Alibaba Cloud International Anti-DDoS Pro: How to Completely Block Malicious DDoS Attacks from Foreign Trade Peers?
The most infuriating thing about running an independent foreign trade site or a cross-border e-commerce store is not losing orders to competitors, but having a competitor go out of their way to take your site down.
You have just spent tens of thousands on Google advertising and the traffic is about to take off. Suddenly the website hangs and returns 502 errors, the advertising budget is burned for nothing, and all the customers have left. A look at the server console shows the bandwidth was instantly pushed to dozens of G, which makes it clear that a competitor hired hackers to use DDoS (Distributed Denial of Service) to wreck your business.
Foreign trade sites are generally hosted overseas. Faced with traffic floods in the hundreds of G, ordinary overseas cloud servers (such as a standard BandwagonHost or DigitalOcean instance, or even a standard Alibaba Cloud overseas ECS) cannot withstand it at all, and the data center will simply black-hole the server (block its IP).
This is where Alibaba Cloud Anti-DDoS (Anti-DDoS Pro/Premium) becomes your "body armor". Today I will skip the official jargon and use plain language and practical logic to explain how to use it to completely block malicious attacks from competitors.
Core underlying logic: How does Anti-DDoS Pro protect you?
Before you configure it, you need to understand how it works. Why does it prevent attacks?
In short, a body double takes the knife while the real body stays hidden.
Without an Anti-DDoS IP, your domain name resolves directly to the IP address of the origin server. A competitor only needs to look up the domain name to learn your real IP, and can then buy attack traffic and flood your server directly.
With an Anti-DDoS IP, your domain name resolves to Alibaba Cloud's Anti-DDoS IP instead. The Anti-DDoS IP works like a huge "traffic purification plant".
All incoming traffic (both normal customer traffic and hackers' junk traffic) passes through this Anti-DDoS IP first. Alibaba Cloud has a huge bandwidth reserve overseas. It scrubs and discards hundreds of gigabytes of junk traffic at its nodes and forwards only clean, real customer traffic back to your origin server through the intranet.
Practical Guide: Four Steps to Completely Intercept Malicious Attacks
Connecting a foreign trade website to Alibaba Cloud International Anti-DDoS comes down to four core steps. Follow this logic and it will take half an hour.
Step 1: Buy and choose the right version
Log in to the Alibaba Cloud International console and search for Anti-DDoS. You will be offered two versions: New World (Anti-DDoS Premium) and Hong Kong, China (Anti-DDoS Pro).
The iron rule for foreign trade sites: if your target customers are all in Europe, America, Southeast Asia, the Middle East and other overseas regions, choose the New World (Premium) version without hesitation. It uses global near-source scrubbing: attacks from Europe are scrubbed in Europe and attacks from North America are scrubbed in North America, with fast speeds and low bandwidth costs.
Choose the guaranteed bandwidth (such as 20Gbps or 50Gbps) according to how severe the competitor's attacks are. If the competitor is only launching small attacks, the guaranteed bandwidth is enough. If they go all out, you can turn on elastic protection.
Step 2: Add your website in the Anti-DDoS console (choose Layer 4 for non-website services)
Independent foreign trade sites (self-built Shopify-style stores, WordPress + WooCommerce, Magento, etc.) are all HTTP/HTTPS services and fall under Layer 7 protection.
Enter the Anti-DDoS console and click Provisioning (fill in the website information).
Domain name: for example, www.yourstore.com
Protocol Type: Select HTTP and HTTPS (currently, all international trade websites must use the HTTPS protocol).
Origin Server IP: Enter the actual IP address of your current server.
Step 3: Certificate and Security Policy Configuration (Critical)
Many foreign trade operators trip up at this step: Anti-DDoS is configured, but the website will not open, or it reports a certificate error.
Upload an SSL certificate: to scrub HTTPS traffic for you, Anti-DDoS must be able to decrypt it. You therefore need to upload the website's SSL certificate (public key and private key) to the Alibaba Cloud Anti-DDoS console. Rest assured, this is safe.
Turn on CC protection: besides large-volume floods (DDoS), the most common tactic is to use massive numbers of proxy IPs to hammer your search page and shopping cart, which is called a CC attack. In Anti-DDoS, set CC security protection to Normal or Strict. Alibaba Cloud will automatically identify bots that refresh dozens of times a second and present them with a verification code.
Step 4: Modify DNS Resolution (Go Live)
Once everything is configured, Alibaba Cloud Anti-DDoS will give you a CNAME address (or a dedicated Anti-DDoS IP).
Go to the console of your DNS provider (such as GoDaddy, Cloudflare, or Alibaba Cloud DNS):
Delete the record that originally pointed to your server IP.
Replace it with a CNAME record pointing to the long CNAME address given to you by Alibaba Cloud Anti-DDoS.
After the DNS change takes effect in a few minutes, all global access will go to Alibaba Cloud Anti-DDoS first.
Pitfall Guide: Why are you still being taken down after deploying Anti-DDoS?
Many foreign trade business owners come to complain: "I bought Anti-DDoS, so why is my website still down?"
90% of the time it is because your origin IP address has leaked. The hackers bypassed Anti-DDoS and hit your real server directly. The following three holes must be closed:
1. After switching to Anti-DDoS, the origin server IP must be replaced (most important!)
Before you connected to Anti-DDoS, your competitors already knew your old IP. Even though your domain name now resolves to Anti-DDoS, they can edit their local hosts file or simply flood your old IP directly with tools, and your server will still go down.
Correct approach:
After connecting to Anti-DDoS, go to the cloud server console and replace the server's IP (or open a ticket asking customer service to change it, or migrate the image directly to a new server). Do not let anyone know the new IP; enter it only in the Anti-DDoS console.
2. The server firewall allows only Anti-DDoS back-to-origin traffic
In theory, only Alibaba Cloud Anti-DDoS knows your new server IP. To prevent hackers from stumbling on the new IP by scanning IP ranges, set rules in the server's security group (firewall):
Allow only the back-to-origin IP ranges of Alibaba Cloud Anti-DDoS Pro to access your server, and reject all direct requests from any other IP address. (The back-to-origin IP list of Anti-DDoS Pro can be found in the Alibaba Cloud console.)
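One way to turn that rule into a host firewall and to check it against the origin's access log, as an added example that is not from the original article or from Alibaba Cloud. The CIDR ranges and log lines are constructed placeholders, the function names are hypothetical, and nftables stands in for the security group.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation ranges); replace them with
# the back-to-origin list shown in your own Anti-DDoS console.
BACK_TO_ORIGIN = ["203.0.113.0/25", "203.0.113.128/25", "198.51.100.16/28"]
# Constructed origin access-log lines; field 1 is the connecting peer address.
SAMPLE_LOG = [
    '203.0.113.77 - - [06/Jan/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '192.0.2.44 - - [06/Jan/2025:10:00:01 +0000] "GET /cart HTTP/1.1" 200 900',
    '198.51.100.20 - - [06/Jan/2025:10:00:02 +0000] "GET /search HTTP/1.1" 200 64',
]

def load_allowlist(cidrs, min_prefix=16):
    """Validate CIDRs (typos raise ValueError) and merge adjacent ranges."""
    nets = [ipaddress.IPv4Network(c.strip(), strict=True) for c in cidrs if c.strip()]
    for net in nets:
        if net.prefixlen < min_prefix:  # a pasted 0.0.0.0/0 would undo the rule
            raise ValueError(f"range too wide for an allowlist: {net}")
    return list(ipaddress.collapse_addresses(nets))

def render_nft(nets, ports=(80, 443)):
    """nftables ruleset: web ports reachable only from the allowlist."""
    elements = ", ".join(str(n) for n in nets)
    dports = ", ".join(str(p) for p in ports)
    return "\n".join([
        "table inet origin_guard {",
        "  set back_to_origin {",
        "    type ipv4_addr; flags interval;",
        f"    elements = {{ {elements} }}",
        "  }",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    tcp dport {{ {dports} }} ip saddr @back_to_origin accept",
        f"    tcp dport {{ {dports} }} drop",
        "  }",
        "}",
    ])

def direct_hits(access_log_lines, nets):
    """Peer IPs in an origin access log that did not arrive via Anti-DDoS."""
    hits = set()
    for line in access_log_lines:
        fields = line.split()
        if not fields:
            continue
        peer = ipaddress.ip_address(fields[0])
        if not any(peer in net for net in nets):
            hits.add(str(peer))
    return sorted(hits)
```

Any address returned by `direct_hits` reached the origin without passing through the scrubbing layer, which means the origin IP is known to someone other than Anti-DDoS.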
3. Watch out for IP disclosure in outgoing emails
If your foreign trade site automatically sends inquiry replies and registration verification codes to customers by email, and you use the server's own mail service (such as Postfix), the email headers will directly expose your server's real IP!
Correct approach:
You must use a third-party email delivery service (such as Mailgun, SendGrid, or Alibaba Cloud email push) so that emails are sent from the third party's servers.
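To confirm the leak is closed, send yourself a test message and scan its headers for the origin IP. The following is an added example, not code from the original article; the two messages, hostnames and the origin address 192.0.2.10 are constructed, and the function name is hypothetical.

```python
import email
import ipaddress
import re

# Dotted-quad candidates; each is validated with ipaddress before comparison.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed: mail handed to the customer's MX by Postfix on the origin itself.
DIRECT_SAMPLE = (
    "Received: from mail.yourstore.example (mail.yourstore.example [192.0.2.10])\n"
    "\tby mx.customer.example with ESMTPS; Mon, 06 Jan 2025 10:00:00 +0000\n"
    "From: shop@yourstore.example\n"
    "Subject: Your verification code\n"
    "\n"
    "Code: 000000\n"
)
# Constructed: the same mail delivered from a third-party service's server.
RELAY_SAMPLE = (
    "Received: from out.mailservice.example (out.mailservice.example [198.51.100.25])\n"
    "\tby mx.customer.example with ESMTPS; Mon, 06 Jan 2025 10:05:00 +0000\n"
    "From: shop@yourstore.example\n"
    "Subject: Your verification code\n"
    "\n"
    "Code: 000000\n"
)

def headers_leaking_origin(raw_message, origin_ips):
    """Return (header name, ip) pairs where any header exposes an origin IP."""
    origin = {ipaddress.ip_address(ip) for ip in origin_ips}
    msg = email.message_from_string(raw_message)
    leaks = []
    for name, value in msg.items():          # folded headers arrive as one value
        for candidate in IPV4.findall(str(value)):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:               # e.g. 999.1.1.1 inside an id string
                continue
            if ip in origin:
                leaks.append((name, str(ip)))
    return leaks

if __name__ == "__main__":
    for label, raw in (("direct", DIRECT_SAMPLE), ("relay", RELAY_SAMPLE)):
        print(label, headers_leaking_origin(raw, ["192.0.2.10"]))
```

Run the check on a real message received after switching providers as well, because an SMTP relay's own Received line can record the submitting host.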
Summary
Malicious competition in foreign trade is indeed infuriating, but there is no need to worry. A malicious DDoS attack, to put it bluntly, is hackers "burning money" to buy traffic.
Once you connect to Alibaba Cloud International Anti-DDoS and completely hide the origin IP, your competitor's attack traffic hits Alibaba Cloud's several T-level defense walls, like a drop of water falling into the sea without raising a splash. When he finds that, after burning thousands of yuan on a hacker service, your website still opens in seconds and orders keep coming in, he will give up on his own because he cannot afford the cost.
In cross-border business, security is the bottom line. Protecting your website is protecting your cash flow.

