A Guide to CDN Security Protection: Managing Tampering, Attacks, and Content

Alibaba Cloud
6 min readJul 20, 2020

--

By the CDN team

After more than a decade of technical evolution and practical experience, Alibaba Cloud Content Delivery Network (CDN) moved away from traditional acceleration to gradually build a three-dimensional protection system based on an edge-cloud security network. This system encompasses end-to-end secure transmission, defense against common attacks on edge nodes, enterprise-level exclusive resource deployment, O&M, and content security protection. CDN establishes a secure and reliable channel between enterprises and the Internet.

Basic Security Capabilities Ensure End-to-End Transmission Security

Origin Server Protection

Due to CDN’s distributed architecture, users can obtain content by accessing a nearby edge node, which effectively hides the origin IP address and mitigates the access pressure on the origin server. In the event of a large-scale cyberattack, edge nodes serve as the first line of defense and significantly disperse the attack intensity. Even in the case of malicious requests for dynamic content, CDN’s intelligent scheduling system can offload the pressure on the origin server to ensure the stability of the system.

Tamper-prevention Capabilities

CDN provides enterprise-level end-to-end tamper-prevention capabilities for HTTPS links and node content to ensure transmission security between the origin server and the client. HTTPS is used to protect links from being hijacked by intermediate sources, whereas the nodes verify the consistency of the source file. If the content of the source file is found inconsistent, the file is deleted and its original copy is pulled from the source again before being distributed. This complete solution provides higher transmission security and ensures content security on the origin server, links, CDN nodes, and clients.

Access and Authentication Security

CDN can identify and filter visitors by configuring a referer, User-Agent, and IP address blacklist or whitelist. This helps sanitize access to resources. You can also set a cryptographic key to encrypt the URL to implement advanced hotlinking protection and protect resources on the origin server. At the same time, an IP reputation database is built to strengthen the access restrictions on blacklisted IP addresses.

Enterprise-grade Edge Security Protects Against Common Attacks

In 2019, Alibaba Cloud Security detected nearly a million incidents of off-premises distributed denial of service (DDoS) attacks. Application-layer DDoS attacks, such as HTTP flood attacks, have become a common attack type, and attack methods have grown more varied and complex. Meanwhile, issues related to web application security still account for a large proportion of attacks. Through leaks of user data, benefit hunters, or other attacks, the security of every industry and web application is being tested all the time. To increase the security and reliability of network platforms that host data transmission, CDN constantly works to increase its security capabilities.

DDoS Scrubbing

CDN provides enterprises with the application-layer anti-DDoS protection capability (HTTP flood attack protection capability) on edge nodes. This capability can monitor IP addresses, header and URL parameters, compile statistics on occurrences, status codes, and request methods, and intercept malicious access requests. On this basis, CDN can effectively ensure that normal business traffic is not affected. To defend against network-layer DDoS attacks, CDN can be linked with the anti-DDoS product. In distribution scenarios, CDN can be used for distribution. When a DDoS attack occurs, the targeted areas are detected and attack traffic is scheduled to the Anti-DDoS Scrubbing Center to effectively protect the origin server.

This linkage solution can effectively scrub high-volume DDoS traffic and defend against flood-type attacks such as SYN, ACK, ICMP, UDP, NTP, SSDP, DNS, and HTTP. Based on the computing capabilities and deep learning algorithms of the Alibaba Cloud Apsara platform, intelligent DDoS attack prediction is used to smoothly switch traffic over to anti-DDoS Pro without affecting daily business workflow.

WAF

CDN integrates Web Application Firewall (WAF) capabilities to deploy application-layer protection capabilities on edge nodes. This allows it to filter out malicious requests and reroute secure requests to origin servers. WAF protects web servers against intrusions, safeguards core data, and prevents server performance deterioration caused by attacks. CDN/WAF provides virtual patches to quickly fix newly discovered vulnerabilities. It relies on cloud security to rapidly respond to vulnerabilities by promptly patching them.

Click Farming and Crawling Prevention

To deal with malicious crawling from web crawlers, CDN uses the malicious IP address library and fingerprint database built by the Alibaba Group. It uses machine learning capabilities tailored to business risks and customized crawler models to mitigate the impact of web crawlers and automated tools on website businesses. This ensures data security and protects the core business value of enterprises.

Exclusive Use of CDN Resources Improves Enterprise Security

CDN also provides exclusive resource groups for security-demanding scenarios, such as digital government services and large enterprises. First, CDN allows you to physically isolate secure acceleration nodes and build them independently. It highly integrates security functions and provides single-node, advanced anti-DDoS protection. Second, CDN provides dedicated IP resources to protect your businesses against security risks and prevent attacks on one user from affecting the businesses of other users. Third, CDN supports the independent scheduling of domains by a single user. This means DNS attacks on one user do not affect other users. This allows CDN to defend against DNS flood attacks with millions of QPS.

Production-level Security for Content and Platforms

Compliance of Platform Content

Based on artificial intelligence (AI) and a large number of sample sets, Alibaba Cloud uses deep learning to train a recognition model that can accurately identify pornographic content in images accelerated by CDN. This allows it to provide multi-level identification and flexible management and control solutions based on your needs. CDN’s overall pornography detection accuracy exceeds 99%, which allows it to replace manual reviews that only provide 90% accuracy and greatly reduce the risk of violations.

Convenience and Security

By simplifying the security acceleration architecture, CDN allows O&M personnel to easily perform one-stop, self-service configuration, and API control. This allows them to implement routine attack monitoring and alerting, end-to-end troubleshooting, automatic protection, and real-time display of full data logs. At the same time, the escort and major event response system designed for large-scale promotional activities can help enterprises protect their applications against security risks and ensure system stability.

In addition to the aforementioned technologies, CDN has attained classified protection 2.0 level-3, ISO 9001, PCI-DSS, and other certifications. Leading global authorities have recognized its network security, data security, and service security capabilities.

Industry Application Cases

E-commerce: Double 11 (11/11) Shopping Festival

During the 2019 Double 11 event, Alibaba Cloud CDN intercepted 51 million malicious crawlers targeting Taobao, blocked 850 million malicious requests, and reduced peak bandwidth usage by more than 65%.

Enterprise Websites: Major AirAsia Promotion

AirAsia is the largest low-cost airline in Asia. It has been named the World’s Best Low-cost Airline for 11 years in a row. AirAsia holds large ticket sales promotions each quarter. With the help of the Alibaba Cloud CDN/WAF (Anti-Bot) architecture, it can quickly block malicious ticket requests. Through long-term and continuous analysis of seat occupancy during the promotion period, the pressure of seat occupation rates is reduced to a relatively low level to ensure stable revenue for AirAsia.

To meet the security and business stability needs of more enterprises, Alibaba Cloud has released a security acceleration solution for government and enterprises, which is oriented toward government, finance, media, and traditional enterprise customers. This solution is based on our over 2,800 CDN edge nodes distributed worldwide and world-leading cloud security technology. It can achieve both acceleration and security, allowing enterprises to use the Internet in a more convenient, stable, and secure manner. It can interact better with users and embrace the benefits of digitization and online business models.

Learn more about Alibaba Cloud Content Delivery Network (CDN) by visiting the official product page.

Original Source:

--

--

Alibaba Cloud
Alibaba Cloud

Written by Alibaba Cloud

Follow me to keep abreast with the latest technology news, industry insights, and developer trends. Alibaba Cloud website:https://www.alibabacloud.com

Responses (1)