How Can You Tackle Network Attacks on CDN Edge Nodes?

By CDN Team

Five Network Attacks Commonly Seen in Today’s Grim Network Security Environment

DDoS Attacks

HTTP Flood Attack

Web Attacks

Malicious Crawlers

Hijacking Attacks

Enterprises Need Multi-layer In-depth Protection for Online Services

  1. DDoS attack traffic is scrubbed and processed at the network layer. If the adverse impact is aggravated, IP addresses can be changed and the black hole routing mechanism must be activated to mitigate the situation.
  2. In contrast to traditional plain text traffic, Hypertext Transfer Protocol Secure (HTTPS) is used to implement encryption at the transport layer, preventing certificate forgery.
  3. The application layer must be capable of HTTP flooding protection, anti-crawling, and anti-brushing, so as to prevent malicious consumption of bandwidth to avoid economic and business losses. Web Application Firewall (WAF) and anti-tampering mechanisms must be deployed to protect origin sites and their content.

Protections must be put in place at the network layer, transport layer, and application layer. In particular, the application layer needs to have protective measures intended for different scenarios.

CDN-based Edge Node Security + Anti-DDoS Pro Center Security Architecture

As shown in the figure, the first layer of protection in the overall security architecture deployed on the global CDN nodes fortifies the edge nodes with greater security capabilities and relies on its multi-layer multi-dimension traffic data statistics and attack detection capabilities to consolidate the data, such as DDoS and HTTP access traffic, to the Security Brain for comprehensive analysis. Defense policies can be dynamically delivered to edge nodes against different levels of attacks. Meanwhile, edge nodes can also automatically defend and clean themselves. In addition, the overall security architecture deploys WAF and tamper protection on the origin nodes and defends against attacks before they reach the origin site. If the origin site only serves the CDN service without being exposed to the public network, the overall architecture also provides CDN-based advanced protection for the origin site to prevent the origin site from being discovered by malicious scanners.

In financial and government scenarios, to resist high-bandwidth and high-volume DDoS attacks, CDN has a large number of edge nodes to digest most of the attack traffic through its own scheduling and cleaning features. Once DDoS attacks increase in magnitude, the Security Brain invokes intelligent scheduling to route the attack traffic to the advanced protection nodes for scrubbing.

Three Core Features of Alibaba Cloud CDN Security Architecture

1) Anti-DDoS Intelligent Scheduling: Collaborated Mechanism between Multiple Components

The policy of Anti-DDoS Intelligent Scheduling is to distribute business traffic through CDN by default for maximized acceleration and optimal user experience. When high-bandwidth and high-volume DDoS attacks are detected, the Intelligent Scheduling feature determines the severity level and uses Anti-DDoS Pro to scrub DDoS attacks. It also performs local or global scheduling, depending on the magnitude of attacks. When DDoS attacks stop, Intelligent Scheduling automatically routes the business traffic of the Anti-DDoS Pro service back to the CDN edge nodes to resume the usual acceleration as much as possible.

The centerpiece of Anti-DDoS Intelligent Scheduling consists of three components, including edge acceleration, intelligent scheduling, and Tbps-level protection. Adequate DDoS attack detection and intelligent scheduling deployed on the basis of edge acceleration determine whether to clean the attack traffic through Anti-DDoS Pro or Tbps-level protection center. At present, the solution has been adopted by customers that represent the financial industry and the media industry.

2) Web Protection: Eight Layers of Security Features to Filter out Malicious Requests

According to Zhao Wei, CDN edge nodes are closest to Internet users. Among all access requests, some are normal user requests, and others may be crawlers, injections, malicious and cross-site requests. The various layers of protection filter out malicious requests and return the normal requests to the original sites.

3) Machine Traffic Management: Identify Internet Bot traffic and Block Malicious Bot Traffic

The following figure shows a use case. First, the traffic to a domain name is analyzed when the Machine Traffic Management policy is implemented. The pie chart on the left shows a scenario where machine traffic analysis is enabled for a domain name, and more than 82% of the requests are identified to be from malicious crawlers. The line chart on the right shows, after the malicious crawler traffic interception feature is activated for the machine traffic, the peak bandwidth of the domain name decreases by more than 80%.

Content Delivery Network CDN is already the primary entrance of Internet traffic. It is the industry trend to deploy security capabilities on CDN edge nodes and provide customers with one-stop security acceleration solutions. At the end of the press conference, Zhao Wei shared that Alibaba Cloud will deepen the scenario-based, convenient, and intelligent solutions for future government-enterprise security acceleration, so as to provide security policies that faster, more intelligent, more effective and closer to customer needs. The solutions will make CDN the first line of defense for online services and guarantee the secure and stable operation of applications.

Learn more about Alibaba Cloud’s CDN product at

Original Source:

Follow me to keep abreast with the latest technology news, industry insights, and developer trends.