Application Layer DDoS Defense White Paper


Speed Shield CDN detects and analyzes request traffic in real time using a threat intelligence database, access control, log self-learning and human-machine verification, and blocks malicious requests in real time without affecting normal access. A single protection node handles up to 10 million QPS, and the platform as a whole up to 1 billion QPS. It currently defends against the common application-layer DDoS attacks, including CC (Challenge Collapsar), HTTP Flood, slow connection attacks and POST Flood. Each attack type and the corresponding protection method are described below.

CC and HTTP Flood Attacks

  • Attack Introduction

A CC (Challenge Collapsar) attack is one in which the attacker uses proxy servers to imitate real users and continuously sends a large volume of requests to the target website, for example repeated requests for a dynamic URL or for a non-existent URL. Because such requests cannot be served from cache, every one of them is passed back to the origin, so the origin server's capacity is exhausted and the target website denies service.

An HTTP Flood is the same technique aimed at static content: the attacker uses proxy servers to imitate real users and continuously sends a large volume of requests for a static URL, exhausting the web server's capacity and causing the target website to deny service.

  • Protection principle

Threat intelligence database: DMS collects and analyzes attack-event logs in real time on its big data analytics platform, extracts attack characteristics (IP address, URL, User-Agent, Referer and so on) and assigns each characteristic a threat level, forming a threat intelligence database. High-risk IPs, User-Agents, URLs and Referers are pushed automatically to every protection node on the network. Any subsequent request that matches a high-risk entry in the database is intercepted directly, which keeps defense efficient and prevents CC attacks from reaching the website.

Personalized policy configuration: a request that does not match a high-risk entry in the threat intelligence database is checked against the customer's own policy configuration (for example an IP blacklist or per-IP access frequency control).

Log self-learning: DMS continuously learns the access characteristics of the customer's website (for example the request volume for each resource and the behavioral patterns of visitors) and builds a baseline of normal access for the site.

Human-machine verification: when a request deviates from the site's normal access baseline, DMS issues a human-machine verification (JS verification, META verification and so on) rather than blocking outright, to avoid false positives on legitimate traffic. If the client passes, the request is released; if it fails, the request is intercepted and its attack characteristics are synchronized to the threat intelligence database in real time. DMS offers JS verification, META verification, 302 redirect, CAPTCHA and other human-machine verification methods, so that attacks are intercepted while the normal user's access experience is preserved.

A. JS Validation

The node returns 200 with a JavaScript body (the original URL plus a verification key) instead of the requested content. A normal user's browser executes the script, re-requests the URL with the verification key attached and then continues normally. A malicious client that cannot execute the script never completes the round trip, and DMS intercepts it. This filters only clients that do not run JavaScript; a scripted headless browser passes it, which is why stronger methods such as CAPTCHA remain available for escalation.

B. META Verification Redirect

The node returns a page whose meta tag carries the verification parameters (a meta refresh back to the original URL). A normal user's browser follows the meta tag, re-requests the URL with the verification parameters attached and continues normally. A malicious client that does not process the meta tag never completes the round trip, and DMS intercepts it.
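The following is an added example, not DMS code, showing how a protection node can implement the JS and META verification round trip described in A and B above. The verification key is an HMAC over the client IP, the requested path and an expiry time, so it cannot be reused from another address, for another path, or after it expires. The secret, the 60-second TTL, the query parameter name `_dms_key` and the HMAC construction are assumptions for the example, not details of the product.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlparse

# Assumed values for the example; a real deployment would rotate the secret and
# share it across all edge nodes so that any node can validate a key.
SECRET = b"example-node-secret"
TOKEN_TTL = 60              # seconds an issued key stays valid (assumed)
KEY_PARAM = "_dms_key"      # hypothetical query parameter that carries the key


def _sign(client_ip: str, path: str, expires: int) -> str:
    """HMAC binding the key to client address, requested path and expiry time."""
    msg = f"{client_ip}|{path}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def make_key(client_ip: str, path: str, now: int) -> str:
    expires = now + TOKEN_TTL
    return f"{expires}.{_sign(client_ip, path, expires)}"


def verify_key(client_ip: str, path: str, key: str, now: int) -> bool:
    """False for malformed, expired or tampered keys, or keys minted for another IP or path."""
    expires_str, _, sig = key.partition(".")
    if not expires_str.isdigit() or not sig:
        return False
    expires = int(expires_str)
    if now > expires:
        return False
    return hmac.compare_digest(sig, _sign(client_ip, path, expires))


def challenge_body(url: str, key: str, mode: str) -> str:
    """The 200 response that sends the client back to url with the key appended."""
    target = url + ("&" if "?" in url else "?") + f"{KEY_PARAM}={key}"
    if mode == "js":
        # JS verification: only a client that executes script follows this.
        return f"<script>location.replace({json.dumps(target)});</script>"
    if mode == "meta":
        # META verification: a client that honours <meta refresh> follows this.
        return f'<meta http-equiv="refresh" content="0;url={target}">'
    raise ValueError(f"unknown mode {mode!r}")


def check_request(client_ip: str, url: str, now: int, mode: str = "js"):
    """Return ('challenge', body), ('pass', None) or ('block', None)."""
    parsed = urlparse(url)
    keys = parse_qs(parsed.query).get(KEY_PARAM)
    if not keys:
        # No key yet: do not block, hand the client a challenge instead.
        return "challenge", challenge_body(url, make_key(client_ip, parsed.path, now), mode)
    if verify_key(client_ip, parsed.path, keys[0], now):
        return "pass", None
    # A key that fails to validate is an attack characteristic: intercept.
    return "block", None
```

`check_request` hands a challenge to a client that arrives without a key, passes a client that comes back with a valid key, and blocks one that presents a bad key. The key is bound to the path rather than the full URL, so the query string the client carries on the way back does not break verification.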

Slow Connection Attacks

  • Attack Introduction

The attacker uses the normal interaction mechanism of HTTP to establish a connection with the target server and then deliberately keeps the connection open and unfinished for as long as possible. If the attacker establishes a large number of such connections, the server's available connection and worker resources are exhausted and normal service cannot be provided. HTTP slow attacks are mainly Slow Headers attacks and Slow POST attacks.

Slow Headers attack (the technique used by the Slowloris tool): the attacker opens a connection with a GET or POST request line and then keeps sending fragments of the request header at long intervals, never sending the blank line (\r\n\r\n) that terminates the header block. The server keeps waiting for the end of the headers, so the connection stays occupied. With a large number of such connections, server resources are exhausted and service cannot be provided normally.

Slow POST attack: the attacker sends a POST request whose Content-Length is set to a very large value and then transmits the body a few bytes at a time at long intervals, so the server keeps waiting for the rest of the data. With a large number of such connections, server resources are exhausted and service cannot be provided normally.

  • Protection principle

DMS protects against Slow Headers attacks by enforcing a timeout on the request header and a threshold on the number of header packets: a connection whose header block has still not been terminated by \r\n\r\n after the time limit, or after too many packets, is dropped.

For Slow POST attacks, DMS enforces a threshold on the number of request packets relative to the declared length: a POST whose Content-Length is very large but whose packets each carry very little body data is identified as a slow attack and dropped.
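As an added example (not DMS code), the detector below applies both checks just described to the packets received on each connection: a Slow Headers verdict when the header block is not terminated by \r\n\r\n within a time or packet limit, and a Slow POST verdict when a large declared Content-Length either arrives in tiny packets or does not arrive within the body timeout. Because a slow client may simply go quiet, `sweep()` re-checks idle connections on a timer. All thresholds are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed thresholds for the example; a real node tunes them per site.
HEADER_TIMEOUT = 10.0        # seconds for the header block (through "\r\n\r\n") to arrive
MAX_HEADER_PACKETS = 20      # header packets allowed before the terminator arrives
BODY_TIMEOUT = 30.0          # seconds for a declared POST body to arrive in full
MAX_BODY_PACKETS = 20        # body packets allowed while the body is still incomplete
MIN_BODY_PACKET_BYTES = 64   # average body bytes per packet below this is "trickling"

_CL = re.compile(rb"^content-length:\s*(\d+)\s*$", re.I | re.M)


@dataclass
class Conn:
    started: float
    buf: bytes = b""
    header_packets: int = 0
    header_done_at: Optional[float] = None
    content_length: int = 0
    body_received: int = 0
    body_packets: int = 0
    verdict: Optional[str] = None


class SlowAttackDetector:
    """Per-connection state machine: feed() each received packet, sweep() on a timer."""

    def __init__(self):
        self.conns = {}

    def feed(self, conn_id: str, ts: float, data: bytes) -> Optional[str]:
        c = self.conns.setdefault(conn_id, Conn(started=ts))
        if c.verdict:
            return c.verdict
        if c.header_done_at is None:
            c.header_packets += 1
            c.buf += data
            end = c.buf.find(b"\r\n\r\n")
            if end < 0:
                return self._judge(c, ts)
            c.header_done_at = ts
            m = _CL.search(c.buf[:end])
            c.content_length = int(m.group(1)) if m else 0
            c.body_received = len(c.buf) - end - 4     # body bytes in the same packet
            c.buf = b""
        else:
            c.body_packets += 1
            c.body_received += len(data)
        return self._judge(c, ts)

    def sweep(self, now: float) -> dict:
        """Re-check every connection: a client that goes quiet must still time out."""
        return {cid: v for cid, c in self.conns.items() if (v := self._judge(c, now))}

    def _judge(self, c: Conn, now: float) -> Optional[str]:
        if c.verdict:
            return c.verdict
        if c.header_done_at is None:
            # Slow Headers: the blank line ending the header block never shows up.
            if now - c.started > HEADER_TIMEOUT or c.header_packets > MAX_HEADER_PACKETS:
                c.verdict = "slow-headers"
        elif c.body_received < c.content_length:
            # Slow POST: large Content-Length, body trickled in tiny packets or not at all.
            trickling = (c.body_packets >= MAX_BODY_PACKETS
                         and c.body_received / c.body_packets < MIN_BODY_PACKET_BYTES)
            if now - c.header_done_at > BODY_TIMEOUT or trickling:
                c.verdict = "slow-post"
        else:
            c.verdict = "complete"            # headers and any declared body fully received
        return c.verdict
```

A verdict sticks once reached, so a connection flagged by `sweep()` stays flagged even if the client sends another fragment later. The packet-count rule catches a Slow POST before the body timeout fires, which matters because an attacker can tune the trickle rate to stay just under any pure timeout.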

POST Flood

  • Attack Introduction

Attackers use attack tools or zombie hosts under their control to send a large number of HTTP POST requests to the target server. Because each POST body has to be read and is usually handed to application logic, this consumes server resources and the server can no longer respond to normal requests.

  • Protection principle

DMS detects and intercepts POST Flood attacks through access control policies (IP blacklist, per-IP access rate and so on) combined with cookie verification, in which a client must return the cookie set by the node before its POST requests are accepted.
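Added example, not DMS code: the per-IP access frequency control and IP blacklist named under personalized policy configuration above and under POST Flood protection here, run over a constructed access log. It counts POST requests per source IP in a sliding window and keeps blocking an IP once it has exceeded the limit, so a flood source is cut off rather than re-admitted each time the window slides. The log format, window length, limit and blacklist entry are assumptions; cookie verification is not shown.

```python
import re
from collections import defaultdict, deque
from typing import Optional

# Assumed policy values for the example; a real node tunes these per site.
WINDOW = 10.0                    # sliding window length in seconds
MAX_POST_PER_WINDOW = 5          # POST requests one IP may make per window
BLACKLIST = {"198.51.100.77"}    # hypothetical operator-configured IP blacklist

# Constructed log format for the example: "<epoch> <ip> <method> <path> <status>"
_LINE = re.compile(r"^(\d+(?:\.\d+)?) (\S+) (GET|POST|HEAD|PUT|DELETE) (\S+) (\d{3})$")

# Constructed sample log: a normal visitor (192.0.2.5), a visitor whose POSTs are spread
# across two windows (192.0.2.8), a POST flood source (203.0.113.10) and a blacklisted IP.
SAMPLE_LOG = """\
1700000000 192.0.2.5 GET /index.html 200
1700000001 203.0.113.10 POST /login 200
1700000001 203.0.113.10 POST /login 200
1700000002 203.0.113.10 POST /login 200
1700000002 192.0.2.5 POST /login 302
1700000002 203.0.113.10 POST /login 200
1700000003 203.0.113.10 POST /login 200
1700000003 203.0.113.10 POST /login 200
1700000004 203.0.113.10 POST /login 200
1700000004 198.51.100.77 GET /index.html 200
1700000005 203.0.113.10 POST /login 200
1700000010 192.0.2.8 POST /comment 200
1700000011 192.0.2.8 POST /comment 200
1700000012 192.0.2.8 POST /comment 200
1700000013 192.0.2.8 POST /comment 200
1700000014 192.0.2.8 POST /comment 200
1700000030 192.0.2.5 POST /comment 200
1700000030 192.0.2.8 POST /comment 200
1700000031 192.0.2.8 POST /comment 200
1700000032 192.0.2.8 POST /comment 200
1700000033 192.0.2.8 POST /comment 200
1700000034 192.0.2.8 POST /comment 200
"""


class PostFloodPolicy:
    def __init__(self, window=WINDOW, limit=MAX_POST_PER_WINDOW, blacklist=BLACKLIST):
        self.window, self.limit = window, limit
        self.blacklist = set(blacklist)
        self.hist = defaultdict(deque)   # recent POST timestamps per IP
        self.blocked = set()             # IPs that exceeded the rate (dynamic blacklist)

    def decide(self, ts: float, ip: str, method: str) -> str:
        """Return 'block' or 'allow' for one request."""
        if ip in self.blacklist or ip in self.blocked:
            return "block"
        if method != "POST":
            return "allow"               # this policy counts POST requests only
        q = self.hist[ip]
        while q and ts - q[0] >= self.window:
            q.popleft()                  # drop timestamps that fell out of the window
        q.append(ts)
        if len(q) > self.limit:
            self.blocked.add(ip)         # keep blocking this source from now on
            return "block"
        return "allow"


def run_policy(log_text: str, policy: Optional[PostFloodPolicy] = None):
    """Apply the policy line by line; return (per-request verdicts, IPs blocked by rate)."""
    policy = policy or PostFloodPolicy()
    verdicts = []
    for line in log_text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue                     # ignore lines that do not parse
        ts, ip, method, path, _status = m.groups()
        verdicts.append((ip, method, path, policy.decide(float(ts), ip, method)))
    return verdicts, set(policy.blocked)
```

Running `run_policy(SAMPLE_LOG)` blocks the flood source from its sixth POST onward and the blacklisted address immediately, while both normal visitors stay allowed, including the one whose ten POSTs fall into two separate windows.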

