
How does CDN defend against DDoS attacks? What are the security protection mechanisms?

February 21, 16:59

Importance of CDN Security Protection

With the increasing frequency and complexity of cyber attacks, CDN is not only a content delivery tool but also an important security protection layer. CDN security protection can effectively defend against various network attacks, protecting origin servers and user data security.

Major Security Threats

1. DDoS Attacks

Distributed Denial of Service attacks are the biggest threat facing CDN:

Attack types:

  • Volumetric attacks: Exhaust bandwidth through massive traffic
  • Protocol attacks: Exhaust connection resources using protocol vulnerabilities
  • Application layer attacks: Attacks targeting the application layer (like HTTP Flood)

Attack scale:

  • Small attacks: <1 Gbps
  • Medium attacks: 1-10 Gbps
  • Large attacks: 10-100 Gbps
  • Mega attacks: >100 Gbps

2. Web Application Attacks

Various attacks targeting web applications:

Common attacks:

  • SQL Injection: Obtain data by injecting malicious SQL statements
  • XSS (Cross-Site Scripting): Inject malicious scripts to steal user information
  • CSRF (Cross-Site Request Forgery): Forge user requests to perform unauthorized operations
  • File Inclusion Attacks: Include malicious files to execute code

3. Malicious Crawlers and Scraping

Automated programs massively scraping website content:

Harm:

  • Consume large amounts of bandwidth and server resources
  • Steal website content and data
  • Affect normal user experience

4. Data Leakage

Sensitive data illegally obtained:

Leakage paths:

  • Unencrypted transmitted data
  • Misconfigured access control
  • Vulnerability exploitation

CDN Security Protection Mechanisms

1. DDoS Protection

Traffic Scrubbing

The CDN scrubs malicious traffic across its distributed network:

How it works:

  1. Detect abnormal traffic patterns
  2. Identify attack characteristics
  3. Filter malicious traffic
  4. Forward normal traffic

Scrubbing capability:

  • Edge scrubbing: Filter directly at edge nodes
  • Central scrubbing: Aggregate to scrubbing center for processing
  • Hybrid scrubbing: Combine edge and center

Rate Limiting

Limit the request frequency of a single IP or user:

Rate limiting strategies:

```nginx
# Limit a single IP to at most 10 requests per second
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;

location / {
    limit_req zone=one burst=20 nodelay;
}
```

Rate limiting levels:

  • IP-level limiting: Based on source IP
  • User-level limiting: Based on user identifier
  • URL-level limiting: Based on specific URL

Intelligent Identification

Use AI/ML technology to identify attacks:

Identification methods:

  • Behavior analysis: Analyze access patterns
  • Signature matching: Match known attack signatures
  • Machine learning: Train models to identify new attacks
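The behavior-analysis method above boils down to counting requests per client over a sliding window. The following added example (not code from the original page) does exactly that over constructed nginx "combined" access-log lines: it parses each line, keeps a per-IP window of timestamps, and flags any IP that crosses the threshold, which is the pattern an HTTP Flood / CC attack produces. The log lines, IPs and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# nginx "combined" log format: ip - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect_http_flood(lines, window_s=10, max_requests=50):
    """Sliding-window counter per source IP.

    Returns {ip: timestamp} for every IP whose request count inside any
    window_s-second window exceeded max_requests (first moment it crossed).
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) > max_requests and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


def build_sample_log():
    """Constructed traffic (not real data): one normal client, one client hammering /search."""
    fmt = '{ip} - - [21/Feb/2025:16:59:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    lines = [fmt.format(ip="203.0.113.7", sec=s, path="/index.html", ua="Mozilla/5.0")
             for s in range(0, 60, 5)]          # legitimate user: one request every 5 s
    for s in range(10):                         # CC-style client: 12 requests/s for 10 s
        lines += [fmt.format(ip="198.51.100.9", sec=s, path="/search?q=x", ua="python-requests/2.31")
                  for _ in range(12)]
    return lines


if __name__ == "__main__":
    for ip, when in detect_http_flood(build_sample_log()).items():
        print(f"{ip} exceeded the threshold at {when.isoformat()}")
```

In production the flagged IPs would feed a rate-limit or block list rather than a print statement; the thresholds should be tuned per site from baseline traffic.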

2. WAF (Web Application Firewall)

A Web Application Firewall protects the application layer:

WAF Functions

Core functions:

  • Input validation: Validate and filter user input
  • Output encoding: Encode output to prevent XSS
  • Access control: Control access permissions
  • Attack detection: Detect and block attacks

Rule examples:

```nginx
# Prevent SQL injection (simplistic pattern match on the query string)
if ($args ~* "union.*select.*from") { return 403; }

# Prevent XSS
if ($args ~* "<script|javascript:") { return 403; }
```

WAF Deployment Modes

Deployment methods:

  • Reverse proxy mode: CDN acts as reverse proxy
  • Transparent proxy mode: Transparently intercept traffic
  • DNS mode: Redirect traffic through DNS

3. Access Control

IP Whitelist/Blacklist

Control which IPs are allowed or denied access:

```nginx
# Whitelist: only the listed networks get through
allow 192.168.1.0/24;
allow 10.0.0.0/8;
deny all;

# Blacklist: everyone except the listed addresses gets through
deny 1.2.3.4;
deny 5.6.7.0/24;
allow all;
```

Geographic Restrictions

Restrict access based on geographic location:

Use cases:

  • Only allow access from specific countries/regions
  • Block access from high-risk regions
  • Comply with regional regulations

Configuration example:

```nginx
# Only allow access from China.
# The geo module maps IP ranges, not country codes, so the country code
# comes from ngx_http_geoip_module ($geoip_country_code), which needs a
# geoip_country database directive configured in the http block.
map $geoip_country_code $allowed_country {
    default no;
    CN      yes;
}

if ($allowed_country = no) { return 403; }
```

Referer Check

Prevent hotlinking and unauthorized references:

```nginx
# Check Referer
valid_referers none blocked example.com *.example.com;
if ($invalid_referer) { return 403; }
```

4. Encrypted Transmission

HTTPS/TLS Encryption

Protect data transmission security:

Configuration points:

  • Use strong cipher suites
  • Enable HSTS
  • Regularly update certificates

```nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
```

Token Authentication

Use a token to verify that a request is legitimate:

Token generation:

```python
import hashlib
import time


def generate_token(secret_key, path, timestamp):
    # Token = SHA-256 over secret, path and timestamp; the verifier must
    # recompute it from the same inputs and compare.
    data = f"{secret_key}{path}{timestamp}"
    return hashlib.sha256(data.encode()).hexdigest()
```

Token verification:

```nginx
# Verify the token. $expected_token is a placeholder for a value computed by
# the application or edge logic; nginx has no built-in variable of that name.
if ($arg_token != $expected_token) { return 403; }
```

5. Crawler Protection

Identify Crawlers

Identify legitimate and malicious crawlers:

Identification methods:

  • User-Agent analysis
  • Behavior pattern recognition
  • Access frequency analysis

Crawler Management

Management strategies:

  • Whitelist: Allow legitimate crawlers (like Googlebot)
  • Blacklist: Block malicious crawlers
  • Rate limiting: Limit crawler access frequency

```nginx
# Limit crawler access frequency. limit_req cannot be placed inside an "if"
# and takes no rate= argument, so the crawler match is done with a map: the
# key is empty (no limiting) for ordinary clients and the client IP for
# User-Agents that look like crawlers.
map $http_user_agent $crawler_key {
    default                "";
    ~*(bot|spider|crawler) $binary_remote_addr;
}
limit_req_zone $crawler_key zone=crawler_zone:10m rate=5r/s;

location / {
    limit_req zone=crawler_zone burst=10;
}
```

Security Monitoring and Alerting

1. Real-time Monitoring

Monitoring metrics:

  • Traffic anomalies: Sudden increase or decrease in traffic
  • Request anomalies: Abnormal request patterns
  • Error rate: Sudden increase in error rate
  • Response time: Abnormal response time

2. Alert Mechanism

Alert levels:

  • P1 (Critical): Currently under attack
  • P2 (Important): Suspicious activity detected
  • P3 (General): Security configuration issues

Alert methods:

  • Email
  • SMS
  • Instant messaging tools
  • Monitoring dashboard

3. Log Analysis

Log content:

  • Access logs: Record all requests
  • Security logs: Record security events
  • Error logs: Record error information

Analysis tools:

  • ELK Stack (Elasticsearch, Logstash, Kibana)
  • Splunk
  • Graylog

Security Best Practices

1. Layered Protection

Implement multi-layer security protection:

```text
User → CDN Edge Node → WAF → Origin Server
```

Responsibilities of each layer:

  • Edge node: Basic protection, traffic scrubbing
  • WAF: Application layer protection
  • Origin server: Deep protection

2. Principle of Least Privilege

Grant only necessary permissions:

  • Minimize exposed ports and services
  • Restrict access permissions
  • Regularly review permissions

3. Regular Security Audits

Audit content:

  • Security configuration checks
  • Vulnerability scanning
  • Penetration testing
  • Security policy review

4. Incident Response Plan

Response process:

  1. Detect attack
  2. Isolate affected systems
  3. Analyze attack source
  4. Fix vulnerabilities
  5. Restore services
  6. Summarize experience

Common Security Issues and Solutions

Issue 1: CC Attacks

Problem: Large number of HTTP requests exhaust server resources

Solutions:

  • Enable WAF
  • Implement rate limiting strategies
  • Use CAPTCHA
  • IP blacklist

Issue 2: Hotlinking

Problem: Other websites reference your resources

Solutions:

  • Configure Referer check
  • Use Token authentication
  • Enable anti-hotlinking feature

Issue 3: Data Leakage

Problem: Sensitive data illegally obtained

Solutions:

  • Enable HTTPS
  • Encrypt sensitive data
  • Implement access control
  • Regular security audits

Interview Points

When answering this question, emphasize:

  1. Understanding of major security threats facing CDN
  2. Mastery of various CDN security protection mechanisms
  3. Understanding of layered security protection strategies
  4. Practical security configuration and protection experience
  5. Ability to analyze and respond to security incidents
Tags: CDN