I moved two websites to Aliyun: one because Aliyun is stable, the other because of the much-hyped Cloud Shield (Yun Dun). Earlier, in the blog federation group, a simulated CC attack was run against a blog hosted on an Aliyun ECS; the result was that Cloud Shield did not respond at all and the site went down.
This time I deliberately looked into the CC protection function of Cloud Shield and found that some friends are probably not using the WAF correctly. So in this article I will briefly share the correct way to use the Aliyun Cloud Shield WAF site defense.
I. Domain name resolution
Most people just turn Cloud Shield on and leave it at that, which is also why, after a CC attack, many find that Cloud Shield did not respond. In fact, WAF defense must be used together with domain name resolution.
Aliyun's WAF site defense is essentially Baidu Cloud Acceleration or 360 Website Guard without the caching mechanism, but it currently supports only the CNAME access mode. It will later be combined with Wanwang (Aliyun's registrar) resolution; whether a new NS access mode will follow is unknown:
As shown in the figure above, to enable WAF site defense you must, in your domain's DNS settings, point the host record via CNAME to the CNAME address generated by Cloud Shield. A user's visit to the site then takes this path:
User browser → DNS resolution → CNAME to Cloud Shield server → origin server
When an attack comes, the traffic passes through the Cloud Shield node and triggers its cleaning mechanism, which is what provides the CC/DDoS protection.
Of course, some friends do know how to use the WAF but, for SEO reasons, only switch the site to the CNAME record when it is under attack. The reason is that a CNAME pointing at the Aliyun WAF domain resolves to IPs that are not fixed. This is the same as with cloud acceleration services, but unfortunately the WAF has no automatic back-to-origin mechanism for search engines, so with CNAME in use the frequently changing IP hurts SEO!
As shown in the figure below, after enabling WAF the website's IP becomes the Cloud Shield node IP:
So how do we solve this? Friends who have read an earlier Zhanggo blog article will already know the answer: it is the same trick as changing records without affecting SEO. Point the default line via CNAME to the Aliyun WAF address, then add a search engine line that points to the origin server IP. This lets you keep the Cloud Shield WAF defense on permanently without affecting SEO!
I thought Baidu's own Cloud Acceleration DNS would have the most reliable search engine line detection (for sites that depend on Baidu traffic), since it is their own product and they know exactly which IPs their spiders use. But actual testing showed that Baidu Cloud Acceleration currently does not support a CNAME on the default line together with a new search engine line; it reports that the record already exists!
PS: The preview ("taste") version of Baidu Cloud Acceleration does support it; the address is http://next.su.baidu.com, and those interested can test it themselves.
Thinking about it further: Baidu may know its own spiders thoroughly, but what about the others, such as Sogou or 360? I would guess only half-baked. For completeness I recommend using DNSPod for resolution, for no other reason than the figure below:
DNSPod has cooperated with Baidu, so there is a dedicated Baidu line plus additional search engine lines; presumably its collection of spider IPs is more complete than Baidu Cloud Acceleration's!
So the correct resolution setup looks like this:
With this setup you can not only use Aliyun WAF defense with confidence, but also hide your site's real IP, avoiding the embarrassment of the origin server being attacked directly by IP (if the attacker resolves your domain to the origin IP through a local hosts file, no CDN protection helps at all!)
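To make the line-based setup concrete, here is an added example (my own illustration, not code from the original post, DNSPod or Aliyun) that models a zone with a default line CNAMEd to the WAF address and search engine lines answering with the origin A record. The resolver picks the line from the source network of the querying recursive resolver, the way a DNS provider's "search engine line" works. All domain names, IPs and spider ranges are constructed placeholders; the helper `origin_exposed_to` is a hypothetical check that reports which resolvers would learn the origin IP from DNS alone.

```python
"""Model of line-based DNS resolution: default line -> WAF CNAME,
search engine lines -> origin A record. Constructed example data."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed spider source ranges; a real provider maintains these lists.
SEARCH_ENGINE_LINES: Dict[str, List[ipaddress.IPv4Network]] = {
    "baidu": [ipaddress.ip_network("203.0.113.0/24")],
    "sogou": [ipaddress.ip_network("198.51.100.0/25")],
}

ORIGIN_IP = "192.0.2.10"  # constructed origin server address

# One record per line for a hypothetical blog zone.
ZONE: Dict[str, Tuple[str, str]] = {
    "default": ("CNAME", "example-waf.cloud-shield.invalid."),
    "baidu": ("A", ORIGIN_IP),
    "sogou": ("A", ORIGIN_IP),
}


def classify_line(resolver_ip: str) -> str:
    """Map the querying resolver's IP to a DNS line (default if no match)."""
    addr = ipaddress.ip_address(resolver_ip)
    for line, nets in SEARCH_ENGINE_LINES.items():
        if any(addr in net for net in nets):
            return line
    return "default"


def resolve(resolver_ip: str) -> Tuple[str, str]:
    """Return the (record type, value) the zone answers for this resolver."""
    return ZONE[classify_line(resolver_ip)]


def origin_exposed_to(resolver_ips: List[str]) -> List[str]:
    """Which of these resolvers would see the origin IP instead of the WAF CNAME?"""
    return [ip for ip in resolver_ips if resolve(ip) == ("A", ORIGIN_IP)]


if __name__ == "__main__":
    for ip in ["203.0.113.5", "198.51.100.200", "8.8.8.8"]:
        print(ip, "->", classify_line(ip), resolve(ip))
```

The point of `origin_exposed_to` is the check you want before relying on this setup: every resolver outside the spider ranges should get the CNAME, so the origin IP is only ever answered to the search engine lines.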
II. Protection settings
Perhaps you have enabled Cloud Shield and set up resolution correctly, yet a CC attack still gets no response from Cloud Shield?! You also need to configure the DDoS protection advanced settings, because the default Cloud Shield DDoS protection threshold is far too high, as follows:
Cleaning trigger values: request traffic per second: 180M; packets per second: 30000; HTTP requests per second: 1000
For the small blogs we run on Aliyun, bandwidth is mostly only 1~2M; 2M of request traffic or 100+ concurrent requests is already enough to bring the site down! So even friends who have enabled WAF defense correctly find the site crawling when attacked!
Therefore the threshold must be set according to your website's actual traffic.
Looking at the options, the lowest request traffic value is 10Mbps, i.e. 10M of bandwidth, so for an ordinary ECS server this setting is useless because the pipe is too small. We therefore need to set the other threshold: HTTP concurrent requests.
For my 1M-bandwidth ECS I believe 100 concurrent requests would already stall the server, so I consider setting it to 50:
PS: Of course, sites with static/dynamic separation through a CDN, such as friends using Qiniu CDN, can set 100+; in short, go by the actual situation.
The threshold is only the trigger condition; below it there is also a post-trigger cleaning limit. Once concurrency exceeds the threshold, Cloud Shield limits the number of connections per single IP, and anything over that limit gets a 503:
In principle, once the cleaning threshold is triggered, the per-IP connection limit should be as low as possible without locking normal visitors out. How to define this limit depends on the actual situation! You can simulate an attack to find a reasonable limit, but you must also account for LANs that share a single public IP (it depends on your site's audience).
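The two-stage logic described in this section (a global requests-per-second threshold that triggers cleaning, then a per-IP connection limit that returns 503 while cleaning is active) is easier to reason about with a small simulation. The following is an added example, my own illustration rather than Aliyun's implementation, run over a constructed access log in which two normal visitors are joined by a flood from a single source. The threshold of 50 follows the post's suggestion for a 1M ECS; the per-IP limit, the cleaning duration and all IPs are constructed values, and `run_cleaning` is a hypothetical helper that lets you vary the per-IP limit to see the collateral effect on a shared-IP visitor.

```python
"""Simulation of threshold-triggered cleaning with a per-IP connection limit.
Constructed traffic and thresholds; not Cloud Shield's real algorithm."""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

TRIGGER_RPS = 50     # HTTP requests per second that trigger cleaning
PER_IP_LIMIT = 5     # requests per IP per second allowed while cleaning
CLEAN_SECONDS = 10   # how long cleaning stays active after a trigger


def build_sample_log() -> List[Tuple[int, str]]:
    """Constructed log of (second, client_ip): two normal visitors throughout,
    plus a 60 req/s flood from one source starting at second 1."""
    log: List[Tuple[int, str]] = []
    for t in range(4):
        log += [(t, "198.51.100.7"), (t, "198.51.100.8")]  # normal visitors
        if t >= 1:
            log += [(t, "203.0.113.66")] * 60  # single-source CC flood
    return log


def run_cleaning(
    log: List[Tuple[int, str]],
    trigger_rps: int = TRIGGER_RPS,
    per_ip_limit: int = PER_IP_LIMIT,
    clean_seconds: int = CLEAN_SECONDS,
) -> Dict[str, Counter]:
    """Return, per client IP, a Counter of HTTP statuses (200 or 503).

    Stage 1: if a second's total request count exceeds trigger_rps, cleaning
    is switched on for the following clean_seconds.
    Stage 2: while cleaning is on, each IP gets at most per_ip_limit requests
    per second; the rest are answered with 503."""
    by_second: Dict[int, List[str]] = defaultdict(list)
    for t, ip in log:
        by_second[t].append(ip)

    clean_until = -1  # second until which cleaning stays active
    results: Dict[str, Counter] = defaultdict(Counter)
    for t in sorted(by_second):
        cleaning = t < clean_until
        seen_this_second: Counter = Counter()
        for ip in by_second[t]:
            seen_this_second[ip] += 1
            if cleaning and seen_this_second[ip] > per_ip_limit:
                results[ip][503] += 1
            else:
                results[ip][200] += 1
        # The trigger is evaluated after the second completes, so the first
        # flood second always passes through: that is the cost of a threshold.
        if len(by_second[t]) > trigger_rps:
            clean_until = t + clean_seconds
    return results


if __name__ == "__main__":
    for ip, statuses in run_cleaning(build_sample_log()).items():
        print(ip, dict(statuses))
```

In the sample run the flood source passes 60 requests in its first second (before the trigger fires) and only 5 per second afterwards, while the two normal visitors never see a 503. Lowering `per_ip_limit` to 1 or 2 shows the trade-off the post warns about: an office or campus behind one public IP would start hitting 503s during cleaning even though its users are legitimate.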
Having read this far, I believe many friends with Aliyun servers have gained something? In my view the Aliyun WAF serves two main purposes: basic DDoS protection and hiding the site's real IP. If your site is attacked often and Cloud Shield cannot clean it completely, you can add a layer of Baidu Cloud Acceleration on top of the setup in this article; when not under attack, set Baidu Cloud Acceleration to go back to origin and turn acceleration off. I will not go into the details; the picture explains it:
The site access path in this scenario is as follows:
User browser → DNS resolution → Baidu Cloud Acceleration node (cache enabled) → Aliyun Cloud Shield node → origin server
Of course, this scheme only applies to the Baidu Cloud Acceleration 3.0 preview version, address: http://.su.baidu.com/, those interested can study it themselves! That is all for now; time to wash up and sleep.
Latest update: After raising several support tickets I found out that Cloud Shield's DDoS protection and WAF are two different functions, so it seems I had misunderstood! To set the record straight: the DDoS (DD/CC) protection and the WAF settings are unrelated, i.e. it does not matter whether you set up the WAF CNAME, as long as DDoS protection is turned on! So part of this article is not quite right, but it must be said that enabling WAF as described here really does hide the real IP. Highly recommended!