Conventional CDN services are not well-equipped to deal with large-scale cyber attacks. This poses a problem for industry verticals that require reliable and secure content acceleration services, such as gaming, finance, government and enterprise security, e-commerce, and healthcare. Alibaba Cloud Dynamic Content Delivery Network (DCDN) is a content delivery solution with built-in security features. Integrated with features such as DDoS mitigation, Web Application Firewall (WAF), blacklist, whitelist, and hotlink protection, DCDN is a great choice to protect your data from origin to edge.
Security features
Category | Description | References |
Network attack protection | DDoS mitigation: helps improve application resiliency by protecting them from DDoS attacks. DDoS attacks affect the availability of your applications and may cause losses as a result of application downtime. When a potential attack is detected, DDoS mitigation routes inbound traffic to Alibaba Cloud's traffic scrubbing centers. After the attack ends, the traffic is automatically routed back through DCDN. | |
WAF: protects your applications from external attacks at the edge. DCDN is integrated with WAF to provide security services on DCDN points of presence (POPs). WAF identifies and filters out malicious requests, and forwards only legitimate requests to origin servers. WAF protects web servers against intrusions, ensures the security of business-critical data, and prevents performance degradation caused by attacks. | ||
Bot management: protects your applications against web scraping, while allowing trusted web crawlers to access your applications. Bot traffic management provides a variety of useful features, including crawler whitelists, threat intelligence, and AI protection. This feature detects advanced crawlers, and minimizes the negative impacts of crawlers and automation tools. | ||
Sandbox: If an accelerated domain name is under attack, such as DDoS attacks or HTTP flood attacks, or faces significant increases in bandwidth or QPS due to traffic spikes that have not been reported to Alibaba Cloud, DCDN has the right to determine whether to add the attacked domain name to a sandbox based on factors such as the service status of the domain name and the impact of the attack. This ensures that the acceleration services of other users can work as expected. | ||
Access control | Referer-based hotlink protection: an access control mechanism based on the referer header. This feature lets you configure a referer whitelist or blacklist to allow or deny requests that have specific referers. Referer-based hotlink protection identifies and filters users to protect your resources from unauthorized and unwanted access. | Configure a referer whitelist or blacklist to enable hotlink protection |
User-Agent whitelist and blacklist: an access control mechanism based on the User-Agent header. The User-Agent header contains information about the client that sends the request, including the operating system (OS), OS version, browser, and browser version. DCDN allows you to configure a User-Agent whitelist or blacklist to identify and filter requests. This can restrict access to DCDN resources and improve service security. | ||
IP whitelist and blacklist: an IP-based access control mechanism. An IP whitelist or blacklist serves to manage access from specific IP addresses. IP lists can protect origin servers from IP theft and attacks. | ||
URL signing: verifies encrypted strings and timestamps in signed URLs. This feature protects resources on origin servers in a more secure and efficient manner. | ||
End-to-end encryption | End-to-end security: provides an end-to-end HTTPS secure acceleration solution and allows you to upload and manage SSL certificates. | |
HTTP/2: Clients can access POPs over HTTP/2. | ||
HTTP/3: also known as Quick UDP Internet Connections (QUIC). This protocol provides enhanced security for data transmission between clients and DCDN POPs and accelerates content delivery. |