CDN Security: Building a Multi-Layer In-depth Protection System on CDN Edge Nodes

This blog shows how to tackle network attacks on CDN edge nodes and manage tampering, attacks, and content.

Five Network Attacks Commonly Seen in Today's Grim Network Security Environment

DDoS Attacks

The Distributed Denial of Service (DDoS) attack has a history of more than 20 years. This simple and direct attack saturates the victim's access (uplink) bandwidth with a flood of spoofed packets. As the number of terminals such as Internet of Things (IoT) devices grows, so does the frequency of such attacks. According to a report from Alibaba Cloud Security Center, attacks above 100 Gbps became commonplace in 2019, and attacks reaching 500 Gbps were no longer rare. When an enterprise is under attack, its uplink is jammed and legitimate requests cannot get through, paralyzing the enterprise's online services. DDoS protection is therefore the first problem enterprises need to invest in.

HTTP Flood Attack

Unlike a Layer 4 DDoS attack built from spoofed packets, an HTTP flood attack exhausts the targeted server's resources, such as CPU and memory, by sending a large number of well-formed requests. A common approach is to request pages that force the server to run database queries, so that server load and resource consumption surge, responses slow down, and the service may become unavailable. Because these requests complete a real TCP handshake and are syntactically valid, they cannot be filtered by packet-level signatures alone; defenses rely on per-client rate limiting and behavioral checks.

Web Attacks

Typical web attacks include SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). Unlike DDoS and HTTP flood attacks, which overwhelm a target with superfluous requests, web attacks exploit vulnerabilities in the web application itself. A successful attack either leaks the database contents of the target website or tampers with its pages so that they distribute malware to visitors (drive-by downloads). Leaked database content can seriously compromise a company's data security, while pages serving malware damage the company's security reputation and can cause search engines to downgrade the website.

Malicious Crawlers

A report released by Alibaba Cloud Security Center showed that in 2019 malicious crawlers accounted for more than 50% of attacks in industries such as real estate, transportation, gaming, e-commerce, and online forums. Malicious crawlers steal a website's core content, such as the product prices of e-commerce merchants, and consume server resources.

Hijacking Attacks

Hijacking attacks are quite common. When a third party hijacks a website, its traffic is diverted to other websites, reducing both the traffic and the user base of the victim site. In addition, for media and government websites, tampering with content can create substantial policy risks.

How Can You Tackle Network Attacks on CDN Edge Nodes?

CDN-based Edge Node Security + Anti-DDoS Pro Center Security Architecture

The security architecture of Alibaba Cloud Content Delivery Network (CDN) follows the principle of defense in depth: an edge security protection mechanism built on the distributed CDN nodes works together with the Anti-DDoS Pro scrubbing center.

As shown in the figure, the first layer of protection is deployed on the global CDN nodes. The edge nodes are hardened with security capabilities of their own and use multi-layer, multi-dimensional traffic statistics and attack detection to consolidate data such as DDoS and HTTP access traffic into the Security Brain for comprehensive analysis. Defense policies are then pushed dynamically to the edge nodes according to the level of the attack, and the edge nodes can also defend and scrub traffic on their own. In addition, WAF and anti-tamper protection are deployed in front of the origin, so attacks are blocked before they reach the origin site. If the origin only serves the CDN and is not exposed to the public network, the architecture also provides CDN-based advanced protection for the origin so that it cannot be discovered by malicious scanners.

CDN Security Architecture

CDN's large number of edge nodes absorb most attack traffic through their own scheduling and scrubbing capabilities, which is how high-bandwidth, high-volume DDoS attacks are withstood in scenarios such as finance and government. When a DDoS attack grows beyond what the edge can absorb, the Security Brain uses intelligent scheduling to steer the attack traffic to advanced protection nodes for scrubbing.

Three Core Features of Alibaba Cloud CDN Security Architecture

On the basis of the preceding CDN security architecture, Zhao Wei also describes the three core capabilities of Alibaba Cloud CDN: Anti-DDoS intelligent scheduling, web protection, and machine traffic management.

1) Anti-DDoS Intelligent Scheduling: A Collaborative Mechanism between Multiple Components

Anti-DDoS Intelligent Scheduling is a collaborative mechanism between the distributed anti-DDoS protection on the edge nodes and the high-bandwidth, high-volume protection of Anti-DDoS Pro.

Anti-DDoS Intelligent Scheduling

By default, Anti-DDoS Intelligent Scheduling distributes business traffic through the CDN for maximum acceleration and the best user experience. When a high-bandwidth, high-volume DDoS attack is detected, Intelligent Scheduling determines its severity level and diverts traffic to Anti-DDoS Pro for scrubbing, performing local or global scheduling depending on the magnitude of the attack. When the attack stops, Intelligent Scheduling automatically routes the business traffic from Anti-DDoS Pro back to the CDN edge nodes so that normal acceleration resumes as soon as possible.

The centerpiece of Anti-DDoS Intelligent Scheduling consists of three components: edge acceleration, intelligent scheduling, and Tbps-level protection. DDoS attack detection and intelligent scheduling, built on top of edge acceleration, determine whether to scrub the attack traffic with Anti-DDoS Pro or with the Tbps-level protection center. At present, the solution has been adopted by customers in the financial and media industries.
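The divert-and-return decision described above is, at its core, a state machine with hysteresis: traffic is diverted as soon as a threshold is crossed, but only routed back after the attack has stayed quiet for a sustained period, so a fluctuating attack does not cause the route to flap. The following is an added example written for this page, not Alibaba Cloud's scheduling code; the thresholds, the three states, and the "edge / local scrub / global scrub" naming are hypothetical, and the traffic samples are constructed.

```python
"""Added example: a DDoS scheduling state machine with hysteresis.
Not Alibaba Cloud's implementation; thresholds and states are hypothetical."""
from collections import deque
from dataclasses import dataclass


@dataclass
class SchedulingPolicy:
    # Hypothetical thresholds, in Gbps of inbound traffic observed at one edge node.
    local_divert_gbps: float = 100.0   # divert this node's traffic to a scrubbing center
    global_divert_gbps: float = 500.0  # divert the whole domain to Tbps-level protection
    clear_gbps: float = 20.0           # a sample below this counts as "quiet"
    clear_samples: int = 6             # consecutive quiet samples before routing back
    window: int = 3                    # samples per detection window (peak-based)


class IntelligentScheduler:
    """Tracks one domain. States: 'edge' (normal CDN acceleration),
    'local_scrub' (one node diverted), 'global_scrub' (whole domain diverted)."""

    def __init__(self, policy: SchedulingPolicy):
        self.policy = policy
        self.state = "edge"
        self.quiet = 0                              # consecutive quiet samples while diverted
        self.recent = deque(maxlen=policy.window)   # sliding window of recent samples
        self.transitions = []                       # (sample index, old state, new state)

    def observe(self, t: int, gbps: float) -> str:
        self.recent.append(gbps)
        peak = max(self.recent)
        new = self.state
        # Escalation is immediate and based on the window peak, so one big
        # sample is enough to divert; a global diversion is never downgraded
        # to a local one, only released once the attack is over.
        if peak >= self.policy.global_divert_gbps:
            new = "global_scrub"
        elif peak >= self.policy.local_divert_gbps and self.state == "edge":
            new = "local_scrub"
        # De-escalation requires a sustained quiet period (hysteresis): a short
        # lull in the attack resets nothing, only a run of quiet samples does.
        if self.state != "edge":
            self.quiet = self.quiet + 1 if gbps < self.policy.clear_gbps else 0
            if self.quiet >= self.policy.clear_samples:
                new = "edge"
        if new != self.state:
            self.transitions.append((t, self.state, new))
            self.state = new
            self.quiet = 0
        return self.state


def schedule(samples, policy=None):
    """Feed a series of per-sample Gbps readings and return the transitions."""
    sched = IntelligentScheduler(policy or SchedulingPolicy())
    for t, gbps in enumerate(samples):
        sched.observe(t, gbps)
    return sched.transitions


if __name__ == "__main__":
    # Constructed series: attack ramps from 150 to 600 Gbps, then stops.
    print(schedule([5, 8, 150, 300, 600, 400, 10, 10, 10, 10, 10, 10]))
    # Constructed series with a two-sample lull: the lull does not route back.
    print(schedule([5, 150, 10, 10, 150, 10, 10, 10, 10, 10, 10]))
```

The quiet-sample counter is the part worth copying: without it, the scheduler would bounce a domain between the CDN and the scrubbing center every time an attacker paused for a few seconds, and each switch means a DNS or routing change that real users feel.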

2) Web Protection: Eight Layers of Security Features to Filter out Malicious Requests

The web attack protection policy filters out malicious requests layer by layer. The first layer is access control, which specifies interception rules for HTTP requests. The second layer is region blocking, which intercepts requests from disallowed or anomalous regions. The third layer is the IP reputation system, which classifies malicious behavior and intercepts IP addresses using the profiles of Internet IP addresses that Alibaba Cloud has accumulated over the years. The fourth layer is the blacklist, which intercepts specific User-Agents or IP addresses. These first four layers are all exact-match interception. The fifth layer is frequency control, which intercepts IP addresses with abnormally high request rates. The sixth layer manages machine traffic from the Internet and blocks malicious crawlers. The seventh and eighth layers provide WAF and advanced protection for the origin site.

Web Protection

According to Zhao Wei, CDN edge nodes are closest to Internet users. Among all incoming requests, some are normal user requests, and others may be crawlers, injection attempts, malicious requests, or cross-site requests. The layers of protection filter out the malicious requests and forward only the normal requests to the origin site.
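The ordering of the layers above matters: the cheap exact-match layers (access control, region, reputation, blacklist) run first, the stateful frequency-control layer that answers the HTTP flood problem described earlier runs next, and pattern-based WAF inspection comes last. The following added example, written for this page and not Alibaba Cloud's code, models that chain over constructed requests; the rule tables, thresholds, WAF signatures, and the `RequestFilter` class are all hypothetical, and the sixth layer (machine traffic) and eighth layer (origin protection) are not modelled.

```python
"""Added example: a layered edge request filter. Not Alibaba Cloud's code;
all policy data below is constructed for illustration."""
import ipaddress
import re
from collections import defaultdict, deque

# --- constructed policy data (hypothetical) -------------------------------
ACL_RULES = [("/admin/", "deny")]                      # layer 1: access control
BLOCKED_REGIONS = {"XX"}                               # layer 2: region blocking
IP_REPUTATION = {"203.0.113.7": "scanner"}             # layer 3: reputation feed
UA_BLACKLIST = {"evil-scraper/1.0"}                    # layer 4: blacklist (UA)
IP_BLACKLIST = [ipaddress.ip_network("198.51.100.0/24")]  # layer 4: blacklist (IP)
RATE_LIMIT = (20, 10.0)                                # layer 5: 20 requests / 10 s per IP
WAF_SIGS = [re.compile(p, re.I) for p in (             # layer 7: WAF signatures
    r"\bunion\b.+\bselect\b", r"<script\b", r"\.\./")]
BROWSER_UA = "Mozilla/5.0 (constructed browser UA)"


def request(ip, path, query, ua, ts):
    """Build a minimal request record (constructed input)."""
    return {"ip": ip, "path": path, "query": query, "ua": ua, "ts": ts}


class RequestFilter:
    def __init__(self, geo_lookup):
        self.geo_lookup = geo_lookup        # ip -> country code (constructed lookup)
        self.history = defaultdict(deque)   # per-IP sliding window of timestamps

    def layer_access_control(self, req):
        for prefix, action in ACL_RULES:
            if action == "deny" and req["path"].startswith(prefix):
                return "acl"

    def layer_region(self, req):
        if self.geo_lookup.get(req["ip"]) in BLOCKED_REGIONS:
            return "region"

    def layer_reputation(self, req):
        if req["ip"] in IP_REPUTATION:
            return "reputation:" + IP_REPUTATION[req["ip"]]

    def layer_blacklist(self, req):
        ip = ipaddress.ip_address(req["ip"])
        if req["ua"] in UA_BLACKLIST or any(ip in net for net in IP_BLACKLIST):
            return "blacklist"

    def layer_frequency(self, req):
        # Sliding-window counter: only requests that survived the exact-match
        # layers are counted, which keeps the state small under a flood.
        limit, window = RATE_LIMIT
        q = self.history[req["ip"]]
        q.append(req["ts"])
        while q and req["ts"] - q[0] > window:
            q.popleft()
        if len(q) > limit:
            return "frequency"

    def layer_waf(self, req):
        if any(sig.search(req["path"] + "?" + req["query"]) for sig in WAF_SIGS):
            return "waf"

    LAYERS = ("layer_access_control", "layer_region", "layer_reputation",
              "layer_blacklist", "layer_frequency", "layer_waf")

    def decide(self, req):
        """Return ('block', reason) from the first layer that objects, else ('forward', None)."""
        for name in self.LAYERS:
            reason = getattr(self, name)(req)
            if reason:
                return ("block", reason)
        return ("forward", None)


def make_filter():
    # Constructed geo lookup; 192.0.2.99 is placed in the blocked region "XX".
    return RequestFilter({"192.0.2.10": "US", "192.0.2.99": "XX"})


def simulate_flood(n, ip):
    """Send n requests 0.1 s apart from one IP; return how many the frequency layer blocks."""
    f = make_filter()
    decisions = [f.decide(request(ip, "/search", "q=x", BROWSER_UA, i * 0.1)) for i in range(n)]
    return sum(1 for d in decisions if d == ("block", "frequency"))


if __name__ == "__main__":
    f = make_filter()
    print(f.decide(request("192.0.2.10", "/index.html", "", BROWSER_UA, 0.0)))
    print(f.decide(request("192.0.2.10", "/item", "id=1 UNION SELECT pw FROM users", BROWSER_UA, 0.1)))
    print(simulate_flood(25, "192.0.2.20"))
```

Two practical points the chain makes visible: a blocked request never reaches later layers, so the rate-limit window only holds clients that passed the cheap checks, and the regex WAF layer is deliberately last, since it is the most expensive per request and the easiest to evade with encoding, which is why real WAFs normalize the request before matching.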

3) Machine Traffic Management: Identify Internet Bot Traffic and Block Malicious Bots

The Machine Traffic Management feature is deployed on the edge nodes. When Internet access requests arrive at a CDN edge node, Machine Traffic Management extracts the original client information, computes client feature values, and matches them against the machine-traffic characteristic database that Alibaba Cloud Security has built and maintained over the years. Normal access, search engines, and commercial crawlers are expected and acceptable to websites, while malicious crawlers are intercepted. As a countermeasure, Machine Traffic Management is less intrusive than the protective measures that must be embedded in web pages, and it keeps access relatively smooth.

The following figure shows a use case in which the traffic to a domain name is analyzed with the Machine Traffic Management policy applied. The pie chart on the left shows a domain with machine traffic analysis enabled, where more than 82% of requests are identified as coming from malicious crawlers. The line chart on the right shows that after malicious crawler interception is activated, the peak bandwidth of the domain name drops by more than 80%.

Machine Traffic Management
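The feature-extraction-and-match step above can be illustrated with a few server-side signals that need nothing embedded in the page: the User-Agent family, whether the usual browser headers are present, the regularity of a client's request cadence, and, for a client that claims to be a search engine, whether its IP really belongs to that engine (the reverse-DNS-then-forward-DNS check that search engines document for verifying their crawlers). The following added example is written for this page and is not Alibaba Cloud's machine traffic code; the crawler table, the tool-signature list, the cadence threshold, and both DNS resolvers are constructed stand-ins, and the IP addresses are documentation ranges.

```python
"""Added example: bot classification from server-side client features.
Not Alibaba Cloud's implementation; all tables and resolvers are constructed."""
import statistics
from collections import defaultdict

# Hypothetical signature tables.
TOOL_UA_MARKERS = ("python-requests", "curl/", "scrapy", "go-http-client", "java/")
KNOWN_CRAWLERS = {   # UA marker -> domains a genuine crawler host must reverse-resolve into
    "Googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
}
BROWSER_HEADERS = ("accept", "accept-language", "accept-encoding")
REGULAR_CADENCE_CV = 0.1   # coefficient of variation below this looks scripted
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (constructed browser UA)"


def make_request(ip, ua, ts, browser_headers=True):
    """Constructed request record; browser_headers=False mimics a bare HTTP client."""
    headers = {"user-agent": ua}
    if browser_headers:
        headers.update({"accept": "text/html", "accept-language": "en-US", "accept-encoding": "gzip"})
    return {"ip": ip, "ts": ts, "headers": headers}


class MachineTrafficManager:
    def __init__(self, reverse_dns, forward_dns):
        self.reverse_dns = reverse_dns      # ip -> hostname (constructed resolver)
        self.forward_dns = forward_dns      # hostname -> set of ips (constructed resolver)
        self.arrivals = defaultdict(list)   # per-IP request timestamps

    def crawler_check(self, ip, ua):
        """'verified' if the claimed crawler's IP round-trips through DNS, 'spoofed' if not, None if no claim."""
        for marker, domains in KNOWN_CRAWLERS.items():
            if marker.lower() not in ua.lower():
                continue
            host = self.reverse_dns.get(ip)
            in_domain = host and any(host == d or host.endswith("." + d) for d in domains)
            if in_domain and ip in self.forward_dns.get(host, set()):
                return "verified"
            return "spoofed"   # claims a search engine but DNS does not back it up
        return None

    def features(self, req):
        ua = req["headers"].get("user-agent", "")
        ts = self.arrivals[req["ip"]]
        ts.append(req["ts"])
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        cv = None
        if len(gaps) >= 4 and statistics.mean(gaps) > 0:
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        return {
            "tool_ua": any(m in ua.lower() for m in TOOL_UA_MARKERS),
            "browser_headers": all(h in req["headers"] for h in BROWSER_HEADERS),
            "crawler_check": self.crawler_check(req["ip"], ua),
            "cadence_cv": cv,
        }

    def classify(self, req):
        """Return (label, action). Search engines pass, spoofed or scripted clients are blocked."""
        f = self.features(req)
        if f["crawler_check"] == "verified":
            return "search_engine", "allow"
        if f["crawler_check"] == "spoofed":
            return "spoofed_crawler", "block"
        if f["tool_ua"] or (f["cadence_cv"] is not None and f["cadence_cv"] < REGULAR_CADENCE_CV):
            return "malicious_crawler", "block"
        if not f["browser_headers"]:
            return "suspicious", "allow"   # logged for review, not blocked on this signal alone
        return "human", "allow"


def make_manager():
    # Constructed DNS data: 192.0.2.66 round-trips as a crawler host, 198.51.100.9 does not.
    reverse = {"192.0.2.66": "crawl-192-0-2-66.googlebot.com", "198.51.100.9": "vps.example.net"}
    forward = {"crawl-192-0-2-66.googlebot.com": {"192.0.2.66"}}
    return MachineTrafficManager(reverse, forward)


if __name__ == "__main__":
    m = make_manager()
    print(m.classify(make_request("192.0.2.66", GOOGLEBOT_UA, 1.0)))
    print(m.classify(make_request("198.51.100.9", GOOGLEBOT_UA, 1.0)))
    for i in range(6):   # a scripted client hitting the site exactly once per second
        print(m.classify(make_request("192.0.2.77", BROWSER_UA, float(i))))
```

The DNS round-trip is the check that keeps a spoofed "Googlebot" User-Agent from riding the search-engine allowlist, and the cadence signal catches a scripted client that copies a browser's headers perfectly. In production these signals are combined with many more (TLS fingerprint, header order, session behavior), but the structure is the same: extract features at the edge, match them against a known-bot database, and block only on the malicious classes.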

A Guide to CDN Security Protection: Managing Tampering, Attacks, and Content

Exclusive Use of CDN Resources Improves Enterprise Security

CDN also provides exclusive resource groups for scenarios with high security requirements, such as digital government services and large enterprises. First, CDN deploys physically isolated, independently built secure acceleration nodes that tightly integrate security functions and provide advanced anti-DDoS protection on a single node. Second, CDN provides dedicated IP resources, so that an attack on one user cannot affect the businesses of other users. Third, CDN supports independent scheduling of a single user's domains, so DNS attacks on one user do not affect others; this lets CDN withstand DNS flood attacks of millions of QPS.

Production-level Security for Content and Platforms

Compliance of Platform Content

Using deep learning trained on a large sample set, Alibaba Cloud has built a recognition model that accurately identifies pornographic content in images delivered through CDN, and it provides multi-level identification and flexible management and control options based on your needs. CDN's overall pornography detection accuracy exceeds 99%, allowing it to replace manual review, which achieves about 90% accuracy, and greatly reduce the risk of violations.

Convenience and Security

By simplifying the secure acceleration architecture, CDN lets O&M personnel perform one-stop self-service configuration and API control, covering routine attack monitoring and alerting, end-to-end troubleshooting, automatic protection, and real-time display of full logs. In addition, the escort and major-event response system designed for large-scale promotional activities helps enterprises protect their applications against security risks and ensure system stability.

In addition to the technologies above, CDN has obtained certifications including Classified Protection (MLPS) 2.0 Level 3, ISO 9001, and PCI DSS. Leading global authorities have recognized its network security, data security, and service security capabilities.


Alibaba Clouder