Link to Alibaba Cloud Security Month Special Page: https://developer.aliyun.com/topic/securityapril
After more than 10 years of technological precipitation and practice, Alibaba Cloud CDN has gradually accelerated from the traditional, and gradually built an edge + cloud security network three-dimensional protection system, from full link security transmission, common types of edge defense, and enterprise-level exclusive resources Several dimensions of deployment, operation and maintenance, and content security guarantee mechanisms provide a safe and reliable bridge for enterprises to the network.
Basic security capabilities guarantee secure transmission of the entire link
1. Source station protection
Due to the distributed architecture of the CDN, users obtain content by accessing nearby edge nodes. Through such a springboard, the IP of the source station is effectively hidden, thereby decomposing the access pressure of the source station. When a large-scale malicious attack occurs, the edge nodes can be used as the first line of defense to protect, greatly dispersing the intensity. Even for malicious requests for dynamic content, the intelligent scheduling system of Alibaba Cloud CDN can also unload the source station pressure and maintain The system is stable.
2. Anti-tampering capability
Alibaba Cloud CDN provides enterprise-level full-link HTTPS + node content anti-tampering capability to ensure the transmission security of the client's full link from the source station to the client. At the link transmission level, the HTTPS protocol is used to ensure that the link cannot be hijacked by an intermediate source. The consistency of the source file can be verified on the node. If the content is found to be inconsistent, the content will be deleted and returned to the source for pull. To distribute. The complete solution can ensure the security of content at the source station, link end, CDN node, and client's full link, and provide higher security transmission guarantee.
3. Access and authentication security
Alibaba Cloud CDN can identify and filter the identity of the visitor by configuring the referer, User-Agent, and IP black-and-white list to restrict access to resources; and set the authentication key to encrypt the URL to achieve Advanced anti-theft chain to protect source station resources. At the same time, by building an IP reputation database, access restrictions on blacklisted IP are strengthened.
Enterprise-grade edge security capabilities fully resist common types
In 2019, Alibaba Cloud Cloud Security detected that nearly one million DDoS occurred on the cloud, application layer DDoS (CC) became a common type, and the method was more complicated. At the same time, Web application security related issues still accounted for a very large proportion From the leakage of user information to the spree of the Wool Party, the safety level of every industry and every Web application is being tested all the time. In order to make the network platform that carries data transmission more secure and reliable, Alibaba Cloud CDN has been continuously strengthening its security capabilities.
1. DDoS cleaning
CDN provides enterprises with a marginal application layer DDoS, that is, CC protection capabilities. It can be monitored through IP, Header parameters, URL parameters and other dimensions, and can be counted by number of times, status code, request method, and finally malicious. The secure interception of access effectively guarantees the access of normal business volume. In the face of network layer DDoS, CDN products and DDoS products can be linked, and can be distributed through CDN in the distribution scenario. When DDoS occurs, the area can be detected and effectively dispatched to DDoS for protective cleaning and effective protection of the source site. .
Through the linkage scheme, you can effectively use the massive DDoS cleaning, perfect defense against SYN, ACK, ICMP, UDP, NTP, SSDP, DNS, HTTP and other Flood. At the same time, based on the computing power and deep learning algorithms of the Alibaba Cloud Feitian platform, it intelligently predicts DDoS and smoothly switches high-defense IP without affecting business operations.
Second, WAF
The CDN combines WAF capabilities to form an edge application layer protection capability, performs malicious feature identification and protection of business traffic, and returns normal and safe traffic to the server. To prevent the web server from being malicious, to ensure the core data security of enterprise business, and to solve the problem of abnormal server performance caused by maliciousness. CDN WAF provides virtual patches for the latest vulnerabilities exposed on the website, and provides quick repair rules to the greatest extent possible. And rely on cloud security, fast vulnerability response speed, and timely vulnerability repair capabilities.
3. Anti-brush and anti-climb
Faced with the malicious crawling of web crawlers, the CDN platform is based on the malicious IP library and malicious fingerprint library precipitated by Alibaba Group's business, and conducts precise confrontation through machine learning capabilities close to business risks and customized crawler models to reduce crawlers and automated tools. The influence of the website business guarantees the data security of the enterprise and maintains the core business value of the enterprise.
CDN resources exclusive to enhance corporate safety factor
Alibaba Cloud CDN also provides exclusive resource solutions for business scenarios with strong security requirements such as digital government affairs and large enterprises. First of all, CDN supports customers to achieve physical isolation through security acceleration nodes, which are completely built separately, deeply integrated with security functions, and provide single-node advanced defense capabilities. Secondly, CDN provides exclusive IP resources to ensure business security risk isolation and will not be affected when others are affected. Third, the CDN supports single user independent scheduling domains, DNS between users does not affect each other, and DNS flood protection for millions of QPS.
Adhere to the "production" safety bottom line of content and platform
1. Platform content health compliance
Alibaba Cloud is based on artificial intelligence and massive sample sets, deep learning training recognition models, accurately identifying yellow-related scenes in pictures accelerated by CDN, and can provide multi-level recognition and flexible management and control solutions according to the actual control needs of users. The overall accuracy rate of yellow identification exceeds 99%, which can replace more than 90% of manual audits, greatly reducing the risk of violations.
2. Convenient operation and maintenance and safety
By simplifying the security acceleration architecture, O & M personnel can more easily perform one-stop self-service configuration and API management and control to realize daily monitoring and alarming, full link investigation, automatic protection and real-time panoramic data log viewing. At the same time, the escort and reinsurance response system during large-scale activities can assist enterprise applications to resist security risks and protect the system stability.
In addition to the above technologies, the Alibaba Cloud CDN platform has also passed the National Information Security Level Protection 2.0 Level 3, ISO9001, PCI-DSS and other compliance certifications, and has received world authoritative recognition in network security, data security, and service security.
Industry Application Case
E-commerce-Double 11 Global Carnival
On the Double 11th day of 2019, Alibaba Cloud CDN intercepted 51 million malicious crawling products for Taobao, intercepted 850 million malicious requests, and saved peak bandwidth by more than 65%.
Corporate Website-AirAsia Promotion
AirAsia is the largest low-cost airline in Asia and has been awarded the title of "World's Best Low-Cost Airline" for 11 consecutive years. AirAsia will hold a large-scale ticket promotion every quarter. With the help of Alibaba Cloud CDN + WAF (Anti-Bot) architecture, it can achieve a fast ban on ticket-swapping requests. Through long-term continuous analysis of the seats during the big promotion period The occupancy rate was reduced to a relatively low level to ensure the stability of AirAsia's business revenue.
In order to meet the security and business stability needs of more enterprises, Alibaba Cloud launches government and enterprise security acceleration solutions for government, finance, media and traditional enterprise customers, based on the globally distributed 2800 + CDN edge acceleration nodes and the world's leading cloud security technology , To achieve both acceleration and security, to help them use the Internet more conveniently, steadily, and safely for user interaction, and embrace digital and online dividends.