After more than 10 years of technical precipitation and practice, Alibaba Cloud CDN has gradually accelerated from the traditional, and gradually built an edge + cloud security network three-dimensional protection system, from full link security transmission, edge defense of common attack types, and enterprise-level exclusive Several dimensions of resource deployment, operation and maintenance, and content security guarantee mechanisms provide a safe and reliable bridge for enterprises to the network.
Basic security capabilities guarantee secure transmission of the entire link
1. Source station protection
Due to the distributed architecture of the CDN, users obtain content by accessing nearby edge nodes. Through such a springboard, the IP of the source station is effectively hidden, thereby decomposing the access pressure of the source station. When a large-scale malicious attack strikes, the edge node can be used as the first line of defense to protect, greatly dispersing the strength of the attack. Even for malicious requests for dynamic content, the intelligent scheduling system of Alibaba Cloud CDN can also unload the source station pressure , The maintenance system is stable.
2. Anti-tampering capability
Alibaba Cloud CDN provides enterprise-level full-link HTTPS + node content anti-tampering capability to ensure the transmission security of the client's full link from the source station to the client. At the link transmission level, the HTTPS protocol is used to ensure that the link cannot be hijacked by an intermediate source. The consistency of the source file can be verified on the node. If the content is found to be inconsistent, the content will be deleted and returned to the source for pull. To distribute. The complete solution can ensure the security of content at the source station, link end, CDN node, and client's full link, and provide higher security transmission guarantee.
3. Access and authentication security
Alibaba Cloud CDN can identify and filter the identity of the visitor by configuring the referer, User-Agent, and IP black-and-white list to restrict access to resources; and set the authentication key to encrypt the URL to achieve Advanced anti-theft chain to protect source station resources. At the same time, by building an IP reputation database, access restrictions on blacklisted IP are strengthened.
Enterprise-level edge security capabilities comprehensively resist common attack types. In
2019, Alibaba Cloud Cloud Security detected that nearly one million DDoS attacks occurred on the cloud. Application layer DDoS (CC attacks) became a common type of attack, and the attack methods were more complicated. At the same time, Web application security-related issues still account for a very large proportion. From the leakage of user information to the party of the Wool Party, we are testing the security level of every industry and every Web application all the time. In order to make the network platform that carries data transmission more secure and reliable, Alibaba Cloud CDN has been continuously strengthening its security capabilities.
1. DDoS cleaning
CDN provides enterprises with a marginal application layer DDoS, that is, CC protection capabilities, which can be monitored through IP, Header parameters, URL parameters and other dimensions, and can be counted by number of times, status code, and request method. And finally carry out the safe interception of malicious access, effectively guarantee the access of normal business volume. In the face of network layer DDoS attacks, CDN products and DDoS products can be linked, and can be distributed through CDN in distribution scenarios. When DDoS attacks occur, they can detect the attack area and effectively dispatch the attacks to DDoS for protection and cleaning. Effectively protect the source station.
Through the linkage scheme, you can effectively use the massive DDoS cleaning, perfect defense against SYN, ACK, ICMP, UDP, NTP, SSDP, DNS, HTTP and other Flood. At the same time, based on the computing power and deep learning algorithms of the Alibaba Cloud Flying Platform, it intelligently predicts DDoS attacks and smoothly switches high-defense IP, without affecting business operations. 
Second, WAF
CDN combines WAF capabilities to form edge application layer protection capabilities, identify and protect malicious characteristics of business traffic, and return normal and safe traffic to the server. Avoid malicious intrusion of website servers, ensure the core data security of enterprise services, and solve the problem of abnormal server performance caused by malicious attacks. CDN WAF provides virtual patches for the latest vulnerabilities exposed on the website, and provides quick repair rules to the greatest extent possible. And rely on cloud security, fast vulnerability response speed, and timely vulnerability repair capabilities.
3. Anti-brush and anti-climbing In the
face of malicious crawling by web crawlers, the CDN platform is based on the malicious IP library and malicious fingerprint library precipitated by Alibaba Group ’s business, and conducts precise confrontation through machine learning capabilities that are close to business risks and customized crawler models. Reduce the impact of crawlers and automation tools on the website business, protect the data security of the enterprise, and maintain the core business value of the enterprise.
CDN resource exclusiveness enhances enterprise security factor
Alibaba Cloud CDN also provides exclusive resource solutions for business scenarios with strong security requirements such as digital government affairs and large enterprises. First of all, CDN supports customers to achieve physical isolation through security acceleration nodes, which are completely built separately, deeply integrated with security functions, and provide single-node advanced defense capabilities. Secondly, CDN provides exclusive IP resources to ensure business security risk isolation and will not be affected when others are attacked. Third, the CDN supports single-user independent scheduling domains, DNS attacks between users do not affect each other, and DNS flood protection for millions of QPS.
Adhere to the "production" safety bottom line of content and platform
1. Platform content health compliance
Alibaba Cloud is based on artificial intelligence and massive sample sets, deep learning training recognition models, accurately identifying yellow-related scenes in pictures accelerated by CDN, and can provide multi-level recognition according to the actual control needs of users. And flexible control schemes. The overall accuracy rate of yellow identification exceeds 99%, which can replace more than 90% of manual audits, greatly reducing the risk of violations.
2. Convenient operation and maintenance and safety
By simplifying the security acceleration architecture, operation and maintenance personnel can more easily perform one-stop self-service configuration and API management and control, and realize daily attack monitoring alarm, full link investigation, automatic protection and real-time panoramic data log viewing. At the same time, the escort and reinsurance response system during large-scale activities can assist enterprise applications to resist security risks and protect the system stability.
In addition to the above technologies, the Alibaba Cloud CDN platform has also passed the National Information Security Level Protection 2.0 Level 3, ISO9001, PCI-DSS and other compliance certifications, and has received world authoritative recognition in network security, data security, and service security.
Industry Application Case
E-commerce-Double 11 Global Carnival
On the 11th of November 2019, Alibaba Cloud CDN intercepted 51 million malicious crawling products for Taobao and 850 million malicious requests, saving more than 65% of peak bandwidth.
Corporate website-AirAsia Promotion
AirAsia is Asia's largest low-cost carrier, and has been awarded the title of "World's Best Low-Cost Airline" for 11 consecutive years. AirAsia will hold a large-scale ticket promotion every quarter. With the help of Alibaba Cloud CDN + WAF (Anti-Bot) architecture, it can achieve a fast ban on ticket-swapping requests. Through long-term continuous analysis of the occupancy during the big promotion period, The occupancy rate was reduced to a relatively low level to ensure the stability of AirAsia's business revenue.
In order to meet the security and business stability needs of more enterprises, Alibaba Cloud launches government and enterprise security acceleration solutions for government, finance, media and traditional enterprise customers, based on the globally distributed 2800 + CDN edge acceleration nodes and the world's leading cloud security technology , To achieve both acceleration and security, to help them use the Internet more conveniently, steadily, and safely for user interaction, and embrace digital and online dividends.
