Last update: 2025-05-22 18:33:16
Distributed Denial of Service (DDoS) attacks are malicious acts in which attackers control botnets (zombie networks), proxy devices and similar resources to send a large volume of requests or data to the target website or server. As a result, the website loads slowly for normal users or becomes completely inaccessible. CDNetworks' DDoS protection builds on the scale of its CDN resources, combined with big data analysis and independently developed protection algorithms, to detect and scrub all kinds of DDoS attacks in real time, so that the website remains stably online even under a large-scale DDoS attack.
Once you turn on DDoS protection, CDNetworks will automatically detect and mitigate DDoS attacks on your website. You can also adjust and optimize the DDoS protection policies as needed.
CDNetworks automatically detects and mitigates OSI layer 3/4 DDoS attacks by default, including SYN Flood, ACK Flood, ICMP Flood, UDP Flood and various reflection attacks (such as NTP, Memcached and SSDP reflection). To protect the platform infrastructure and the availability of all customers, this protection is on by default and cannot be turned off.
DDoS protection at the application layer is based on the intelligent protection engine, which combines Managed Protection and Adaptive Protection mechanisms. Through automatic attack detection and dynamic adjustment of protection policies, it ensures the availability and stability of the business when the application layer (for example HTTP/HTTPS) is under DDoS attack.
Based on a massive attack signature database and the attack-and-defense experience of the security expert team, the managed rule set presets rules for common application-layer attacks such as abnormal request parameters, protocol specification violations and suspicious high-frequency requests. The rule set is deployed on CDNetworks' globally distributed edge nodes to support accurate attack matching and interception within seconds.
Automated attack monitoring: Based on the capabilities of the CDNetworks security big data platform, a machine learning model continuously analyzes each website's business request baseline and monitors the hostname's traffic characteristics, request distribution, origin server response status and other indicators, to determine the attack type, attack intensity and origin server status in real time.
Adaptive protection policies: The protection mode is switched automatically based on the selected protection level and the detected attack status:
Hostname access, learning begins: When a new hostname is accessed, the engine automatically issues a preset threshold according to the selected protection level, so that the service is protected from the start. Meanwhile, the engine generates a service-specific protection threshold and AI protection rules through 2-6 hours of domain name traffic learning, and updates them dynamically every hour to achieve accurate attack localization and adaptive protection.
The first line of defense - Edge defense activated, quick interception: When a hostname suffers a small-scale CC (HTTP flood) attack, the “Enable During Attack” managed rules deployed at the edge nodes take effect quickly, intercepting and handling the attack within seconds. Details of the managed rule modes can be found under Rule Mode below.
The second line of defense - Full hostname protection enabled, large-scale cleaning: When the system detects that the attack traffic keeps increasing, it delivers the “Enable During Attack” managed rules at the hostname level to clean the attack traffic.
The third line of defense - Adaptive protection rules generated, origin server protected: If the system detects that the attack still gets past the rules and affects the availability of the origin server, AI intelligent protection strengthens the protection, locating the attack and issuing the corresponding rules according to the specific attack characteristics it has learned. The currently supported types of AI rules are as follows:
The attack is over: When the system detects that a hostname's traffic has not met the attack criteria for 15 minutes, it judges that the attack is over. At this point, the “Enable During Attack” rules are deactivated and all AI rules are deleted.
After enabling Anti-DDoS at the application layer, you need to select the appropriate protection level according to the needs of your business scenario. Each level affects the attack detection sensitivity and the AI rule generation threshold. Refer to the following table when selecting a level:

Level | Protection Effect | Application Scenario | Attack Detection Sensitivity | Adaptive Protection Rule Generation Threshold |
---|---|---|---|---|
Loose | By default, the AI engine blocks specific malicious attacks that are known, and it only starts adaptive protection when it detects that the availability of the website is significantly reduced due to attacks. The probability of false interception of normal requests is extremely low. | It is suitable for websites with a large number of requests and strong processing capabilities, or special business scenarios such as an activity. | Low (Required Condition: The system detects a significant drop in the availability of the origin server) | Middle |
Moderate (Recommended) | It can effectively protect against common malicious attacks and adapt to most business scenarios. | It is suitable for websites with stable request volume and normal business processing capabilities. | Middle | Middle |
Strict | Enable strict protection policies for malicious attacks, which may lead to partial false blocking. | It is suitable for websites with a small number of requests and weak processing capabilities, or suitable for business scenarios with strict cleaning requirements. | High | High |

Note: The AI engine determines whether a hostname is under CC attack based on metrics such as the request volume and availability of the domain name. Because a promotional activity is often accompanied by high request volume and reduced availability, false positives are likely in that scenario; it is recommended to manually adjust the policy before the event to avoid them.
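The tiered flow described above (preset threshold, edge rules, hostname-wide rules, AI rules, and the 15-minute quiet period before the attack is declared over) and the effect of the protection level on detection sensitivity can be illustrated with a small state machine. The following is an added example, not CDNetworks code: the only figure it takes from this page is the 15-minute attack-over window; the per-level rate factors, the origin availability cutoff, the escalation factor, the `Sample` fields and the traffic series are all constructed assumptions, and the "Loose" level is modelled as requiring an origin availability drop, as the table's required-condition column states.

```python
"""Added illustration (not CDNetworks code) of the tiered adaptive detection flow:
escalation from edge rules to hostname-wide rules to AI rules, and the 15-minute
quiet period after which the attack is declared over and AI rules are deleted.
All numeric thresholds except the 15-minute window are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

ATTACK_OVER_QUIET_MINUTES = 15   # page: 15 minutes without attack conditions

# Constructed per-level sensitivity: request-rate multiple over the learned
# baseline that counts as an attack, and whether detection also requires a
# visible drop in origin availability (the 'Loose' level's required condition).
LEVELS = {
    "Loose":    {"rate_factor": 5.0, "require_origin_drop": True},
    "Moderate": {"rate_factor": 3.0, "require_origin_drop": False},
    "Strict":   {"rate_factor": 2.0, "require_origin_drop": False},
}
ORIGIN_OK_MIN = 0.90     # below this fraction of successful origin responses = availability drop
HOSTNAME_FACTOR = 10.0   # rate multiple at which edge rules escalate to hostname-wide cleaning


@dataclass
class Sample:
    minute: int
    rps: float        # requests per second seen for the hostname (constructed)
    origin_ok: float  # fraction of origin responses that succeeded, 0..1 (constructed)


@dataclass
class Engine:
    level: str
    baseline_rps: float              # stands in for the 2-6 h learned baseline
    tier: int = 0                    # 0 normal, 1 edge, 2 hostname-wide, 3 AI rules
    quiet_minutes: int = 0
    ai_rules: List[str] = field(default_factory=list)

    def attack_condition(self, s: Sample) -> bool:
        cfg = LEVELS[self.level]
        origin_drop = s.origin_ok < ORIGIN_OK_MIN
        rate_high = s.rps > self.baseline_rps * cfg["rate_factor"]
        if cfg["require_origin_drop"]:
            return origin_drop
        return rate_high or origin_drop

    def step(self, s: Sample) -> Tuple[int, str]:
        """Process one minute of samples; return (tier after this minute, event or '')."""
        event = ""
        if self.attack_condition(s):
            self.quiet_minutes = 0
            wanted = 1                                   # first line: edge rules
            if s.rps > self.baseline_rps * HOSTNAME_FACTOR:
                wanted = 2                               # second line: hostname-wide cleaning
            if self.tier >= 2 and s.origin_ok < ORIGIN_OK_MIN:
                wanted = 3                               # third line: attack still reaching origin
            if wanted > self.tier:                       # escalation is monotone during an attack
                self.tier = wanted
                event = {1: "edge rules enabled", 2: "hostname rules enabled",
                         3: "AI rule generated"}[wanted]
                if wanted == 3:
                    # Constructed rule name in the page's 'AI_' naming style.
                    self.ai_rules.append(f"AI_example_rate_{s.minute}")
        elif self.tier > 0:
            self.quiet_minutes += 1
            if self.quiet_minutes >= ATTACK_OVER_QUIET_MINUTES:
                self.tier, self.quiet_minutes = 0, 0
                self.ai_rules.clear()                    # AI rules deleted, attack rules deactivated
                event = "attack over"
        return self.tier, event


def run(samples: List[Sample], level: str = "Moderate",
        baseline_rps: float = 100.0) -> List[Tuple[int, int, str]]:
    """Replay samples through the engine; return (minute, tier, event) for each event."""
    eng = Engine(level, baseline_rps)
    out = []
    for s in samples:
        tier, event = eng.step(s)
        if event:
            out.append((s.minute, tier, event))
    return out


def constructed_series() -> List[Sample]:
    """Constructed traffic: calm, a 3.5x surge, a 13x surge, origin degradation, then calm."""
    series = []
    for m in range(45):
        if m < 5:
            rps, ok = 100.0, 0.99
        elif m < 8:
            rps, ok = 350.0, 0.98      # edge-level surge
        elif m < 11:
            rps, ok = 1300.0, 0.97     # hostname-level surge
        elif m < 14:
            rps, ok = 1300.0, 0.60     # attack reaching the origin
        else:
            rps, ok = 100.0, 0.99      # attack stops
        series.append(Sample(m, rps, ok))
    return series


if __name__ == "__main__":
    for level in ("Loose", "Moderate", "Strict"):
        print(level, run(constructed_series(), level))
```

Running the same series at "Loose" shows the level's effect: detection waits until origin availability actually drops, so the edge tier is skipped and the engine jumps straight to hostname-wide rules, while "Moderate" escalates through all three tiers; in both cases the attack is declared over 15 minutes after the last attack-condition minute and the AI rules list is emptied.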
In most cases, we recommend that you keep managed rule protection enabled by default and leave the associated action and rule mode unchanged.
If your business expects a legitimate traffic surge (for example a big promotion or a new product launch), you can avoid false interceptions by adjusting the configuration items of the managed rules. There are two configuration items: Action and Rule Mode.

Action | Description |
---|---|
Deny | Intercept request and respond to a 403 |
Log | Only logs are recorded, and requests are not processed |
DDoS Managed Challenge | Dynamically select the appropriate way to challenge based on request characteristics, including Cookie validation and JavaScript validation |
Deny Connection | Releases established TCP connections with clients and rejects new connections |

Rule Mode | Description |
---|---|
Default On | Always in effect regardless of whether an attack is detected |
Enable During Attack | When the intelligent engine detects an attack on a hostname, it enables the rule for this mode |
Essentially Off | Only when the intelligent engine detects that the hostname has been attacked and the scale of the attack has affected the performance of the node infrastructure, the rules of this mode take effect |
Not Used | Never in effect regardless of whether an attack is detected |

Managed rules with the action “DDoS Managed Challenge” perform a Cookie Challenge or JavaScript Challenge based on request characteristics, and are only applicable to Web/H5 webpage-type websites. If your website serves a native app, hybrid app, callback API or other non-browser business, you need to add an exception for the request characteristics of the app/API to avoid a large number of false positives.

Type | Description | Need to add an exception? | Note |
---|---|---|---|
Native App | Developed with the official development languages, libraries and tools of the Android and iOS platforms, for example Android's Java language and iOS's Objective-C language. | Generally no exception is needed. | The managed rule whose action is “DDoS Managed Challenge” only takes effect for a browser User-Agent (Mozilla or Opera). If your native app uses a browser User-Agent, you need to add an exception. |
Hybrid App | Uses native app development technology together with HTML5 development technology; a hybrid application of native and HTML5 technology. | An exception is required. | Exceptions should be based on the characteristics of your hybrid app. When native page requests and HTML5 page requests have distinctly different characteristics, it is recommended to add exceptions only for the characteristics of the native page requests, such as User-Agent=AppName/1.0.0 (Android; 10; Pixel 3) okhttp/3.8.1. |
Callback API | When a certain event occurs, the system automatically calls the registered callback function to process the related data. Such as payment callback API, data sync callback API, etc. | An exception is required. | Exceptions should be made based on the characteristics of your callback API, such as URI=/api/callback. |
Other Program API | Other program APIs that do not support “DDoS Managed Challenge”. | An exception is required. | Exceptions should be made based on the characteristics of your program API, such as URI=/api/other. |

For specific configuration steps, refer to: Set App/API Exceptions
The configured App/API exceptions only apply to managed rules with the action “DDoS Managed Challenge”.
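The Action and Rule Mode tables above, together with the exception rules for the managed challenge, determine what happens to a given request. The following added example (not CDNetworks code) models that decision so the interactions can be checked: a rule is only consulted when its mode is in effect for the current attack state, the challenge is skipped for non-browser User-Agents, and App/API exceptions exempt a request only from rules whose action is “DDoS Managed Challenge”. The `Request` fields, the `AttackState` values, the `(field, value)` exception format with prefix matching, and the rule signature predicate are constructed assumptions; the sample User-Agent and URI values reuse the examples given in the table above.

```python
"""Added illustration (not CDNetworks code) of how a managed rule's Rule Mode,
Action and App/API exceptions combine to decide the fate of one request.
The mode and action semantics follow this page's tables; Request, AttackState,
the exception format and the rule signature predicate are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Tuple


class AttackState(Enum):
    NONE = "no attack detected"
    DETECTED = "attack detected on hostname"
    INFRA_IMPACT = "attack affects node infrastructure"


class RuleMode(Enum):
    DEFAULT_ON = "Default On"
    ENABLE_DURING_ATTACK = "Enable During Attack"
    ESSENTIALLY_OFF = "Essentially Off"
    NOT_USED = "Not Used"


class Action(Enum):
    DENY = "Deny"
    LOG = "Log"
    MANAGED_CHALLENGE = "DDoS Managed Challenge"
    DENY_CONNECTION = "Deny Connection"


@dataclass
class Request:
    user_agent: str
    uri: str


@dataclass
class ManagedRule:
    name: str
    action: Action
    mode: RuleMode
    hits: Callable[[Request], bool]   # hypothetical stand-in for the rule's signature


# App/API exception entry: (field, value). Assumed matching: User-Agent by prefix
# (the app name/version part), URI by path prefix.
ExceptionEntry = Tuple[str, str]


def mode_active(mode: RuleMode, state: AttackState) -> bool:
    """Rule Mode table: when a rule in this mode is in effect."""
    if mode is RuleMode.DEFAULT_ON:
        return True
    if mode is RuleMode.ENABLE_DURING_ATTACK:
        return state is not AttackState.NONE
    if mode is RuleMode.ESSENTIALLY_OFF:
        return state is AttackState.INFRA_IMPACT
    return False                                   # Not Used: never in effect


def is_browser_ua(user_agent: str) -> bool:
    """The managed challenge only takes effect for browser User-Agents (Mozilla or Opera)."""
    return user_agent.startswith(("Mozilla", "Opera"))


def matches_exception(req: Request, exceptions: List[ExceptionEntry]) -> bool:
    for field_name, value in exceptions:
        if field_name == "User-Agent" and req.user_agent.startswith(value):
            return True
        if field_name == "URI" and req.uri.startswith(value):
            return True
    return False


def evaluate(req: Request, rule: ManagedRule, exceptions: List[ExceptionEntry],
             state: AttackState) -> str:
    """Return the disposition of one request under one managed rule."""
    if not mode_active(rule.mode, state) or not rule.hits(req):
        return "pass"
    if rule.action is Action.MANAGED_CHALLENGE:
        # Exceptions apply only to this action; non-browser UAs are never challenged.
        if not is_browser_ua(req.user_agent) or matches_exception(req, exceptions):
            return "pass"
        return "challenge"              # Cookie or JavaScript validation
    if rule.action is Action.DENY:
        return "403"                    # intercept the request, respond 403
    if rule.action is Action.LOG:
        return "logged"                 # recorded only, request not processed
    return "connection-closed"          # Deny Connection: drop the TCP connection


def demo() -> dict:
    """Constructed sample: two rules whose signature hits every request."""
    def always_hit(_: Request) -> bool:
        return True
    challenge_rule = ManagedRule("suspicious high-frequency requests", Action.MANAGED_CHALLENGE,
                                 RuleMode.ENABLE_DURING_ATTACK, always_hit)
    deny_rule = ManagedRule("protocol violation", Action.DENY, RuleMode.ESSENTIALLY_OFF, always_hit)
    exceptions = [("User-Agent", "AppName/1.0.0"), ("URI", "/api/callback")]
    browser = Request("Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0", "/index.html")
    native = Request("AppName/1.0.0 (Android; 10; Pixel 3) okhttp/3.8.1", "/home")
    callback = Request("Mozilla/5.0 (compatible; PayGateway/2.1)", "/api/callback")
    return {
        "no attack, browser": evaluate(browser, challenge_rule, exceptions, AttackState.NONE),
        "attack, browser": evaluate(browser, challenge_rule, exceptions, AttackState.DETECTED),
        "attack, native app": evaluate(native, challenge_rule, exceptions, AttackState.DETECTED),
        "attack, callback API": evaluate(callback, challenge_rule, exceptions, AttackState.DETECTED),
        "attack, deny rule": evaluate(callback, deny_rule, exceptions, AttackState.DETECTED),
        "infra impact, deny rule": evaluate(callback, deny_rule, exceptions, AttackState.INFRA_IMPACT),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:28s} -> {outcome}")
```

The last two cases are the ones worth noticing: the callback URI is listed as an exception, yet once the "Essentially Off" deny rule becomes active (attack scale affecting node infrastructure) the request is still denied, because exceptions only cover the managed challenge action.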
When Adaptive Protection is enabled, the engine automatically issues the corresponding rules for protection according to the selected protection level and the attack characteristics. Usually, it is recommended that you turn it on and keep the mode set to Protect to ensure the best protection effect.
If you want to observe and analyze traffic characteristics in advance, or if you need to reduce the risk of false interception during an attack, you can adjust the intelligent mode based on your actual business requirements. The selected mode determines the action of the rules issued by the engine; the correspondence and a description of each mode are shown in the following table:

Mode | Corresponding Action | Description |
---|---|---|
Protect(Default) | Deny | The rules directly block requests that hit the rules |
Protect(Managed) | DDoS Managed Challenge | Based on the request characteristics of the web client, the system adaptively triggers the cookie or JavaScript verification mechanism, so as to effectively reduce the false interception rate in this scenario |
Monitor | Log | Only requests that hit the rule are logged in the attack log |

By viewing the name of an intelligent protection rule, you can quickly identify the attack type during operations. Rule naming method: AI_
Because attackers tend to bypass defenses by constantly changing attack signatures, and to reduce the risk of false interception when there is no attack, adaptive protection rules are generated only during attacks and are automatically deleted 15 minutes after the attack stops. If your analysis shows that a certain protection rule effectively protects against repeated attacks, you can manually configure it as a Custom Rule or a Rate Limiting rule based on the rule information description, to protect the website continuously. You can view the rule deployment history by: