured to identify and filter visitors, restricting which users can access CDN resources and improving the security of CDN. In addition, country blacklists and whitelists can be configured to help you block access requests from designated areas, addressing the high incidence of malicious requests from some areas.

5. Precision access control

Custom matching conditions can be defined to implement precise access control. Matching criteria let you check common HTTP fields (such as IP, URLs, headers, and so on) to meet the customization requirements of a business scenario. The feature describes the access requests to be captured by supporting rich request fields and diverse matching criteria. Once a request is matched, it triggers the action defined by the rule, such as challenge, observation, or blocking, to achieve precise access control.
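The frequency control and precise access control rules described above can be modelled as one small rule engine: match conditions on request fields, an optional per-object threshold within a time window, and an action of block, challenge or observe. This is an added example, not Ali Cloud CDN's implementation; `Rule`, `evaluate`, the rule names and the addresses are hypothetical and constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Rule:                # hypothetical rule model, not a CDN API
    name: str
    action: str            # "block", "challenge" or "observe"
    match: dict            # request field -> regex ("ip" takes a CIDR)
    key: tuple = ()        # monitored object for frequency rules
    threshold: int = 0     # 0 means plain access control, no counting
    window: float = 0.0    # sliding window length in seconds
    hits: dict = field(default_factory=lambda: defaultdict(list))

    def matches(self, req):
        for name, pattern in self.match.items():
            value = req.get(name, "")
            ok = (ipaddress.ip_address(value) in ipaddress.ip_network(pattern)
                  if name == "ip" else re.search(pattern, value))
            if not ok:
                return False
        return True

    def triggered(self, req, now):
        if not self.matches(req):
            return False
        if self.threshold == 0:
            return True
        k = tuple(req.get(f, "") for f in self.key)
        self.hits[k] = q = [t for t in self.hits[k] + [now] if t > now - self.window]
        return len(q) > self.threshold

def evaluate(rules, req, now):
    """Return (action, rule_name, observed_rule_names) for one request."""
    observed = []
    for rule in rules:
        if not rule.triggered(req, now):
            continue
        if rule.action != "observe":
            return rule.action, rule.name, observed
        observed.append(rule.name)   # observation: log only, keep evaluating
    return "allow", None, observed

RULES = [   # constructed: documentation address ranges, invented names
    Rule("deny-range", "block", {"ip": "203.0.113.0/24"}),
    Rule("watch-tools", "observe", {"user-agent": r"(?i)curl|python-requests"}),
    Rule("login-rate", "challenge", {"path": r"^/login"}, ("ip",), 3, 10.0),
]
```

Each request is a dict that always carries `ip` plus any fields the rules inspect; with `RULES`, the fourth `/login` request from one address inside 10 seconds is challenged, and the counter clears once the window has passed.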

6. WAF

Because of the distributed architecture of CDN, users obtain content by visiting the nearest edge node. With the edge node acting as this intermediate hop, the IP address of the origin server is effectively hidden and the access pressure on the origin is spread out. When a large-scale malicious attack arrives, the edge node serves as the first line of defense, which not only greatly disperses the attack intensity but also completes edge protection through the multiple security capabilities described above.

Ali Cloud CDN also integrates cloud WAF capability as the last layer of protection for the origin server. WAF inspects back-to-origin business traffic for malicious characteristics and protects against them, passing only normal, safe traffic back to the server. This prevents malicious intrusion into the website server, protects the core data of the enterprise business, and resolves server performance problems caused by malicious attacks. CDN WAF provides virtual patches for the latest vulnerabilities disclosed for websites, supplying quick-fix rules as fast as possible and relying on cloud security for rapid vulnerability response and repair.

Tamper-proof capability

Aliyun CDN provides enterprise-level full-link HTTPS plus tamper-proofing of node content to secure transmission across the full link from the origin server to the client. At the link transmission level, the HTTPS protocol is used to ensure that the link cannot be hijacked by an intermediary. On the node, files from the origin server can be verified for consistency. If the content is found to be inconsistent, it is deleted and retrieved from the origin again. The whole solution guarantees the security of content across the origin server, the link, the CDN node and the client, and provides a higher level of transmission security.
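A minimal model of the node-side consistency check described above: each cached file is compared with a digest from the origin and, on mismatch, deleted and pulled again. This is an added example, not Ali Cloud's code; the `Origin` and `EdgeNode` classes, the use of SHA-256, the origin digest lookup and the eviction of files that no longer exist at the origin are assumptions that go beyond what the page states.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class Origin:
    """Stand-in for the origin server: serves files and their digests."""
    def __init__(self, files):
        self.files = dict(files)
    def fetch(self, path):
        return self.files[path]
    def digest(self, path):               # assumed digest source, e.g. a manifest
        return sha256_hex(self.files[path])

class EdgeNode:
    def __init__(self, origin):
        self.origin = origin
        self.cache = {}                   # path -> cached bytes

    def get(self, path):
        if path not in self.cache:
            self.cache[path] = self.origin.fetch(path)
        return self.cache[path]

    def audit(self):
        """Check cached files against origin digests; return {path: status}."""
        report = {}
        for path in list(self.cache):
            try:
                expected = self.origin.digest(path)
            except KeyError:              # gone at the origin: stop serving it
                del self.cache[path]
                report[path] = "evicted"
                continue
            if hmac.compare_digest(sha256_hex(self.cache[path]), expected):
                report[path] = "ok"
            else:                         # inconsistent: delete, then pull again
                del self.cache[path]
                self.get(path)
                report[path] = "refetched"
        return report

# Constructed sample content.
ORIGIN = Origin({"/index.html": b"<h1>fares</h1>", "/app.js": b"console.log('v1')"})
```

The check is only as trustworthy as the channel the digest arrives on, which is why the page pairs it with HTTPS on the back-to-origin link.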

Exclusive resources to raise the enterprise security level

For large enterprises and other business scenarios with strong security requirements, Ali Cloud CDN provides exclusive resource solutions:

Customers can achieve physical isolation through security acceleration nodes that are built completely separately and deeply integrated with security functions, providing advanced single-node high-defense capability;

Exclusive IP resources are provided to isolate business security risk, so the business is not affected when others are attacked;

An independent scheduling domain per user is supported, so DNS attacks on one user do not affect others, with DNS Flood protection of one million QPS.

Holding the "production" security bottom line for content and platform

Based on artificial intelligence and massive sample sets, Ali Cloud trains deep learning recognition models that accurately identify pornographic scenes in images accelerated by CDN, and it can provide multi-level identification and flexible control schemes according to users' actual control needs. Overall pornography detection accuracy is above 99%, and it can replace more than 90% of manual review, greatly reducing the risk of violations.

By simplifying the security acceleration architecture, operations and maintenance personnel can more easily carry out one-stop self-service configuration and API control, with monitoring and alerting for daily attacks, full-link troubleshooting, automatic protection and a real-time panoramic view of data logs. In addition, the escort and assurance response system for large-scale events helps enterprise applications resist security risks and protects the stability of the system.

The Ali Cloud CDN platform has also passed compliance certifications including the national information security level protection 2.0, ISO9001 and PCI-DSS, and its evaluations in network security, data security, service security and other areas have been recognized by authoritative bodies worldwide.

Industry application cases

Business website – aviation promotion

A low-cost airline in Asia holds a large ticket promotion every quarter. With the Aliyun CDN+WAF architecture, it can rapidly block seat-occupying ticket booking requests. Through long-term, continuous analysis of seat occupation during promotion periods, the seat occupation rate is reduced to a relatively low level, ensuring the stability of business revenue.

Game company – games going overseas

Among the many Chinese game companies expanding overseas, one dark horse stands out. The company uses Aliyun DCDN to integrate its ultra-large-scale user experience, which lets it replace the all-Border Gateway Protocol (BGP) network resources of its origin servers with a single-operator network, reducing the bandwidth cost of the origin servers by more than 50%.

This article is original content from Aliyun and may not be reproduced without permission.