Brief introduction: With the rapid development and application of information technology, industrial digitization and intelligence are deepening day by day, and enterprise information security and protection have been raised to a new level. After 10 years of technical development, Alibaba Cloud CDN has gradually built a three-dimensional "edge + cloud security" network protection system. It covers secure full-link transmission, defense at the edge against common attack types, enterprise-exclusive resource deployment, and operations and security mechanisms, giving enterprises a secure network operating environment.

There are two core scenarios in CDN security protection: congested bandwidth and depleted resources. For attacks that congest a limited bandwidth entry point, the essential task is to hold the traffic. A CDN naturally has rich node resources: it uses its distributed network to disperse the attack across different edge nodes and scrubs the traffic near its source before returning to the origin server. For the second kind, resource depletion, it is essential to make the attack visible quickly and to be able to block the corresponding features. The CDN alone cannot solve this problem effectively. DDoS attacks must be detected intelligently and accurately through the configuration of the CDN nodes, and attack traffic must be dispatched automatically to DDoS high protection for scrubbing. In this case, users need to purchase the DDoS high-protection product.

Edge security system based on Alibaba Cloud CDN + cloud security

The edge security system based on Alibaba Cloud CDN keeps acceleration as its core capability, but it offers more than acceleration. Acceleration is the basis of the overall solution. Built on Alibaba Cloud's whole-site acceleration platform, it improves acceleration for sites that mix static and dynamic content through core technologies such as automatic dynamic/static separation, intelligent routing, and private-protocol transmission. On top of acceleration, it provides customers with security capabilities in six areas: edge application-layer security, network-layer DDoS defense, content tamper-proofing, full-link HTTPS transmission, high-availability security, and security compliance. From the moment the customer's business traffic enters the CDN until it returns to the customer's origin, the full link is protected, so the enterprise's Internet business is both secure and accelerated.

Alibaba Cloud CDN has built a complete set of enterprise-level edge security capabilities, including DDoS mitigation, WAF, frequency control, IP/region blocking, machine traffic management, and precise access control, to achieve full-stack protection from the network layer to the application layer. It does this without sacrificing the website's acceleration performance, while fully guaranteeing the stability and security of customers' online business. Every year, Alibaba Cloud security observes nearly one million DDoS attacks on the cloud. Application-layer DDoS (CC attacks) has become a common attack type, and attack methods are growing more complex. At the same time, Web application security problems still account for a very large share of incidents: from user information leaks to promotion-abuse sprees by bonus hunters (the "wool party"), they constantly test the security level of every industry and every Web application.
To make the network platform that carries data transmission more secure and reliable, Alibaba Cloud CDN has been continuously strengthening its security capabilities.

1. DDoS mitigation. CDN and the DDoS high-protection product can work in linkage. In distribution scenarios, content is delivered through the CDN. When a DDoS attack occurs, traffic in the region under attack can be scheduled to DDoS high protection for scrubbing, which effectively protects the service quality of the business. Through this linkage, massive DDoS attacks can be scrubbed effectively, and flood attacks such as SYN, ACK, ICMP, UDP, NTP, SSDP and DNS can be perfectly defended. In addition, based on the computing power and deep learning algorithms of the Alibaba Cloud Feitian platform, DDoS attacks are predicted intelligently and traffic is switched smoothly to DDoS high protection without affecting business operation.

2. Machine traffic management. Against malicious web crawlers, the CDN platform draws on the malicious IP library, malicious fingerprint library and other data accumulated from Alibaba Group's business. Using machine learning and anti-crawler models customized to the business risk, it reduces the impact of crawlers and automation tools on the website's business, ensures the security of enterprise data, and protects the enterprise's core business value.

3. Frequency control. When a website is hit by a malicious CC attack and responds slowly, the frequency control function can block the offending requests within seconds and improve the website's security. Frequency control protects your website's URLs from suspicious requests that exceed a set threshold. It supports a rich set of monitored objects, along with custom rules to define appropriate access thresholds. Once a set request threshold is reached, a custom response is triggered to handle overly frequent requests by various means, such as blocking or challenging.

4. IP/region blocking. Configuring IP blacklists and whitelists identifies and filters visitors, restricting who can access CDN resources and improving the security of the CDN. In addition, country-level blacklists and whitelists can be configured to block access requests from designated regions, which addresses the high incidence of malicious requests from some areas.

5. Precise access control. Custom matching conditions implement precise access control. The matching conditions can check common HTTP fields (such as IP, URL, headers, and so on) to meet the customization requirements of a business scenario. The feature describes the requests to be captured through a rich set of request fields and diverse matching conditions. Once a request matches, it triggers the action defined by the rule, such as challenge, observation, or blocking, to achieve precise access control.

6. WAF. Because of the CDN's distributed architecture, users obtain content by visiting nearby edge nodes. With the edge nodes acting as an intermediary, the IP address of the origin is effectively hidden and the access load on the origin is spread out. When a large-scale malicious attack arrives, the edge nodes serve as the first line of defense: they greatly disperse the attack intensity and also provide edge protection through the security capabilities listed above.

Alibaba Cloud CDN also integrates cloud WAF capability as the last layer of protection for the origin. The WAF inspects back-to-origin business traffic for malicious characteristics and protects against them, passing only normal, safe traffic back to the server. This prevents malicious intrusion into the website server, protects the core data of the enterprise's business, and resolves server performance problems caused by malicious attacks. For the latest vulnerabilities that a website is exposed to, CDN WAF provides virtual patches, delivering quick-fix rules as fast as possible, and relies on cloud security for rapid vulnerability response and repair.
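The frequency control behaviour described in item 3 above (a monitored object, a request threshold, and a block or challenge response once the threshold is reached) can be sketched as follows. This is an added example, not Alibaba Cloud's code or configuration schema: the rule fields, the sliding-window algorithm, the penalty period, and the sample traffic are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class FrequencyRule:            # hypothetical rule shape, not Alibaba Cloud's schema
    url_prefix: str             # URLs the rule protects
    threshold: int              # requests allowed per client inside the window
    window_s: float             # sliding-window length in seconds
    action: str                 # response once exceeded: "block" or "challenge"
    penalty_s: float            # how long the action stays in force

class FrequencyControl:
    def __init__(self, rules):
        self.rules = rules
        self.hits = defaultdict(deque)   # (rule index, client IP) -> timestamps
        self.penalised = {}              # (rule index, client IP) -> expiry time

    def check(self, client_ip, url, now):
        for idx, rule in enumerate(self.rules):
            if not url.startswith(rule.url_prefix):
                continue
            key = (idx, client_ip)       # monitored object: one client per rule
            if self.penalised.get(key, 0.0) > now:
                return rule.action       # still inside the penalty period
            window = self.hits[key]
            window.append(now)
            while window[0] <= now - rule.window_s:
                window.popleft()         # drop requests older than the window
            if len(window) > rule.threshold:
                self.penalised[key] = now + rule.penalty_s
                window.clear()
                return rule.action
        return "allow"

# Constructed sample traffic: (seconds, client IP, URL). Documentation addresses only.
SAMPLE = [(0, "198.51.100.7", "/login"), (1, "198.51.100.7", "/login"),
          (2, "198.51.100.7", "/login"), (3, "198.51.100.7", "/login"),
          (3, "203.0.113.9", "/login"), (30, "198.51.100.7", "/login"),
          (40, "198.51.100.7", "/static/app.js"), (64, "198.51.100.7", "/login")]

def replay(events=SAMPLE):
    """Apply one rule (3 requests per 10 s on /login, challenge for 60 s) to the sample."""
    fc = FrequencyControl([FrequencyRule("/login", 3, 10.0, "challenge", 60.0)])
    return [fc.check(ip, url, float(t)) for t, ip, url in events]

if __name__ == "__main__":
    print(replay())
```

Keying the counters on the client IP alone is the simplest choice of monitored object; behind shared NAT a session or header value is often the fairer key.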

Tamper-proof capability

Alibaba Cloud CDN provides enterprise-level full-link HTTPS plus tamper-proofing of node content, to secure transmission along the full link from the origin to the client. At the link transmission level, HTTPS ensures that the link cannot be hijacked by an intermediary. On the node, consistency verification can be performed on the files obtained from the origin. If the content is found to be inconsistent, it is deleted and retrieved from the origin again. The whole solution protects content across the entire link (origin, transmission link, CDN node, and client) and provides a higher level of transmission security.
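The node-side consistency check described above, where inconsistent content is deleted and retrieved from the origin again, can be illustrated with the following added example. It is not Alibaba Cloud's implementation: the page does not say how consistency is verified, so the use of a SHA-256 digest recorded at fill time, the `Origin` and `EdgeNode` classes, and the sample files are assumptions.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class Origin:
    """Stand-in for the source station: serves file bodies and their digests."""
    def __init__(self, files):
        self.files = dict(files)
        self.fetches = 0                 # counts body fetches, to show re-fetching

    def fetch(self, path):
        self.fetches += 1
        return self.files[path]

    def digest(self, path):
        return sha256_hex(self.files[path])

class EdgeNode:
    def __init__(self, origin):
        self.origin = origin
        self.cache = {}                  # path -> (body, digest recorded at fill)

    def _fill(self, path):
        body, expected = self.origin.fetch(path), self.origin.digest(path)
        if sha256_hex(body) != expected:
            raise ValueError(f"{path}: body does not match origin digest")
        self.cache[path] = (body, expected)

    def serve(self, path):
        if path not in self.cache:
            self._fill(path)
        return self.cache[path][0]

    def audit(self):
        """Re-hash every cached object; evict and re-fetch any that changed."""
        repaired = []
        for path in list(self.cache):
            body, expected = self.cache[path]
            if sha256_hex(body) != expected:
                del self.cache[path]     # delete the inconsistent copy
                self._fill(path)         # retrieve it from the origin again
                repaired.append(path)
        return repaired

def demo():
    # Constructed sample content, then a simulated on-node modification.
    origin = Origin({"/index.html": b"<html>home</html>", "/app.js": b"init();"})
    edge = EdgeNode(origin)
    edge.serve("/index.html"); edge.serve("/app.js")
    edge.cache["/index.html"] = (b"<html>defaced</html>", edge.cache["/index.html"][1])
    return edge.audit(), edge.serve("/index.html"), origin.fetches
```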

For large enterprises and other business scenarios with strong security requirements, Alibaba Cloud CDN provides exclusive resource solutions. Customers get physical isolation through security acceleration nodes that are built completely independently and deeply integrated with security functions, providing advanced, high defense capability on a single node. Exclusive IP resources isolate business security risk, so a customer is not affected when others are attacked. An independent scheduling domain per user is supported, so DNS attacks against one user do not affect others, with DNS flood protection of one million QPS.

Based on artificial intelligence and massive sample sets, Alibaba Cloud trains recognition models with deep learning that accurately identify pornographic scenes in pictures accelerated by the CDN, and it can provide multi-level recognition and flexible control schemes according to users' actual control needs. The overall pornography detection accuracy is more than 99%, and it can replace more than 90% of manual review, greatly reducing the risk of violations.

By simplifying the security acceleration architecture, operations and maintenance staff can more easily perform one-stop self-service configuration and API control, with monitoring and alerting for daily attacks, full-link troubleshooting, automatic protection, and a real-time panoramic view of data and logs. In addition, the escort and assurance response system for large-scale events helps enterprise applications resist security risks and protects the stability of the system.

The Alibaba Cloud CDN platform has also passed compliance certifications including national information security level protection 2.0, ISO9001, and PCI-DSS. Its evaluation in network security, data security, service security and other areas has been recognized by authoritative bodies worldwide.

Industry application cases

Enterprise website, airline promotion: A low-cost carrier in Asia holds a large ticket sales promotion at the end of each quarter. With the Alibaba Cloud CDN + WAF architecture, it can quickly identify and ban ticket-brushing requests. By analyzing cases of seats being held for long periods during big promotions, it has pushed the seat-holding rate down to a low level, ensuring stable business revenue.

Game company, overseas expansion: Among the Chinese game companies expanding overseas, one dark horse stands out. The company uses Alibaba Cloud DCDN to support its very large-scale user experience, replacing all the Border Gateway Protocol (BGP) network resources of its origin servers with a single-operator network and reducing the bandwidth cost of the origin servers by more than 50%.
