Analysis of Alibaba Cloud CDN Security Capabilities
Posted time: Jul 16, 2021 23:38 PM
After more than ten years of technical development, Alibaba Cloud CDN has gradually built a secure network protection system that combines edge and cloud features. These features include full-procedure secure transmission, edge defense against common attacks, and enterprise-level dedicated resource deployment, O&M, and content security protection mechanisms. With these features, Alibaba Cloud CDN builds a secure network operation environment for enterprises to enter foreign markets.
Two core scenarios exist for CDN security protection: bandwidth congestion and resource exhaustion.
Edge Security System Based on Alibaba Cloud CDN and Cloud Security
An edge security system built on Alibaba Cloud CDN offers more than acceleration, but acceleration is the foundation of the overall solution. Alibaba Cloud Dynamic Route for CDN (DCDN) improves acceleration for hybrid static and dynamic sites through core technologies such as automatic static/dynamic separation, intelligent routing, and private protocol transmission.
On top of acceleration, the system offers customers security capabilities in six areas: edge application layer security, network layer DDoS defense, content anti-tampering, full-procedure HTTPS transmission, high availability security, and security compliance. The system secures the entire path of the customer's business traffic, from its entry into the CDN product system to its return to the customer's origin server, and so ensures secure acceleration of enterprise Internet businesses.
Edge Security Protection
Alibaba Cloud CDN builds a full set of enterprise-level edge security capabilities, including DDoS mitigation, WAF, frequency control, IP/region blocking, machine traffic management, and precise access control, providing full-stack protection from the network layer to the application layer. This ensures the stability and security of customers' online services without sacrificing the acceleration performance of websites.
Each year, the Alibaba Cloud Security Center detects nearly one million DDoS attacks on the cloud. Application-layer DDoS attacks (CC attacks) have become a common type of attack, with more varied and complex attack methods. Issues related to web application security still account for a large proportion. From the disclosure of user information to consumer carnival, the security level of every industry and every web application is being tested all the time. To increase the security and reliability of network platforms that host data transmission, Alibaba Cloud CDN constantly works to increase its security capabilities.
1. DDoS Mitigation
CDN and Anti-DDoS Premium can be used together to deliver content. When a DDoS attack occurs, the traffic in areas where DDoS attacks occur can be scheduled to Anti-DDoS Premium, which scrubs the traffic and protects the quality of your services effectively. This coordinated solution can effectively scrub high-volume DDoS traffic and defend against flood-type attacks, such as SYN, ACK, ICMP, UDP, NTP, SSDP, and DNS. In addition, based on the computing capabilities and deep learning algorithms of the Alibaba Cloud Apsara platform, intelligent DDoS attack prediction is used to switch traffic over to Anti-DDoS Premium smoothly without affecting business operation.
2. Bot Traffic Management
CDN uses the malicious IP and fingerprint libraries built by Alibaba Group to deal with malicious web crawlers. It uses machine learning capabilities tailored to business risks and customized crawler models to mitigate the impact of web crawlers and automated tools on website businesses. This ensures data security and protects the core business value of enterprises.
3. Frequency Limiting
When the response time of your website is increased due to CC attacks, the frequency limiting feature can block specific requests sent to your website within seconds and improve the security of your website. Frequency limiting protects your website URL from suspicious requests that exceed a set threshold. It supports a wide variety of monitoring objects and is configured with custom rules to define an appropriate access threshold. Once the set request threshold is reached, custom responses are triggered, and frequent access requests are handled through a variety of means, such as blocking or challenging.
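The threshold-and-response behaviour described above can be sketched as a sliding-window counter. This is an added example, not Alibaba Cloud code; the class name, the monitoring object (client IP plus URL path), the penalty period, and the sample traffic are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque


class FrequencyLimiter:
    """Sliding-window counter keyed by a monitoring object (client IP + URL path)."""

    def __init__(self, threshold, window_seconds, action="block", penalty_seconds=60):
        self.threshold = threshold        # requests allowed per window
        self.window = window_seconds
        self.action = action              # response once the threshold is exceeded
        self.penalty = penalty_seconds    # how long the action stays in force
        self.hits = defaultdict(deque)    # key -> timestamps inside the window
        self.penalized_until = {}         # key -> time at which the penalty ends

    def check(self, client_ip, path, now=None):
        now = time.monotonic() if now is None else now
        key = (client_ip, path)
        # A key that already tripped the rule keeps receiving the action.
        if self.penalized_until.get(key, 0) > now:
            return self.action
        stamps = self.hits[key]
        stamps.append(now)
        # Discard timestamps that have aged out of the window.
        while stamps and stamps[0] <= now - self.window:
            stamps.popleft()
        if len(stamps) > self.threshold:
            self.penalized_until[key] = now + self.penalty
            stamps.clear()
            return self.action
        return "allow"


def replay(limiter, events):
    """Run (timestamp, ip, path) tuples through the limiter and return the decisions."""
    return [limiter.check(ip, path, now=ts) for ts, ip, path in events]


if __name__ == "__main__":
    # Constructed traffic: one client sends 8 requests to /login in under a second,
    # another client sends a single request to the same URL.
    burst = [(i * 0.1, "203.0.113.7", "/login") for i in range(8)]
    other = [(0.9, "198.51.100.20", "/login")]
    limiter = FrequencyLimiter(threshold=5, window_seconds=10, action="challenge")
    for event, decision in zip(burst + other, replay(limiter, burst + other)):
        print(event, "->", decision)
```
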
4. IP/Region Blocking
Alibaba Cloud CDN allows you to configure an IP address blacklist or whitelist to identify and filter users. This helps you control access to CDN resources and improve resource security. You can also use the country blacklist and whitelist to block access requests from specific regions and address frequent malicious access requests from some regions.
5. Precise Access Control
Custom match conditions enable precise access control. A match condition can check common HTTP fields, such as IP, URL, and header, to meet the customized requirements of business scenarios. Rules describe the access requests to capture by combining a rich set of request fields with various match conditions. Once a request matches, the operation defined in the rule, such as challenging, observing, or blocking, is triggered to achieve precise access control.
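The IP and region blacklists and the field-matching rules described above can be expressed in one rule evaluator. This is an added example, not Alibaba Cloud's rule syntax; the operator names, the first-match ordering, the pre-resolved `country` field, and the sample rules are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    conditions: list   # (field, operator, value) tuples; all must match
    action: str        # "block", "challenge" or "observe"

def field_value(request, field):
    # "header:<name>" reads a header (names are case-insensitive); other fields are top-level.
    if field.startswith("header:"):
        headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
        return headers.get(field[len("header:"):].lower(), "")
    return request.get(field, "")

def matches(request, condition):
    field, op, value = condition
    actual = field_value(request, field)
    if op == "in_cidr":
        addr = ipaddress.ip_address(actual)
        return any(addr in ipaddress.ip_network(net) for net in value)
    if op == "in":
        return actual in value
    if op == "prefix":
        return actual.startswith(value)
    if op == "regex":
        return re.search(value, actual) is not None
    raise ValueError(f"unknown operator: {op}")

def evaluate(request, rules):
    """Return (action, matched rule names); observe rules record the match and continue."""
    observed = []
    for rule in rules:
        if all(matches(request, c) for c in rule.conditions):
            if rule.action != "observe":
                return rule.action, observed + [rule.name]
            observed.append(rule.name)
    return "allow", observed

# Constructed rule set; "ZZ" is a placeholder country code.
RULES = [
    Rule("ip-blacklist", [("ip", "in_cidr", ["203.0.113.0/24"])], "block"),
    Rule("region-blacklist", [("country", "in", ["ZZ"])], "block"),
    Rule("api-no-referer", [("url", "prefix", "/api/"), ("header:referer", "in", [""])], "observe"),
    Rule("scripted-login", [("url", "prefix", "/login"),
                            ("header:user-agent", "regex", r"(?i)^(curl|python-requests)/")], "challenge"),
]
```

Observe rules are useful for trialling a new condition: the match is recorded for review while the request is still served.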
Due to CDN's distributed architecture, users can obtain content by accessing a nearby edge node, which effectively hides the origin IP address and mitigates the access pressure on the origin server. When large-scale malicious attacks strike, edge nodes can be used as the first line of defense. This disperses the attack intensity and completes edge protection using the preceding security capabilities.
CDN also integrates the cloud WAF capability to implement the last-layer protection for the origin server. WAF performs malicious feature identification and protection on the back-to-origin business traffic. It also forwards normal traffic back to the server to avoid malicious intrusion against the website server, ensure the security of the core data of the enterprise's business, and resolve server performance exceptions caused by malicious attacks. CDN WAF provides virtual patches to fix the latest known website vulnerabilities to the maximum extent. CDN WAF can respond and fix vulnerabilities quickly by relying on cloud security.
Tampering Prevention Capability
CDN provides enterprise-level full-procedure tampering prevention capabilities for HTTPS links and node content to ensure transmission security between the origin server and the client. The HTTPS protocol protects links from being hijacked by intermediate sources, whereas the nodes verify the consistency of the source file. If the content of the source file is deemed inconsistent, the file will be deleted. Then, its original copy will be pulled from the source before being distributed. This complete solution ensures content security on the origin server, links, CDN nodes, and clients, providing higher transmission security.
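The node-side consistency check described above (verify, delete on mismatch, pull again from the source) can be sketched as follows. This is an added example, not Alibaba Cloud code; it assumes the origin publishes a SHA-256 digest with each object, and the class, function names, and sample content are hypothetical.

```python
import hashlib
import hmac


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class EdgeNode:
    """Cache that checks each stored object against the digest published by the origin."""

    def __init__(self, fetch_from_origin):
        self.fetch = fetch_from_origin   # callable(path) -> (body bytes, sha256 hex digest)
        self.cache = {}                  # path -> (body, digest recorded at fill time)
        self.events = []                 # audit trail of fills and detected mismatches

    def _fill(self, path):
        body, digest = self.fetch(path)
        # Reject a fill whose body does not match the digest the origin announced.
        if not hmac.compare_digest(sha256_hex(body), digest):
            raise ValueError(f"origin digest mismatch for {path}")
        self.cache[path] = (body, digest)
        self.events.append(("fill", path))
        return body

    def serve(self, path):
        if path not in self.cache:
            return self._fill(path)
        body, digest = self.cache[path]
        if hmac.compare_digest(sha256_hex(body), digest):
            return body
        # Cached copy is inconsistent with the source: delete it and pull a fresh copy.
        self.events.append(("mismatch", path))
        del self.cache[path]
        return self._fill(path)


# Constructed origin content for the demonstration.
ORIGIN = {"/static/app.js": b"console.log('v1');"}


def origin_fetch(path):
    body = ORIGIN[path]
    return body, sha256_hex(body)
```

The check only helps if the reference digest is stored where whoever alters the cached body cannot also rewrite it, so a real node would keep digests separate from the object store.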
Exclusive CDN Resources to Improve Enterprise Security
CDN also provides exclusive resources for large enterprises in security-demanding scenarios: