All Products
Search
Document Center

Edge Security Acceleration:Enable edge security

Last Updated:May 23, 2023

Conventional CDN services are not well-equipped to deal with large-scale cyber attacks. This poses a problem for industry verticals that require reliable and secure content acceleration services, such as gaming, finance, government and enterprise security, e-commerce, and healthcare. Alibaba Cloud Dynamic Content Delivery Network (DCDN) is a content delivery solution with built-in security features. Integrated with features such as DDoS mitigation, Web Application Firewall (WAF), blacklist, whitelist, and hotlink protection, DCDN is a great choice to protect your data from origin to edge.

Security features

Category

Description

References

Network attack protection

DDoS mitigation: helps improve application resiliency by protecting them from DDoS attacks. DDoS attacks affect the availability of your applications and may cause losses as a result of application downtime.

When a potential attack is detected, DDoS mitigation routes inbound traffic to Alibaba Cloud's traffic scrubbing centers. After the attack ends, the traffic is automatically routed back through DCDN.

DDoS mitigation

WAF: protects your applications from external attacks at the edge. DCDN is integrated with WAF to provide security services on DCDN points of presence (POPs). WAF identifies and filters out malicious requests, and forwards only legitimate requests to origin servers. WAF protects web servers against intrusions, ensures the security of business-critical data, and prevents performance degradation caused by attacks.

Overview of WAF (new edition)

Bot management: protects your applications against web scraping, while allowing trusted web crawlers to access your applications. Bot traffic management provides a variety of useful features, including crawler whitelists, threat intelligence, and AI protection. This feature detects advanced crawlers, and minimizes the negative impacts of crawlers and automation tools.

Configure the bot management module

Sandbox: If an accelerated domain name is under attack, such as DDoS attacks or HTTP flood attacks, or faces significant increases in bandwidth or QPS due to traffic spikes that have not been reported to Alibaba Cloud, DCDN has the right to determine whether to add the attacked domain name to a sandbox based on factors such as the service status of the domain name and the impact of the attack. This ensures that the acceleration services of other users can work as expected.

Introduction to sandboxes

Access control

Referer-based hotlink protection: an access control mechanism based on the referer header. This feature lets you configure a referer whitelist or blacklist to allow or deny requests that have specific referers. Referer-based hotlink protection identifies and filters users to protect your resources from unauthorized and unwanted access.

Configure a referer whitelist or blacklist to enable hotlink protection

User-Agent whitelist and blacklist: an access control mechanism based on the User-Agent header. The User-Agent header contains information about the client that sends the request, including the operating system (OS), OS version, browser, and browser version. DCDN allows you to configure a User-Agent whitelist or blacklist to identify and filter requests. This can restrict access to DCDN resources and improve service security.

Configure a User-Agent blacklist or whitelist

IP whitelist and blacklist: an IP-based access control mechanism. An IP whitelist or blacklist serves to manage access from specific IP addresses. IP lists can protect origin servers from IP theft and attacks.

Configure an IP address blacklist or whitelist

URL signing: verifies encrypted strings and timestamps in signed URLs. This feature protects resources on origin servers in a more secure and efficient manner.

Configure URL authentication

End-to-end encryption

End-to-end security: provides an end-to-end HTTPS secure acceleration solution and allows you to upload and manage SSL certificates.

Configure an SSL certificate

HTTP/2: Clients can access POPs over HTTP/2.

Enable HTTP/2

HTTP/3: also known as Quick UDP Internet Connections (QUIC). This protocol provides enhanced security for data transmission between clients and DCDN POPs and accelerates content delivery.

What is the QUIC protocol?