×
Community Blog Improving "Immunity" for Enterprises to Enter Foreign Markets – An Analysis of Alibaba Cloud CDN Security Capabilities

Improving "Immunity" for Enterprises to Enter Foreign Markets – An Analysis of Alibaba Cloud CDN Security Capabilities

This article analyzes the security capabilities of Alibaba Cloud CDN in different scenarios.

By Alibaba Cloud CDN Team

The trends of industrial digitization and intellectualization are deepening day by day with the rapid development and application of information technology. The information security and protection of enterprises have risen to an unprecedented level.

After more than ten years of technical development, Alibaba Cloud CDN has gradually built a secure network protection system that combines edge and cloud features. These features include full-procedure secure transmission, edge defense against common attacks, and enterprise-level dedicated resource deployment, O&M, and content security protection mechanisms. With these features, Alibaba Cloud CDN builds a secure network operation environment for enterprises to enter foreign markets.

Two core scenarios exist for CDN security protection: bandwidth congestion and resource exhaustion.

  • For attack scenarios, such as congestion of limited bandwidth, the traffic needs to be held. CDN is rich in node resources. A distributed network can spread attacks to different edge nodes and send the malicious traffic back to the server after scrubbing.
  • For attack scenarios, such as exhaustion of limited resources, it is necessary to see the attacks quickly and block the corresponding features. CDN alone cannot solve this problem efficiently. Users must configure the CDN node to detect DDoS attacks accurately and schedule the attacks automatically to Anti-DDoS Premium for traffic scrubbing. So, users need to purchase Anti-DDoS Premium.

Edge Security System Based on Alibaba Cloud CDN and Cloud Security

1

The core of an edge security system built based on Alibaba Cloud CDN is more than acceleration only. Acceleration is the foundation of the overall solution. Relying on Alibaba Cloud Dynamic Route for CDN (DCDN), the acceleration effect of static and dynamic hybrid sites is improved through core technologies, such as automatic static/dynamic separation, intelligent routing, and private protocol transmission.

Based on the acceleration, the system offers customers security capabilities in six aspects: edge application layer security, network layer DDoS defense, content anti-tampering, full-procedure HTTPS transmission, high availability security, and security compliance. The system ensures the security for the entire procedure from the customer's business traffic into the CDN product system and back to the customer's origin server. Thus, it ensures the security acceleration of enterprise Internet businesses.

Edge Security Protection

Alibaba Cloud CDN builds a full set of enterprise-level edge security capabilities, including DDoS mitigation, WAF, frequency control, IP/region blocking, machine traffic management, and precise access control, providing full-stack protection from the network layer to the application layer. This ensures the stability and security of customers' online services without sacrificing the acceleration performance of websites.

Each year, the Alibaba Cloud Security Center detects nearly one million DDoS attacks on the cloud. Application-layer DDoS (CC attacks) has become a common type of attack, with more varied and complex attack methods. Issues related to web application security still account for a large proportion. From the disclosure of user information to consumer carnival, the security level of every industry and every web application is being tested all the time. To increase the security and reliability of network platforms that host data transmission, Alibaba Cloud CDN constantly works to increase its security capabilities.

1. DDoS Mitigation

CDN and Anti-DDoS Premium can be used together to deliver content. When a DDoS attack occurs, the traffic in areas where DDoS attacks occur can be scheduled to Anti-DDoS Premium, which scrubs the traffic and protects the quality of your services effectively. This coordinated solution can effectively scrub high-volume DDoS traffic and defend against flood-type attacks, such as SYN, ACK, ICMP, UDP, NTP, SSDP, and DNS. In addition, based on the computing capabilities and deep learning algorithms of the Alibaba Cloud Apsara platform, intelligent DDoS attack prediction is used to switch traffic over to Anti-DDoS Premium smoothly without affecting business operation.

2. Bot Traffic Management

CDN uses the malicious IP and fingerprint libraries built by Alibaba Group to deal with malicious web crawlers. It uses machine learning capabilities tailored to business risks and customized crawler models to mitigate the impact of web crawlers and automated tools on website businesses. This ensures data security and protects the core business value of enterprises.

3. Frequency Limiting

When the response time of your website is increased due to CC attacks, the frequency limiting feature can block specific requests sent to your website within seconds and improve the security of your website. Frequency limiting protects your website URL from suspicious requests that exceed a set threshold. It supports a wide variety of monitoring objects and is configured with custom rules to define an appropriate access threshold. Once the set request threshold is reached, custom responses are triggered, and frequent access requests are handled through a variety of means, such as blocking or challenging.

4. IP/Geo-Blocking

Alibaba Cloud CDN allows you to configure an IP address blacklist or whitelist to identify and filter users. This helps you control access to CDN resources and improve resource security. You can also use the country blacklist and whitelist to block access requests from specific regions and resolve the highly frequent malicious access requests in some regions.

5. Precise Access Control

Custom match conditions are enabled to implement precise access control. The matching condition can check common HTTP fields, such as IP, URL, and header, to meet the customized requirements of business scenarios. This function describes the access requests to be captured by supporting rich request fields and defining various matching conditions. Once a request is matched, the operations defined in the rule are triggered to achieve precise access control, such as challenging, observing, and blocking.

6. WAF

Due to CDN's distributed architecture, users can obtain content by accessing a nearby edge node, which effectively hides the origin IP address and mitigates the access pressure on the origin server. When large-scale malicious attacks strike, edge nodes can be used as the first line of defense. This disperses the attack intensity and completes edge protection using the preceding security capabilities.

CDN also integrates the cloud WAF capability to implement the last-layer protection for the origin server. WAF performs malicious feature identification and protection on the back-to-origin business traffic. It also forwards normal traffic back to the server to avoid malicious intrusion against the website server, ensure the security of the core data of the enterprise's business, and resolve server performance exceptions caused by malicious attacks. CDN WAF provides virtual patches to fix the latest known website vulnerabilities to the maximum extent. CDN WAF can respond and fix vulnerabilities quickly by relying on cloud security.

Tampering Prevention Capability

CDN provides enterprise-level full-procedure tampering prevention capabilities for HTTPS links and node content to ensure transmission security between the origin server and the client. The HTTPS protocol protects links from being hijacked by intermediate sources, whereas the nodes verify the consistency of the source file. If the content of the source file is deemed inconsistent, the file will be deleted. Then, its original copy will be pulled from the source before being distributed. This complete solution ensures content security on the origin server, links, CDN nodes, and clients, providing higher transmission security.

2

Exclusive CDN Resources to Improve Enterprise Security

CDN also provides exclusive resources for large enterprises in security-demanding scenarios:

  • CDN allows you to physically isolate secure acceleration nodes and build them independently. It highly integrates security functions and provides single-node, advanced anti-DDoS protection.
  • CDN provides exclusive IP resources to protect your businesses against security risks and prevent the impact of attacks on other users' businesses.
  • CDN supports the independent scheduling of domains by a single user. This means DNS attacks on one user do not affect other users. It allows CDN to defend against DNS Flood-type attacks with millions of QPS.

Assurance for Content and Platform "Production" Security Baseline

Compliance of Platform Content

Based on AI and a large number of sample sets, Alibaba Cloud CDN uses deep learning to train a recognition model that can identify indecent and explicit content in accelerated images accurately. Multi-level identification and flexible management and control solutions are supported for selection based on your needs. The overall detection accuracy of CDN exceeds 99%. CDN can replace 90% of manual reviews and reduce the risk of violations significantly.

Convenience and Security in O&M

By simplifying the security acceleration architecture, CDN allows O&M personnel to perform the all-in-one self-service configuration and API control. This allows them to implement routine attack monitoring and alerting, full-procedure troubleshooting, automatic protection, and real-time viewing of full data logs. At the same time, the escort and major event response system designed for large-scale promotional activities can help enterprises protect their applications against security risks and ensure system stability.

In addition to the technologies mentioned above, CDN is compliant with Level 3 of GB/T 22239-2019, ISO9001, PCI-DSS, and other standards. Its network security, data security, and service security capabilities have been recognized by leading global authorities.

Industry Application Cases

Enterprise Website: Aviation Promotion

A well-known airlines in Asia holds a large ticket sales promotion each quarter. The airline can block malicious ticket requests quickly with Alibaba Cloud CDN and WAF. Through long-term and continuous analysis of seat occupancy during the promotion period, the pressure of seat occupation rates is reduced to a relatively low level to ensure stable revenue for the airline.

Gaming Company: New Game Entering Foreign Markets

This company is a dark horse among all other Chinese gaming companies that enter foreign markets. This enterprise uses Alibaba Cloud DCDN to integrate an ultra-large user experience, allowing users to replace all Border Gateway Protocol (BGP) network resources of their source servers with a single operating network. The bandwidth cost of the source server is reduced by more than 50%.

Additional Resources

If you want to learn more, you can hear what Shen Zhenhui, an expert on Alibaba Cloud intelligence products, has to say about this in his session at the Alibaba Cloud Summit 2021: Accelerating Business with New Native Security in CDN

You can also learn more about Alibaba Cloud secure DCDN solution at: https://www.alibabacloud.com/solutions/content-delivery/secure-dcdn

Disclaimer: The views expressed herein are for reference only and don't necessarily represent the official views of Alibaba Cloud.

0 0 0
Share on

Alibaba Clouder

2,599 posts | 764 followers

You may also like

Comments

Alibaba Clouder

2,599 posts | 764 followers

Related Products