About DDoS Protection

Last updated: 2026-03-24 17:05:10

A Distributed Denial of Service (DDoS) attack is a malicious act in which the attacker controls a botnet or proxy devices to send a large volume of requests or data to the target website or server, resulting in slow loading or even complete inaccessibility for legitimate users.

Leveraging its CDN resources, together with big data analytics and independently developed protection algorithms, CDNetworks detects and mitigates various types of DDoS attack traffic in real time at both the network layer and the application layer, so that websites remain stable and online even during large-scale DDoS attacks.

L3/4 DDoS Protection

By default, CDNetworks automatically detects and mitigates OSI layer 3/4 DDoS attacks, including SYN Flood, ACK Flood, ICMP Flood, UDP Flood, and various reflection attacks (such as NTP reflection, Memcache reflection, and SSDP reflection).

L7 DDoS Protection

DDoS protection at the application layer is based on the Adaptive Protection engine, which combines the Managed Protection and Adaptive Protection mechanisms. When the application layer (such as HTTP/HTTPS) comes under a DDoS attack, the engine keeps the business available and stable through automatic attack detection and dynamic adjustment of protection policies. The protection mechanism works as follows:

Dual Mechanisms for Coordinated Protection

1. Managed Rule Protection

Drawing on a massive attack feature database and the security expert team's attack and defense experience, the managed rule set provides preset rules for common application-layer attacks such as abnormal request parameters, protocol specification violations, and suspicious high-frequency requests. The rule set is deployed on CDNetworks' globally distributed edge nodes, where it matches and blocks attacks accurately within seconds.

2. Adaptive Protection

  • Automated Attack Monitoring: Based on the capabilities of CDNetworks' security big data platform, a machine learning model continuously analyzes each website's business request baseline and monitors per-hostname indicators such as traffic features, request distribution, and origin server response status to determine the attack type, attack intensity, and origin status in real time.
  • Adaptive Protection Policies: The protection mode switches automatically based on the selected protection level and the detected attack status:
    When a hostname is under a CC attack, managed rules are adaptively enabled first to block it.
    When the managed rules do not completely block the attack and the availability of the origin server is still threatened, the system automatically identifies abnormal attack requests and generates protection rules using a self-developed algorithm. These rules apply multi-dimensional handling such as dynamic IP blocking, human-machine verification, and request rate limiting, mitigating new types of application-layer DDoS attacks to protect the origin server.

Overall Protection Logic

1. Traffic learning begins after the hostname is onboarded: When a new hostname is onboarded, the engine automatically issues a preset threshold according to the selected protection level, so that the service is protected from the start. Meanwhile, the engine generates a service-specific protection threshold and AI protection rules through 2-6 hours of domain name traffic learning, and dynamically updates them every hour to achieve accurate attack detection and adaptive protection.

2. The first line of protection - Edge protection activated with quick blocking: When a hostname is under a small number of CC attacks, the “Enable During Attack” managed rule deployed at the edge node takes effect quickly, blocking and handling the attack within seconds.

3. The second line of protection - Full hostname protection enabled with large-scale traffic scrubbing: When the system detects an increasing trend in bypassed attack traffic, it delivers the “Enable During Attack” managed rule at hostname granularity to implement traffic scrubbing.

4. The third line of protection - Adaptive protection rules are generated to protect the origin server: If the system detects that attack traffic is bypassing protection and affecting the availability of the origin server, Adaptive Protection strengthens the protection, detects the attack, and issues the corresponding rules according to the specific attack features it has learned. The currently supported types of AI-related rules are as follows:

  • Rate limiting rules are used to protect against high-frequency attacks;
  • Empty request header rules are used to protect against attacks where the request header is abnormally empty;
  • UA-specific rules are used to protect against attacks with abnormal UA;
  • JA4 rules are used to protect against attacks with abnormally aggregated JA4 fingerprints.

5. The attack is over: When the traffic of a hostname has not met the conditions for determining an attack for 20 minutes, the system determines that the attack is over. At that point, the “Enable During Attack” rule is deactivated, and all deployed AI-related rules are deleted.
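
An illustrative model of steps 2 to 5 above, added here as an example and not CDNetworks' implementation: the stage names, the `RATE_THRESHOLD` and `ORIGIN_5XX_LIMIT` values, the escalation conditions and the per-minute samples are assumptions; only the 20-minute end-of-attack window comes from the page. It shows that a 15-minute lull followed by a new burst keeps the rules in place, because the quiet clock restarts.

```python
from dataclasses import dataclass, field

QUIET_MINUTES = 20         # from the page: attack ends after 20 quiet minutes
RATE_THRESHOLD = 1000      # assumed requests/min that count as an attack
ORIGIN_5XX_LIMIT = 0.20    # assumed origin error share meaning "availability threatened"

@dataclass
class Sample:              # one minute of constructed telemetry for one hostname
    requests: int          # requests arriving at the edge
    bypassed: int          # attack requests that still reached the origin
    origin_5xx: float      # share of origin responses that were 5xx

@dataclass
class Engine:              # hypothetical model of the staged escalation
    stage: str = "normal"
    quiet: int = 0
    prev_bypassed: int = 0
    ai_rules: list = field(default_factory=list)

    def step(self, s: Sample) -> str:
        if s.requests <= RATE_THRESHOLD:
            self.quiet += 1
            if self.stage != "normal" and self.quiet >= QUIET_MINUTES:
                self.stage, self.ai_rules = "normal", []    # step 5: rules withdrawn
        else:
            self.quiet = 0                                  # an attack minute restarts the clock
            if self.stage == "normal":
                self.stage = "edge_managed"                 # step 2: rule active at the edge
            elif self.stage == "edge_managed" and s.bypassed > self.prev_bypassed:
                self.stage = "hostname_managed"             # step 3: hostname-wide scrubbing
            elif self.stage == "hostname_managed" and s.origin_5xx > ORIGIN_5XX_LIMIT:
                self.stage = "adaptive"                     # step 4: generated rules
                self.ai_rules = ["rate_limit"]              # placeholder rule type
        self.prev_bypassed = s.bypassed
        return self.stage

def constructed_timeline():
    calm, hit = Sample(200, 0, 0.0), Sample(5000, 100, 0.0)
    return ([calm, hit, Sample(5000, 400, 0.05), Sample(5000, 600, 0.40)]
            + [calm] * 15 + [Sample(5000, 50, 0.10)] + [calm] * 20)

def run(samples):
    engine = Engine()
    return [engine.step(s) for s in samples], engine

if __name__ == "__main__":
    stages, engine = run(constructed_timeline())
    for minute, stage in enumerate(stages):
        print(minute, stage)
```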