
CDN:Prevent data transmission abuse

Last Updated:Sep 12, 2024

If your domain name is attacked or abused for data transmission, high bandwidth consumption or traffic spikes occur. In this case, you receive bills that are higher than expected. High bills that are generated by malicious attacks or data transmission abuse cannot be waived or refunded. This topic describes how to prevent data transmission abuse.

Minimize losses at the earliest opportunity

If your domain name is attacked or abused for data transmission, and you receive bills that are higher than expected, you need to specify a bandwidth cap and configure traffic throttling for individual requests to reduce further losses. Then, you can analyze the logs and configure security settings accordingly.

Limit bandwidth usage

You can specify a bandwidth cap to limit the amount of bandwidth that can be consumed. If the average bandwidth of a domain name in a statistical period (1 minute) reaches the specified cap, the system suspends Alibaba Cloud CDN services for the domain name and resolves the domain name to offline.***.com, which is considered invalid. In this case, the domain name becomes inaccessible. Therefore, reserve extra headroom above your daily peak bandwidth when you specify a bandwidth cap. For more information, see Configure bandwidth caps.


Limit the downstream speed

Traffic throttling for individual requests limits the downstream speed of each request between POPs and clients. This way, you can limit the overall peak bandwidth of the accelerated domain name. For more information, see Configure traffic throttling for individual requests.


Troubleshooting

Query billing details to locate the time period during which traffic is abnormal

You can view the billing details of cloud services on the Billing Details tab. Select a statistical dimension and a statistical period to view reports based on different dimensions. For more information, see Billing details.

Select CDN from the Product drop-down list, set Statistic Period to Billing Period, review the bills, and pay attention to the abnormal increase in traffic and bandwidth, and the time period during which traffic is abnormal. For more information, see Query bills.

Check logs to identify abnormal traffic

Basic query: offline logs

You can download offline logs to view the access logs of the relevant time period, analyze the details of HTTP requests, and identify suspicious IP addresses and User-Agent headers. Offline logs contain a small number of fields. If you want to view more detailed data, you can use the real-time logs feature.

After you obtain offline logs, you can use command-line interfaces (CLIs) to parse logs and extract information such as the top 10 IP addresses or User-Agent headers. For more information, see Analysis Method of Alibaba Cloud Content Delivery Network Access Log.
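As an added example (not code from the Alibaba Cloud documentation), the following Python script performs the kind of extraction described above on constructed access log lines: top client IPs and User-Agents, bytes served per IP, and the busiest IP in any 60-second bucket. The log layout, field names and IP addresses are assumptions, so adjust LOG_RE to the real field order of your offline logs.

```python
# Added example, not from the Alibaba Cloud documentation: parse access log lines and extract
# the features the text refers to (top client IPs and User-Agents, bytes served per IP, and the
# busiest IP in any 60-second bucket). The log layout is CONSTRUCTED; adjust LOG_RE to yours.
from collections import Counter
from datetime import datetime
import re

LOG_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<ip>\S+) "(?P<method>\S+) (?P<url>\S+)" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Return a dict of fields, or None for a line that does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes"] = int(rec["bytes"])
    return rec

def top_n(records, field, n=10):
    """Most frequent values of `field` ('ip' or 'ua'); an empty User-Agent shows up as ''."""
    return Counter(r[field] for r in records).most_common(n)

def top_bytes(records, n=10):  # IPs ranked by bytes served, which is what drives the bill
    total = Counter()
    for r in records:
        total[r["ip"]] += r["bytes"]
    return total.most_common(n)

def peak_per_minute(records, field="ip"):
    """Highest request count from one value of `field` in any 60 s bucket: compare this
    between a normal and an attacked period when choosing a rate-limit threshold."""
    buckets = Counter((r[field], int(r["ts"].timestamp()) // 60) for r in records)
    (value, _), count = max(buckets.items(), key=lambda kv: kv[1])
    return value, count

# Constructed sample: a scraper sending an empty User-Agent, plus one ordinary browser visitor.
SAMPLE_LOG = [f'[12/Sep/2024:10:00:{s:02d} +0800] 203.0.113.5 "GET http://example.com/api/list" '
              '200 52000 ""' for s in range(0, 60, 10)] + [
    '[12/Sep/2024:10:00:05 +0800] 198.51.100.7 "GET http://example.com/index.html" 200 3100 '
    '"Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"',
    '[12/Sep/2024:10:01:07 +0800] 198.51.100.7 "GET http://example.com/logo.png" 200 8800 '
    '"Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"',
]

def analyze(lines):
    records = [r for r in map(parse_line, lines) if r]
    return {"top_ip": top_n(records, "ip", 3), "top_ua": top_n(records, "ua", 3),
            "top_bytes": top_bytes(records, 3), "peak_ip_per_min": peak_per_minute(records)}
```

Run analyze(SAMPLE_LOG) to see the four summaries; on real logs, feed the file's lines in and raise n.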

Advanced query: operations reports and real-time logs

Important
  • You need to create a custom operations report to generate statistical data for analysis. If you have configured real-time log delivery or subscribed to operations reports, you can view logs of the corresponding periods. The operations report feature is provided by Alibaba Cloud CDN and is free of charge.

  • You need to activate Simple Log Service (SLS) and deliver logs before real-time logs are generated. Real-time logs are a paid feature. For more information, see Billing rules.

  • You need to configure real-time logs and operations reports before you can use them for troubleshooting. Otherwise, you can use only offline logs to analyze historical data.

Operations reports

After you create a custom operations report, you can view the following metrics: PV/UV, Regions and ISPs, Domain Name Ranking, Popular Referer Headers, Popular URLs, Popular Origin URLs, and Top Client IPs. For more information, see Create a custom operations report and a tracking task.


Real-time logs

If you want to query more information, such as Referer headers and URIs, you need to activate SLS to deliver collected real-time logs to SLS. After you enable the real-time log delivery feature, you are charged for log entries that are delivered to SLS.

  1. Configure real-time log delivery for the domain name for which you want to analyze the user access data. For more information, see Real-time log delivery.

  2. On the Real-time Logs page, find the project whose logs you want to analyze and click Log analysis in the Actions column.


  3. On the log analysis page, select a time period in the upper-right corner, click the Raw Logs tab, and find the refer_domain field. You can view the Referer headers in descending order.


Solutions

After you obtain logs or report data, you can analyze the attack types based on data features. In most cases, you can analyze the top information, such as top IP addresses, top User-Agent headers, and top Referer headers, to extract features.

Restrict access from suspicious IP addresses

You can configure an IP address blacklist to restrict access from specific IP addresses. After you analyze the logs and identify some suspicious attack IP addresses, you need to add the IP addresses to the blacklist. For more information, see Configure an IP address blacklist or whitelist.


Filter suspicious User-Agent headers

Attackers attempt to bypass security checks by using forged User-Agent headers to send a large number of requests. A forged User-Agent header may be a null value, a random string, or a forged string for common browsers. You can configure a User-Agent whitelist or blacklist to reject requests that contain an abnormal User-Agent header. For example, you can use the this-is-empty-ua and RandomString parameters to reject User-Agent headers that are empty or contain invalid random strings. For more information, see Configure a User-Agent blacklist or whitelist.


Add suspicious Referer headers to the blacklist

Attackers forge Referer headers in requests to impersonate legitimate reference sources and initiate malicious requests. You can configure a Referer blacklist or whitelist to allow requests that contain legitimate Referer headers, prevent links to resources from unauthorized third-party websites, and reject requests that contain malicious Referer headers. In the Rules field, enter the abnormal Referer headers that are found from logs. We recommend that you select Ignore Scheme in Advanced Settings. For more information, see Configure a Referer whitelist or blacklist to enable hotlink protection.


Upgrade from Alibaba Cloud CDN to DCDN and enable the WAF feature

We recommend that you upgrade from Alibaba Cloud CDN to Dynamic Content Delivery Network (DCDN) for your domain name and enable the Web Application Firewall (WAF) feature. DCDN provides application acceleration, edge computing, and security protection capabilities. WAF allows you to configure protection rules, such as IP address blacklist and whitelist, rate limiting, bot management, HTTP flood protection, and region blacklist, to block malicious requests and prevent high bills for abnormal traffic.

  1. Upgrade to DCDN for your domain name. For more information, see Upgrade from Alibaba Cloud CDN to DCDN for your domain name. Alibaba Cloud CDN charges the fees that are generated before the upgrade. DCDN charges the fees that are generated after the upgrade.

  2. After you upgrade to DCDN, enable WAF. For more information, see Enable WAF.

  3. Purchase a WAF resource plan. WAF uses security capacity units (SeCUs) as the billing unit and supports the pay-as-you-go and subscription billing methods. For more information, see Billing of WAF (new version).

    Note

    To purchase a WAF plan (new version), go to the buy page.

Configure WAF protection rules

Configure HTTP flood protection

For more information, see Configure custom protection policies.

A sudden increase in API calls triggers an alert. In the real-time logs, an operation is called more than 3,000 times from a single IP address in 60 seconds during the attack period, whereas during a normal period the same operation is called at most 100 times from an IP address in 60 seconds. Set the maximum number of times that an operation can be called from an IP address in 60 seconds to 2 to 3 times the number observed when the domain name is not attacked.

Note
  • You need to view real-time logs, locate the attacked resources, and then compare the access frequency between the attacked period and the period in which the domain name is not attacked. If there is a difference, you can configure a protection policy.

  • In most cases, your own servers call operations to request resources over the Internet. If requests from internal IP addresses are frequent, add a match condition that excludes those IP addresses from the rule.

  • You need to specify custom URIs to protect and the thresholds for triggering protection based on your workloads and the access frequency of attackers in the real-time logs. The following example describes how to configure a rule.


The rule in this example uses the following parameters and values:

  • Rule Name: The name of the custom rule. The name can contain letters, digits, and underscores (_), and can be up to 64 characters in length.

  • Match Condition: If the requested URI contains / and the IP address is not the desired IP address, the request matches the rule. Example:
    • Select URI for Match Field, Contains for Logical Operator, and then enter / in the Match Content field.
    • Select IP for Match Field, Does Not Belong To for Logical Operator, and then enter the desired IP address in the Match Content field.

  • Rate Limiting, Statistical Object, Statistical Interval (s), Threshold, and Status Code: If a client IP address matches the match condition more than 300 times in 60 seconds, the client IP address is added to the blacklist. Example:
    • Rate Limiting: Turn on Rate Limiting.
    • Statistical Object: Select IP.
    • Statistical Interval (s): Enter 60.
    • Threshold: Enter 300.
    • Status Code: Disabled.

  • Apply To, Blacklist Timeout Period (s), and Action: All requests that meet the rate limiting condition are blocked for 3,600 seconds. Example:
    • Apply To: Select Current Domain Name.
    • Blacklist Timeout Period (s): Enter 3600.
    • Action: Select Block.

Block requests that contain abnormal User-Agent headers

For more information, see Configure custom protection policies.

Note
  • In most cases, the User-Agent header is empty in requests from applications. In this case, you do not need to use this policy.

  • If the value of a User-Agent header is an application name, you need to add the name of the application that is used in your business to the match content.


The rule in this example uses the following parameters and values:

  • Rule Name: The name of the custom rule. The name can contain letters, digits, and underscores (_), and can be up to 64 characters in length.

  • Match Condition: If the User-Agent header in a request does not contain Android,iPhone,iPad,Mac,Windows,Linux, the request is blocked. Example:
    • Select User-Agent for Match Field.
    • Select Does Not Equal Any Value for Logical Operator.
    • Enter Android,iPhone,iPad,Mac,Windows,Linux in the Match Content field.

  • Rate Limiting: Disabled.

  • Action: Select Block.

Enable bandwidth throttling for requests that contain abnormal User-Agent headers

For more information, see Configure custom protection policies.

Frequent access to a domain name or an API operation by attackers results in a sudden increase in traffic fees. In this case, you check the real-time logs and find that the requests come from scattered IP addresses but carry similar User-Agent headers. When the domain name is not attacked, the number of requests that carry the same User-Agent header is far smaller than when the domain name is attacked.

Note

You need to specify custom protected URIs and the thresholds for triggering protection based on your workloads and the characteristics and access frequency of attackers in the real-time logs. The following example describes how to configure a rule.


The rule in this example uses the following parameters and values:

  • Rule Name: The name of the custom rule. The name can contain letters, digits, and underscores (_), and can be up to 64 characters in length.

  • Match Condition: If the requested URI contains /, the request matches the rule. Example:
    • Select URI for Match Field.
    • Select Contains for Logical Operator.
    • Enter / in the Match Content field.

  • Rate Limiting, Statistical Object, Statistical Interval (s), Threshold, and Status Code: If a request contains a User-Agent header, and the User-Agent header matches the match condition more than 400 times in 60 seconds, the IP address that initiated the request is added to the blacklist. Example:
    • Rate Limiting: Turn on Rate Limiting.
    • Statistical Object: Select Custom Header and enter User-Agent.
    • Statistical Interval (s): Enter 60.
    • Threshold: Enter 400.
    • Status Code: Disabled.

  • Apply To, Blacklist Timeout Period (s), and Action: All requests that meet the rate limiting condition are blocked for 1,800 seconds. Example:
    • Apply To: Select Current Domain Name.
    • Blacklist Timeout Period (s): Enter 1800.
    • Action: Select Block.
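The following Python script is an added example, not Alibaba Cloud or WAF code: it models the three custom protection policies configured above (the per-IP HTTP flood rule with a 300/60 s threshold and 3,600 s blacklist, the User-Agent match rule, and the per-User-Agent rule with a 400/60 s threshold and 1,800 s blacklist) on constructed traffic, so you can see what the thresholds and blacklist timeouts do before deploying them. The sliding window, the request fields and the IP addresses are assumptions; the WAF's own counting may differ.

```python
# Added example, not Alibaba Cloud or WAF code: an offline model of the three custom protection
# policies above. Assumed: a sliding window (the WAF may count differently); traffic is constructed.
from collections import defaultdict, deque
PLATFORM_TOKENS = ("Android", "iPhone", "iPad", "Mac", "Windows", "Linux")

class RateLimitRule:
    """Count hits per statistical object; above `threshold` in `interval` s, blacklist the client."""
    def __init__(self, match, stat_key, block_key, threshold, interval, timeout):
        self.match, self.stat_key, self.block_key = match, stat_key, block_key
        self.threshold, self.interval, self.timeout = threshold, interval, timeout
        self.hits = defaultdict(deque)  # statistical object -> timestamps of matching hits
        self.blocked_until = {}         # block key -> expiry time of its blacklist entry

    def check(self, req):
        if self.blocked_until.get(self.block_key(req), 0) > req["t"]:
            return "block"                          # still inside the blacklist timeout
        if not self.match(req):
            return "allow"
        q = self.hits[self.stat_key(req)]
        q.append(req["t"])
        while q[0] <= req["t"] - self.interval:     # discard hits older than the window
            q.popleft()
        if len(q) > self.threshold:
            self.blocked_until[self.block_key(req)] = req["t"] + self.timeout
            return "block"
        return "allow"

def ua_allowed(req):  # policy 2: drop User-Agents that contain none of the platform tokens
    return any(tok in req["ua"] for tok in PLATFORM_TOKENS)

def build_policies(trusted_ips):
    ip, ua = (lambda r: r["ip"]), (lambda r: r["ua"])
    return [RateLimitRule(lambda r: "/" in r["uri"] and r["ip"] not in trusted_ips,
                          ip, ip, threshold=300, interval=60, timeout=3600),  # policy 1
            RateLimitRule(lambda r: "/" in r["uri"], ua, ip, 400, 60, 1800)]   # policy 3

def simulate(requests, trusted_ips=frozenset()):
    """Replay time-ordered requests; return one 'allow'/'block' decision per request."""
    policies, decisions = build_policies(trusted_ips), []
    for r in requests:
        results = [p.check(r) for p in policies] if ua_allowed(r) else ["block"]
        decisions.append("block" if "block" in results else "allow")
    return decisions

def req(t, ip, ua="Mozilla/5.0 (Windows NT 10.0)", uri="/api/list"):
    return {"t": t, "ip": ip, "ua": ua, "uri": uri}

# Constructed flood: 302 requests from one IP within 30 s, then one retry after the timeout.
FLOOD = [req(i * 0.1, "203.0.113.5") for i in range(302)] + [req(3700.0, "203.0.113.5")]
```

simulate(FLOOD) allows the first 300 requests, blocks the 301st and 302nd, and allows the retry once the 3,600 s blacklist entry has expired; the User-Agent rule blacklists each scattered IP as soon as the shared User-Agent passes 400 hits.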

Block requests from abnormal IP addresses

For more information, see Configure an IP address blacklist.


Block web crawlers

Enable protection items based on your business requirements. For more information, see Configure the bot management module.


What to do next

Configure real-time monitoring

You can monitor the bandwidth of Alibaba Cloud CDN-accelerated domain names. After the bandwidth of a domain name reaches the specified threshold, you are notified of the potential risks by text message, email, or DingTalk message. For more information, see Configure alert rules.

Configure bill alerts

You can use the following features to monitor and limit the expenses. To configure the features, move your pointer over Expenses in the top navigation bar of the console and select Expenses and Costs.

  • High bill alerts: If you enable this feature, the system sends an alert by text message when a daily bill exceeds the alert threshold that you specified.

  • Service suspension protection: If you disable this feature, the service immediately stops running after a payment becomes overdue to prevent high overdue payments.

Note

To ensure the integrity of the statistics and the accuracy of bills, Alibaba Cloud CDN issues the bill approximately 3 hours after a billing cycle ends. The point in time at which the relevant fees are deducted from your account balance may be later than the point in time at which the resources are consumed within the billing cycle. Alibaba Cloud CDN is a distributed service. Therefore, Alibaba Cloud does not provide the consumption details of resources in bills. Other CDN providers use a similar approach.