×
Community Blog Empower Online Businesses with Alibaba Cloud Anti-DDoS, WAF, CDN and Cloud Firewall

Empower Online Businesses with Alibaba Cloud Anti-DDoS, WAF, CDN and Cloud Firewall

This blog presents a step-by-step guide for securing your online business with Alibaba Cloud CDN and security products.

By Leaf Ye, Alibaba Cloud Solution Architect

In this blog, we'll discuss in detail on the steps required to secure your online business with Alibaba Cloud CDN and security products.

Solution Description

1

The rapid growth of innovative technologies has brought about new opportunities for online businesses around the world. People today are not only used to, but also rely on the internet to carry out their daily lives, including shopping, playing games, watching movies, and almost everything else. Globally, Internet traffic will grow 3.2-fold from 2016 to 2021, a compound annual growth rate of 26%. The growth of e-commerce in the US jumped by more than 30% in 2020, accelerating the shift to online shopping by nearly 2 years.

However, this has also introduced new challenges for enterprises when scaling up/out to meet the requirements. Online business owners are closely monitoring their websites because any negative result of page load time will impact conversation rate. Improving website performance is an always-on task for DevOps team.

As online businesses become more advanced, it is important to continually work with the security threats coming with it. Here are the top 5 security threats to online business:

  • DDoS attacks
  • Credit Card frauds
  • Malware
  • Bad bots
  • E-skimming

Managed security and faster performance are what online business is investing heavily today to protect and drive more business success.

This article shares a step-by-step instruction on how to use Alibaba Cloud Anti-DDoS Pro, Web Application Firewall (WAF) , and Cloud Firewall together to protect your online business. We will also discuss how to use Alibaba Cloud CDN to improve website performance at the same time.

Multi-Layer Protections

Alibaba Cloud has multiple security products that you can choose from to protect your online business. In this article, we will show you how to setup Anti-DDoS, WAF, and Cloud Firewall together while enabling CDN at the same time to accelerate online business end user experience.

Customers sometimes are unsure about the sequence of the setup. We recommend the multi-layer setup as showed in the solution diagram:

  1. Anti-DDoS Pro is the outermost protection of all. Anti-DDoS can be enabled in two modes. One is always-on mode which means all traffic is directed to Anti-DDoS scrubbing center first and clean traffic goes back to website origin server. The other mode is standby mode which customer can enable manually when attacks are discovered or watch mode which automatically trigger the traffic redirection by using Alibaba Cloud interaction between Anti-DDoS and CDN service. In the following step-by-step guide, we show you how to setup watch mode. You can reference it when you work on always-on mode or standby mode. The difference is you manually manage the DNS CNAME configuration. Alibaba Cloud Anti-DDoS is defending against 50% DDoS attacks in China.
  2. Clean request traffic after Anti-DDoS scrubbing center goes to CDN node next. If the requested content is cached in CDN node, then CDN node will respond to end user directly. This could improve page load time significantly. If there is no content cache in CDN node or the content is dynamic and request has to go back to website origin, CDN node will transfer request to next CDN node or to origin according to the configured CDN structure. Alibaba Cloud transforms the TCP protocol stack to improve the reliability of real-time data transmission. It also implements intelligent route switching in seconds to avoid packet loss during data transmission. Alibaba Cloud CDN is one of the top CDN suppliers in China and Asia.
  3. WAF protection is the next layer protection for online business. WAF mitigates HTTP flood attacks and filter out malicious bot traffic to ensure the performance of website origin server. It is also a tool for business risk control to address security risks, such as abusing of business APIs. Alibaba Cloud WAF won the recognition of Gartner, Forrester, IDC, and Frost & Sullivan, the top 4 research companies, for its strengths in proactive defense and machine learning-based detection. It has 49% market share in Greater China.
  4. If your origin server was built in Alibaba Cloud, you can use multiple security products from Alibaba Cloud to secure infrastructure of your origin server. Alibaba Cloud Firewall centrally manages the policies that control the traffic from the Internet to your businesses. It also controls the traffic between VPC networks, the traffic on Express Connect instances, and the traffic generated by VPN-based remote access. Cloud Firewall is embedded with an Intrusion Prevention System (IPS) and can detect outbound connections from your assets. Alibaba Cloud Firewall can also visualize network traffic and access between businesses as well as can store network traffic logs generated within the latest six months.

Let us start to build these multi-layer protections.

Step 1: Configure firewall protection before origin server

Firewall protection between your internal network and internet is essential and is the first layer of protection for your origin server.

If you setup your origin server in Alibaba Cloud, you can configure security group for origin server which you can control inbound and outbound ports on origin server. Here are the best practices of security group, https://www.alibabacloud.com/help/doc-detail/51170.htm

Cloud Firewall provides the Internet firewall to control the traffic at the Internet boundaries, VPC firewalls to control the traffic between VPCs, and internal firewalls to control the traffic between ECS instances. You can use Cloud firewall to centrally manage security group policies and has visualization of traffic between security groups.

1.1 Purchase Cloud Firewall.

1.2 Enable the Cloud Firewall service on the Firewalls page.

2

1.3 Click Create Policy in the upper-right corner of the Access Control page to Configure access control policies.

3

1.4 Configure intrusion prevention policies on the Intrusion Prevention page.

4

1.5 View traffic analysis on the Traffic Analysis page. You can check traffic analysis on external connections, internet access, VPC access, intrusion detection, IPS analysis and all access activities.

5

Step 2: Configure WAF

2.1 Purchase WAF

There are four editions for WAF - Pro, Business, Enterprise and Exclusive edition. Capacity and features are different for each edition.

This table below is about capacity difference between four editions.

6

For feature difference, please refer to this document, https://www.alibabacloud.com/help/doc-detail/58487.htm

2.2 Add a website to WAF

To add a website to WAF, you must add the domain name of the website to the WAF console and change the DNS record to redirect the traffic destined for the website to WAF for protection.

7

Add your origin server IP or load balancer IP as the 'Destination Server'

Check 'Yes' for question of 'Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF'. We will configure CDN and Anti-DDoS in the next steps.

2.3 Configure WAF protection policy

WAF provides multiple protection features to protect your websites against different types of attacks. Among the features, only RegEx Protection Engine and HTTP Flood Protection are enabled by default. The RegEx Protection Engine feature protects your websites against common web attacks, such as SQL injection, XSS, and webshell upload. The HTTP Flood Protection feature protects your websites against HTTP flood attacks. You need to manually enable other features and configure protection rules. For more information, check details at https://www.alibabacloud.com/help/doc-detail/173612.htm

2.4 Enable WAF for the website

Change the DNS record of the domain name to map the domain name to the CNAME address assigned by WAF.

You can make this DNS change to verify WAF working properly. Since we will configure CDN in next step to connect to WAF service, we don't need this DNS change after verifying WAF function.

Step 3: Configure CDN

In this instruction, we configure CDN to improve website performance. CDN uses WAF CNAME we configured in the last step as the origin.

3.1 Purchase CDN

You must complete real-name registration before using CDN service.

8

3.2 Verify the ownership of a domain name

The first time a domain name is added to Alibaba Cloud Content Delivery Network (CDN), Alibaba Cloud CDN verifies the ownership of the domain name. If you pass the verification process, Alibaba Cloud CDN identifies you as the owner of the domain name. If you add the domain name to Alibaba Cloud CDN again or add its subdomain names to Alibaba Cloud CDN, the ownership verification process is not needed. You can use a Domain Name System (DNS) record or upload the verification file to prove the ownership. In the following example, a.com is used to demonstrate how to prove the ownership of a domain name.

3.3 Add domain name to CDN

9

Choose to use Site Domain at 'origin Info' which is the WAF CNAME we configured in the last step.

To accelerate in region 'Mainland China Only' and 'Global', your domain must have a valid ICP filing.

3.4 Enable CDN for the domain

After you add a domain name to Alibaba Cloud Content Delivery Network (CDN), Alibaba Cloud CDN assigns a canonical name (CNAME) to the domain name. To enable the Alibaba Cloud CDN service for the domain name, you must add a CNAME record to map the domain name to the CNAME. This way, requests that are sent to the domain name can be redirected to CDN nodes.

You can make this DNS change to verify CDN working properly. Since we will configure Anti-DDoS in next step to connect to Anti-DDoS service, we don't need this DNS change after verifying CDN function.

Step 4: Configure Anti-DDoS Pro

Alibaba Cloud offers multiple anti-DDoS products. In the table below, you can find the products and their major difference.

10

Anti-DDoS Origin is a Cloud native protection which you can enable without the efforts to redirect traffic outside to scrubbing center. It is the most convenient and recommended protection. Anti-DDoS origin BGP diversion is the most powerful tool when you are facing volumetric attack and in-place protection from Anti-DDoS origin cannot protect against the attacking bandwidth. Customer can use BGP announcement to reroute traffic to Alibaba Cloud scrubbing center.

Anti-DDoS service is regular service which use DNS redirect to reroute traffic to Alibaba Cloud scrubbing center. There are two version of Anti-DDoS service. Service area for Anti-DDoS Pro is Mainland China and service area for Anti-DDoS Premium is outside of Mainland China. Alibaba Cloud scrubbing center has 10 Tbps capacity.

In this instruction, we choose to use Anti-DDoS Pro service as our website origin is built in VPC in Mainland China and majority end users are from Mainland China.

4.1 Purchase Anti-DDoS Pro

Logon to Alibaba Cloud Console, search 'Anti-DDoS Pro' at Products and Services and go to Anti-DDoS Pro console. Under Assets -> Instances, click Purchase Instances.

11

You need to choose the followings to make the purchase:

  1. Basic protection - this is the basic mitigation capacity which you prepay to get the right size of protection.
  2. Burstable protection - this is the maximum mitigation capacity you get.
  3. Business scale - this is the bandwidth capacity of your online business.
  4. Standard function or enhanced function
  5. Number of domains to be protected
  6. Clean QPS
  7. Number of Ports to be protected

4.2 Add your domains into protection

Go to Anti-DDoS Pro console and click Website Config under Provisioning, click Add Domain.

You need to choose function plan first, according to the table below.

12

Detail instruction on how to add domains can be found https://www.alibabacloud.com/help/doc-detail/143347.htm

Choose 'Origin Server Domain' as Server IP and use CDN CNAME which we configured in last step as the domain name.

13

4.3 (Optional) For non-web-based application, create port forwarding rule. https://www.alibabacloud.com/help/doc-detail/143349.htm

4.4 Configure protection policies, general policies and custom policies. https://www.alibabacloud.com/help/doc-detail/116704.htm

4.5 Reroute traffic to Anti-DDoS scrubbing center. If you want to use always-on mode of Anti-DDoS service, you can change your domain CNAME DNS record by using Anti-DDoS CNAME. You can also choose to make the change when attacks occur which is called standby mode.

If your origin server uses Alibaba Cloud service, like Elastic IP and CDN, you can use Sec-Traffic Manger to manage automatic Anti-DDoS protection when needed.

In this instruction, we have CDN enabled and we choose to use watch mode. We use Sec-Traffic Manager to enable interactions between Anti-DDoS Pro and CDN. If no attacks occur, normal traffic is directly forwarded to CDN service without increasing latency. If attacks occur, traffic is switched to Anti-DDoS Pro for scrubbing and forwarding.

As showed in below screenshot, Anti-DDoS can be triggered when request per second to CDN service is over 1000.

14

Then we change the domain DNS CNAME to Sec-Traffic Manager CNAME as showed in the screenshot below.

15

So, we have finished the configuration of this multi-layer protection solution which use Cloud firewall, WAF, CDN and Anti-DDoS together. In your real project, you can choose use all of the protections or some of the protections. Please let us know if you have any comments to this step-by-step guide.

0 2 0
Share on

Alibaba Clouder

2,599 posts | 758 followers

You may also like

Comments