A high-defense CDN protection scheme (hereinafter referred to as high-defense CDN) relies on a large number of CDN nodes, each with a certain DDoS protection capacity of its own, to protect a service when its servers come under DDoS attack. Generally speaking, a high-defense CDN vendor operates more than 50 CDN nodes, and the DDoS protection capacity of a single CDN node is between 20 and 100 Gbps.
A high-defense CDN has the following five characteristics:
Website acceleration is better: CDN nodes are generally distributed by province and by carrier line. Business traffic is generally scheduled through intelligent DNS resolution, so users reach the business website through the best CDN node. CDN nodes can also accelerate the website's static resources, so user access latency is greatly reduced and the experience is better.
Layer-7 protection is better: the main function of a CDN node is layer-7 acceleration and forwarding, so a single CDN node has a certain processing capacity, and there are many distributed nodes. When a DDoS attack targets a URL, DNS scatters it across the CDN nodes, which makes full use of the bandwidth of the entire network to achieve effective protection.
Some DDoS attacks cannot be defended against: the protection capacity of a high-defense CDN node is generally between 20 and 100 Gbps. If the attacker pins the host to a specific node in order to attack it, or attacks each node IP, and the traffic exceeds the protection capacity of the CDN node, all business services on that single CDN node are interrupted. If the attacker launches large-traffic attacks against the CDN nodes one after another, the user's business keeps switching between nodes (a single switch takes about 2-5 minutes), and the entire service may even be interrupted.
Shared IPs make it impossible to attribute an attack: CDN nodes generally serve business from shared IP segments, and one IP may carry services for multiple domain names. If such an IP suffers a DDoS attack, it is therefore not possible to tell which domain's business the attack is aimed at. The general approach of high-defense CDN vendors is to return all the business domain names related to that IP to the origin server. This sends the attack traffic directly to the origin server, or exposes the origin server to the attacker, so the origin server's security risk increases sharply.
Origin hiding is supported: a high-defense CDN exposes only the shared IP address segments of its nodes, and the origin server's business is delivered through the CDN node IPs, which keeps the origin server safe.
Analysis of high-defense IP protection solutions
A high-defense IP protection scheme (hereinafter referred to as high-defense IP) achieves DDoS protection through DDoS protection nodes built in various regions with large bandwidth and protection capacity. Generally speaking, a high-defense IP vendor has 2-10 protection nodes in the country, and the DDoS protection capacity of a single node is generally between 300 and 1000 Gbps.
High-defense IP protection has the following three characteristics:
DDoS protection effect: depending on the customer's needs, high-defense IP vendors generally provide one or more high-defense nodes to protect the customer's business. All of the customer's traffic converges on the high-defense nodes, which generally have a protection capacity of 300-1000 Gbps. As long as the attack traffic is smaller than the node's maximum protection capacity, the node can handle it easily.
Website acceleration is slightly weaker: a high-defense IP vendor generally has fewer than 10 nodes, so it cannot accelerate a website province by province the way CDN nodes do. High-defense IP can still provide nodes in multiple regions, cache and accelerate static resources, and schedule DNS by region or line, which effectively reduces bandwidth use at the origin server and allows access to be routed by region or line.
Origin hiding is supported: high-defense IP exposes only the dedicated high-defense IP of each node, and business traffic is forwarded through the dedicated IP of each high-defense node. The attacker cannot obtain the user's real origin server through business interaction, which keeps the origin server safe.
According to the comparison above, the DDoS protection capacity of a high-defense CDN is weaker than that of high-defense IP, but its website acceleration is better, so it suits businesses with high website acceleration requirements. High-defense IP is suitable for users with low website acceleration requirements, users whose DDoS attack threat is unclear, and users with frequent dynamic interaction with the origin server, such as game businesses, Internet finance businesses, small promotional websites, external business systems, etc.
At present, there are very few DDoS attacks below 100 Gbps, and attack traffic is still growing. For effective DDoS protection, the maximum protection capacity of a single node matters most. Only when the single-point protection capacity is sufficient can the business stay unaffected at all times during a large-traffic DDoS attack.
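The capacity argument above, worked through as a capacity-planning model (an added example, not part of the original article): it checks which nodes are pushed past their protection capacity when attack traffic is scattered by DNS versus concentrated on one node IP, and generalizes to nodes with different capacities and DNS shares. The node names, the alternating 20/100 Gbps CDN capacities, the equal DNS shares and the two 300 Gbps high-defense nodes are constructed assumptions within the ranges the article quotes.

```python
# Added example: capacity model for the two schemes. Node names, counts and
# DNS shares are constructed; capacities use the ranges quoted in the article.
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    name: str
    capacity_gbps: float  # DDoS protection capacity of this node
    dns_share: float      # relative share of DNS-scheduled traffic

def scattered_loads(nodes, attack_gbps):
    """Attack follows DNS scheduling, so each node gets its DNS share."""
    total = sum(n.dns_share for n in nodes)
    return {n.name: attack_gbps * n.dns_share / total for n in nodes}

def pinned_loads(nodes, attack_gbps, target):
    """Attack bypasses DNS and lands entirely on one node IP."""
    if target not in {n.name for n in nodes}:
        raise ValueError(f"unknown node: {target}")
    return {n.name: attack_gbps if n.name == target else 0.0 for n in nodes}

def overloaded(nodes, loads):
    """Names of nodes whose load exceeds their protection capacity."""
    return sorted(n.name for n in nodes if loads[n.name] > n.capacity_gbps)

def tolerable_scattered_gbps(nodes):
    """Largest DNS-scattered attack that overloads no node."""
    total = sum(n.dns_share for n in nodes)
    return min(n.capacity_gbps * total / n.dns_share for n in nodes)

def switch_downtime_minutes(failed_nodes, per_switch=(2, 5)):
    """(min, max) minutes spent switching when nodes fail one after another."""
    return failed_nodes * per_switch[0], failed_nodes * per_switch[1]

# Constructed deployments: 50 CDN nodes alternating 100/20 Gbps, 2 high-defense nodes.
CDN = [Node(f"cdn-{i:02d}", 20.0 if i % 2 else 100.0, 1.0) for i in range(50)]
HIGH_DEFENSE_IP = [Node("hd-1", 300.0, 1.0), Node("hd-2", 300.0, 1.0)]

if __name__ == "__main__":
    for nodes, target in ((CDN, "cdn-01"), (HIGH_DEFENSE_IP, "hd-1")):
        print(overloaded(nodes, pinned_loads(nodes, 200.0, target)),
              tolerable_scattered_gbps(nodes))
```

With these figures a 200 Gbps attack scattered across the CDN stays at 4 Gbps per node, while the same volume concentrated on one 20 Gbps node overloads it; a single 300 Gbps high-defense node absorbs it either way.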