How to build the "immunity" of enterprises going overseas? In-depth interpretation of Alibaba Cloud CDN security capabilities
With the rapid development and adoption of information technology, industries are becoming increasingly digital and intelligent, and enterprise information security has been elevated to unprecedented importance. After more than 10 years of technical development, Alibaba Cloud CDN has gradually built a three-dimensional edge + cloud security protection system. It includes full-link secure transmission, edge defense against common attack types, enterprise-level exclusive resource deployment, operation and maintenance, and a content security guarantee mechanism, creating a safe network environment for enterprises going overseas.
CDN security protection covers two core attack scenarios: bandwidth congestion and resource exhaustion.
For attacks that congest a limited bandwidth ingress, the defense is essentially to absorb the traffic. A CDN naturally has abundant node resources: its distributed network spreads the attack across different edge nodes, and traffic is cleaned near its source before being returned to the origin server.
For attacks that exhaust limited resources, the nature of the attack must be identified quickly so that its characteristics can be blocked. A CDN alone cannot solve this problem effectively. DDoS attacks have to be detected intelligently and accurately through configuration on the CDN nodes, and the attack traffic automatically scheduled to DDoS high defense for traffic cleaning. In this case, users need to purchase the high-defense Anti-DDoS products.
An edge security system based on
The core capability of the edge security system built on Alibaba Cloud CDN is still acceleration, but it goes beyond acceleration. Acceleration is the basis of the overall solution. Relying on the Alibaba Cloud site-wide acceleration platform, it improves acceleration for sites that mix static and dynamic content through core technologies such as automatic dynamic/static separation, intelligent routing, and private-protocol transmission. On top of acceleration, it provides customers with a rich set of security capabilities: edge application-layer protection, network-layer DDoS defense, content tamper resistance, full-link HTTPS transmission, high availability, and security compliance. From the customer's business traffic, through the CDN product system, all the way back to the customer's origin site, it provides security guarantees across the entire link so that enterprise Internet services are both safe and accelerated.
Edge Security Protection
Alibaba Cloud CDN provides complete enterprise-level edge security capabilities, including DDoS mitigation, WAF, frequency control, IP/regional bans, machine traffic management, and precise access control, to achieve full-stack protection from the network layer to the application layer. Without sacrificing website acceleration performance, it guarantees the stability and security of customers' online business.
Every year, Alibaba Cloud Security detects nearly a million DDoS attacks on the cloud. Application-layer DDoS (CC attacks) has become a common attack type, and attack methods are increasingly varied and complex. At the same time, web application security issues still account for a very large proportion of incidents. From leaks of user information to the "wool party" (people who abuse promotions and coupons) cashing in, they constantly test the security level of every industry and every web application. To make the network platform that carries data transmission more secure and reliable, Alibaba Cloud CDN has been continuously strengthening its security capabilities.
1. DDoS mitigation
CDN and the DDoS high-defense product can work in linkage. In distribution scenarios, content is distributed through the CDN; when a DDoS attack occurs, traffic in the region under attack is dispatched to DDoS High Defense for cleaning, effectively protecting the service quality of the business. The linkage scheme can effectively clean massive DDoS attacks and fully defend against flood attacks such as SYN, ACK, ICMP, UDP, NTP, SSDP, and DNS. In addition, based on the computing power and deep learning algorithms of the Alibaba Cloud Feitian platform, it intelligently predicts DDoS attacks and switches smoothly to DDoS high defense without affecting business operations.
2. Machine traffic management
To counter malicious crawling by web crawlers, the CDN platform draws on the malicious IP database and malicious fingerprint database accumulated from Alibaba Group's own business. It uses machine learning and customized crawler models tailored to business risks to apply precise countermeasures, reducing the impact of crawlers and automated tools on website business, protecting enterprise data, and preserving the core business value of the enterprise.
3. Frequency control
When a website suffers a malicious CC attack and responds slowly, the frequency control function can block the offending requests within seconds to improve the security of the website. Frequency control protects your website URLs from suspicious requests that exceed a set threshold. It supports a wide range of monitored objects and custom rules for defining appropriate access thresholds. Once the set request threshold is reached, a custom response is triggered, and excessively frequent requests are handled in different ways (such as blocking or issuing a challenge).
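The threshold-and-response behaviour described above can be sketched as a sliding-window counter. This is an added example, not Alibaba Cloud CDN code; the rule fields, class names and sample requests are hypothetical and constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class FreqRule:               # field names are hypothetical, not a CDN console schema
    url_prefix: str           # URLs the rule protects
    key_field: str            # monitored object, e.g. "ip"
    threshold: int            # requests allowed per window
    window_s: int             # counting window, seconds
    action: str               # custom response: "block" or "challenge"
    penalty_s: int            # how long the response stays in force

class FrequencyControl:
    def __init__(self, rules):
        self.rules = rules
        self.hits = defaultdict(deque)    # (rule index, key) -> recent timestamps
        self.penalty_until = {}           # (rule index, key) -> expiry time

    def check(self, req, now):
        """Return 'allow', 'block' or 'challenge' for one request."""
        for i, rule in enumerate(self.rules):
            if not req["url"].startswith(rule.url_prefix):
                continue
            slot = (i, req[rule.key_field])
            if self.penalty_until.get(slot, 0) > now:
                return rule.action                     # earlier trigger still active
            q = self.hits[slot]
            while q and q[0] <= now - rule.window_s:   # expire hits outside the window
                q.popleft()
            q.append(now)
            if len(q) > rule.threshold:                # threshold exceeded: respond
                self.penalty_until[slot] = now + rule.penalty_s
                q.clear()
                return rule.action
        return "allow"

def replay(rules, requests):
    fc = FrequencyControl(rules)
    return [fc.check(r, r["ts"]) for r in requests]

# Constructed sample: one client hammers /login, another sends a single request.
RULES = [FreqRule("/login", "ip", threshold=3, window_s=10,
                  action="challenge", penalty_s=60)]
SAMPLE = ([{"ts": t, "ip": "203.0.113.7", "url": "/login"} for t in range(5)]
          + [{"ts": 5, "ip": "198.51.100.2", "url": "/login"},
             {"ts": 30, "ip": "203.0.113.7", "url": "/login"},
             {"ts": 70, "ip": "203.0.113.7", "url": "/login"}])

if __name__ == "__main__":
    print(replay(RULES, SAMPLE))
```

Keying the counter on the monitored object keeps one noisy client from affecting others, and the penalty period means a client that backs off is allowed again once it expires.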
4. IP/regional block
Configure IP blacklists and whitelists to identify and filter visitors, restricting who can access CDN resources and improving CDN security. You can also configure country blacklists and whitelists to block access requests from designated regions with one click, addressing malicious requests that frequently originate from certain regions.
5. Precise access control
Custom matching conditions allow precise access control. The matching conditions can check common HTTP fields (such as IP, URL, and headers) to meet the customization requirements of different business scenarios. The function describes the requests to be captured by supporting a rich set of request fields and diverse matching conditions. Once a request matches, the operation defined by the rule is triggered, such as challenge (inquiry), observation, or blocking, to achieve precise access control.
Because of the CDN's distributed architecture, users obtain content from nearby edge nodes. With the edge nodes acting as intermediaries, the origin site's IP is effectively hidden and the origin's access load is spread out. When a large-scale malicious attack strikes, edge nodes serve as the first line of defense: they greatly disperse the attack intensity and also provide edge protection through the security capabilities described above.
Alibaba Cloud CDN also integrates cloud WAF capabilities as the last layer of protection in front of the origin site. WAF identifies and blocks malicious patterns in back-to-origin business traffic and returns only normal, safe traffic to the server. This prevents malicious intrusion into the website server, protects the enterprise's core business data, and addresses abnormal server performance caused by malicious attacks. CDN WAF provides virtual patches, supplying quick-fix rules wherever possible for the latest vulnerabilities disclosed for the website, and relies on cloud security to respond to and repair vulnerabilities quickly.
Alibaba Cloud CDN provides enterprise-level full-link HTTPS plus node content anti-tampering capabilities to secure the customer's entire transmission path from the origin site to the client. At the link level, the HTTPS protocol ensures that the link cannot be hijacked by an intermediary. On the node, files can be verified for consistency with the origin site's files; if the content is found to be inconsistent, it is deleted and pulled again from the origin before being distributed. The complete solution secures content across the entire link (origin site, link, CDN node, and client) and provides a higher level of transmission security.
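The node-side consistency check described above (verify, delete on mismatch, pull again from the origin) can be illustrated as follows. This is an added example, not Alibaba Cloud CDN code; it assumes the origin publishes a SHA-256 digest for each file, which the page does not specify, and the class, callbacks and sample file are hypothetical.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class EdgeNode:
    def __init__(self, fetch_origin, origin_digest):
        self.fetch_origin = fetch_origin      # callable(path) -> bytes (assumed interface)
        self.origin_digest = origin_digest    # callable(path) -> hex digest from origin
        self.cache = {}                       # path -> cached body
        self.events = []                      # audit trail for monitoring

    def serve(self, path):
        expected = self.origin_digest(path)
        body = self.cache.get(path)
        if body is not None and sha256_hex(body) == expected:
            self.events.append(("hit", path))
            return body
        if body is not None:
            # Cached copy no longer matches the origin: drop it before re-pulling.
            del self.cache[path]
            self.events.append(("tamper_evict", path))
        body = self.fetch_origin(path)
        if sha256_hex(body) != expected:
            # Never cache or distribute content that fails verification.
            self.events.append(("origin_mismatch", path))
            raise ValueError(f"digest mismatch for {path}")
        self.cache[path] = body
        self.events.append(("fill", path))
        return body

# Constructed origin content for the demonstration.
ORIGIN = {"/app.js": b"console.log('v1');"}

def demo():
    node = EdgeNode(ORIGIN.__getitem__, lambda p: sha256_hex(ORIGIN[p]))
    first = node.serve("/app.js")
    # Simulate the cached copy being altered on the node.
    node.cache["/app.js"] = b"console.log('v1');/*altered*/"
    second = node.serve("/app.js")
    return first, second, node.events

if __name__ == "__main__":
    print(demo())
```

The `tamper_evict` and `origin_mismatch` events are the ones worth alerting on, since either indicates content that differed from what the origin published.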
Exclusive resources improve the enterprise security factor
For business scenarios with strong security requirements, such as large enterprises, Alibaba Cloud CDN provides exclusive resource solutions:
Customers can achieve physical isolation through security acceleration nodes that are built completely separately, deeply integrate security functions, and provide advanced single-node high-defense capabilities;
Exclusive IP resources isolate business security risks, so a customer is not affected when others are attacked;
Each user can have an independent scheduling domain, so DNS attacks on one user do not affect others, with DNS Flood protection at millions of QPS.
Holding the bottom line of "production" safety for content and platform
Based on artificial intelligence and massive sample sets, Alibaba Cloud trains recognition models through deep learning to accurately recognize pornographic scenes in images accelerated by the CDN, and it can provide multi-level recognition and flexible control solutions based on users' actual control needs. The overall pornography recognition accuracy exceeds 99%, which can replace more than 90% of manual audits and greatly reduces the risk of violations.
With a simplified security acceleration architecture, operation and maintenance personnel can more conveniently perform one-stop self-service configuration and API management and control, with daily attack monitoring and alerting, full-link investigation, automatic protection, and real-time panoramic log viewing. In addition, the escort and key-event assurance response system for large-scale events helps enterprise applications withstand security risks and keeps systems stable.
The Alibaba Cloud CDN platform has also passed compliance certifications including the national information security Classified Protection 2.0 Level 3, ISO 9001, and PCI-DSS, and has been recognized by world authorities in terms of network security, data security, and service security.
Industry application cases
Corporate Website-Aviation Promotion
A low-cost airline in Asia holds a large-scale ticket promotion every quarter. With the Alibaba Cloud CDN+WAF architecture, it can quickly block ticket-swiping requests. Through long-term, continuous analysis of seat occupation during the promotion periods, the seat occupancy rate has been reduced to a relatively low level, ensuring the stability of business revenue.
Game company: games going overseas
Among the Chinese game companies going overseas, one dark horse stands out. This company uses Alibaba Cloud DCDN to serve a super-large-scale user base, allowing it to replace all Border Gateway Protocol (BGP) network resources of its origin servers with a single-operator network, reducing the bandwidth costs of the origin servers by more than 50%.