
Recently I had drinks with a few friends who run businesses, and the talk turned to the headaches of operating a website. Long faces all round: pages load so slowly that people want to smash the computer, a traffic attack takes the site down at the drop of a hat, and the customer service phones ring off the hook. These days an enterprise website without a solid foundation is simply running naked on the Internet, and anyone who feels like it can come up and give it a couple of kicks.
I have been tinkering with websites for almost ten years now, I have touched everything from personal blogs to enterprise applications, and I have stepped in more potholes than I have eaten meals. So today I will simply speak from the heart about why Hong Kong CN2 GIA line anti-DDoS servers, this “magic weapon”, are privately recommended by many veterans. Don't mind my nagging: if some details are not spelled out, you really may waste your money.
First, a common problem with enterprise websites. On the surface it is “slow” and “laggy”; the root cause is often the line and the defense.
To save budget, many companies rent cheap shared hosting or a VPS on an ordinary international line, thinking that putting a CDN in front will take care of everything. The result? When Asian users access the site, packets travel halfway around the world, latency routinely exceeds 200ms, an image takes three to five seconds to load, and the users are long gone.
What's worse is security. The cost of an attack is now ridiculously low; any kid can rent a traffic platform and hit you with a wave of DDoS. I have seen plenty of enterprise sites that, just as business was picking up, were paralyzed for two days, and by the time they recovered the customers had gone cold. An ordinary server's defense is like paper in front of an attack, and once the operator starts scrubbing traffic, normal access suffers along with it.
There is a misconception here: many people think “high defense” just means paying more for bandwidth. It is not that simple. A real line of defense is a system that integrates line quality, hardware firewalls, intelligent scrubbing and operations response. As a network hub in Asia, Hong Kong has inherent advantages: it is geographically close to the mainland and Southeast Asia, the legal environment is relatively relaxed, and the data centers are of a high standard.
But choosing Hong Kong alone is not enough; the line is the soul. Hong Kong has many local carriers with different lines: some are cheap but detour through Japan and the US, while others are direct but highly volatile. I have tested no fewer than 20 combinations and finally settled on CN2 GIA (Global Internet Access) from Telecom.
It offers something close to dedicated-line quality, with priority routing, low latency and low jitter, and it is especially friendly to access from the mainland.

How? Let the data speak. Last year I helped a cross-border e-commerce company migrate to a Hong Kong CN2 GIA line server, and at the same time installed a monitoring script that ran for a week. Compared with the ordinary BGP line, average latency dropped from 145ms to 62ms, and the packet loss rate during the evening peak dropped from 8% to almost zero. The following script is what I used to measure the quality of the line; you can run it yourself:
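The following is an added example, not the author's script. It reduces `ping` output to packet loss, mean latency and jitter, and appends timestamped rows to a CSV so a week of samples can be compared between lines; the sample output and the 203.0.113.10 address are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example: reduce ping output to loss %, mean RTT and jitter.

# Reads ping output on stdin, prints "<loss_pct> <avg_ms> <jitter_ms>".
# Jitter here is the mean absolute difference between consecutive RTTs.
summarize_ping() {
  awk '
    /time[=<]/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^time[=<]/) { v = $i; sub(/^time[=<]/, "", v); rtt = v + 0 }
      n++; sum += rtt
      if (n > 1) { d = rtt - prev; if (d < 0) d = -d; jsum += d }
      prev = rtt
    }
    / packets transmitted/ { sent = $1 + 0 }
    END {
      if (!sent) sent = n            # no summary line: count replies only
      loss = 100; avg = 0; jit = 0   # no data at all reads as total loss
      if (sent)  loss = (sent - n) * 100 / sent
      if (n)     avg = sum / n
      if (n > 1) jit = jsum / (n - 1)
      printf "%.1f %.1f %.1f\n", loss, avg, jit
    }'
}

# Constructed sample (not a real capture): 5 probes sent, reply 3 lost.
sample_ping_output() {
  cat <<'EOF'
PING 203.0.113.10 (203.0.113.10) 56(84) bytes of data.
64 bytes from 203.0.113.10: icmp_seq=1 ttl=52 time=61.0 ms
64 bytes from 203.0.113.10: icmp_seq=2 ttl=52 time=63.0 ms
64 bytes from 203.0.113.10: icmp_seq=4 ttl=52 time=60.0 ms
64 bytes from 203.0.113.10: icmp_seq=5 ttl=52 time=64.0 ms

--- 203.0.113.10 ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4006ms
rtt min/avg/max/mdev = 60.000/62.000/64.000/1.581 ms
EOF
}

# One timestamped CSV row per call; run it from cron so the evening peak is covered.
log_sample() {  # log_sample <host> <csv_file> [count]
  local row
  row=$(ping -c "${3:-20}" "$1" 2>/dev/null | summarize_ping | tr ' ' ',')
  printf '%s,%s,%s\n' "$(date -u +%FT%TZ)" "$1" "$row" >>"$2"
}

if [ "$#" -ge 2 ]; then log_sample "$@"; fi
```

Run it against the provider's test IP on each candidate line at the same times of day, so the rows are comparable.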
After running it you will see that line optimization is not mysticism, and the data doesn't lie.
The core of CN2 GIA is that it runs over the independent AS4809 network, which has high priority and is not as easily congested as the ordinary 163 line. For an enterprise site in particular, when a user uploads a file or submits a form, the sense of instant response can directly improve the conversion rate.
However, being fast is not enough; the server also has to take a beating. The high-defense server market has been murky in recent years: some vendors advertise “T-level defense” but actually rely on upstream traffic scheduling, and when a really big attack arrives they null-route you. I have suffered losses from this and learned my lesson; you must ask about a few details: whether the defense is local or cloud-based, where the scrubbing center is, how long the switchover takes once the defense is triggered, and whether attack logs can be provided.
Reliable high-defense setups on the Hong Kong side usually combine a local hardware firewall (such as Arbor or FortiGate) with cloud-based scrubbing.
One of the companies I often work with has been tested to withstand a mixed attack of 280Gbps without any jitter in their business. Their strategy is to fingerprint traffic at the entrance: malicious traffic is diverted directly to the scrubbing center, and normal access goes over the CN2 GIA direct connection. The following is a simplified iptables rule example, used on the server's front end as auxiliary protection:
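An added example of host-level auxiliary rules of this kind, not the author's ruleset: it generates an `iptables-restore` file that drops invalid packets and caps per-source SYN rate and concurrent connections on the web ports, and validates the file before loading it. The ports, thresholds and the 198.51.100.0/24 admin range are assumptions to adjust.

```bash
#!/usr/bin/env bash
# Added example: host-level auxiliary filtering in front of a web service.
# All defaults (ports, rates, admin range) are illustrative assumptions.

# emit_rules [ports] [syn_per_sec] [max_conns_per_ip] [admin_cidr]
# Prints a complete filter table in iptables-restore format.
emit_rules() {
  local ports="${1:-80,443}" syn="${2:-30}" conns="${3:-50}"
  local admin="${4:-198.51.100.0/24}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, then state tracking: drop junk early, pass known flows cheaply.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# A new TCP flow must start with a SYN.
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Per-source caps on the web ports: concurrent connections, then SYN rate.
-A INPUT -p tcp --syn -m multiport --dports ${ports} -m connlimit --connlimit-above ${conns} --connlimit-mask 32 -j DROP
-A INPUT -p tcp --syn -m multiport --dports ${ports} -m hashlimit --hashlimit-name web_syn --hashlimit-mode srcip --hashlimit-above ${syn}/second --hashlimit-burst $((syn * 2)) -j DROP
-A INPUT -p tcp -m multiport --dports ${ports} -m conntrack --ctstate NEW -j ACCEPT
# SSH only from the management range.
-A INPUT -p tcp -s ${admin} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
COMMIT
EOF
}

# Parse-check the ruleset first; load it only if it is valid (requires root).
# iptables-restore replaces the existing filter table unless --noflush is given.
apply_rules() {
  emit_rules "$@" | iptables-restore --test && emit_rules "$@" | iptables-restore
}

if [ "${1:-}" = "--apply" ]; then shift; apply_rules "$@"; fi
```

Because the INPUT policy is DROP, load it from a console session or with a scheduled rollback so a wrong admin range cannot lock you out.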
Of course, these rules only scratch the surface; carrying truly large traffic still depends on the supplier's hardware stack. But if you understand a little of the underlying configuration yourself, at least you can hold your own with customer service and not be fooled.
Speaking of which, we have to talk about CDNs. Some enterprises think that using a CDN means they can rest easy; in fact, they cannot. A CDN mainly accelerates static resources; dynamic requests (such as database queries and user logins) still go back to the origin server. If the origin's line is bad, no number of CDN nodes will help. I generally recommend a Hong Kong CN2 GIA high-defense origin paired with a high-quality CDN service, with static and dynamic content separated; the effect is outstanding.
For example, 08Host is a company that I've been using for a recent project. Their advantage is a large number of Asian nodes and a smooth interface with the CN2 GIA line. You can customize the back-to-origin policy in their console so that dynamic requests take the dedicated GIA channel and avoid detours. I once did a stress test with the cache turned off at the origin, relying purely on CDN07 intelligent routing, and the overall page loading time was 40% faster than with the other providers I had used before.
Linux Dedicated Hosting

| Plan | Suitable for | Configuration | Price |
|---|---|---|---|
| Gold 6138 * 80 cores / 100G defense | Regional cloud providers or CDN nodes | Gold 6138 * 80 cores, 128G memory, 1T SSD disk, 50M CN2 bandwidth, 10 IPs, 100G DDoS defense | Starting at $1500/mo |
| Gold 6138 * 80 cores / 200G defense | Medium-sized game and API service providers | Gold 6138 * 80 cores, 128G memory, 1T SSD disk, 50M CN2 bandwidth, 10 IPs, 200G DDoS defense | Starting at $2500/mo |
| Gold 6138 * 80 cores / 300G defense | Large-scale live video platforms and government affairs | Gold 6138 * 80 cores, 128G memory, 1T SSD disk, 100M CN2 bandwidth, 10 IPs, 300G DDoS defense | Starting at $4500/mo |
| Gold 6138 * 80 cores / 500G defense | Large global sports/ticketing platforms | Gold 6138 * 80 cores, 128G memory, 1T SSD disk, 200M CN2 bandwidth, 10 IPs, 500G DDoS defense | Starting at $7000/mo |

Configuration is not complicated. With Nginx, for example, you can optimize the back-to-origin settings in this way to ensure that dynamic content takes the high-speed route:
Don't believe those “one-click optimization” ads. Server performance has to be tailored to your business. For example, a database-driven website needs its resources spent on memory and IOPS; for a media site, bandwidth and storage cache are key. Hong Kong CN2 GIA high-defense servers usually offer SSD arrays and plenty of memory options, and I'm used to throwing a benchmarking script at the machine first to get a feel for the baseline:
After running this set of data, you will be able to see whether the vendor has mislabeled the hardware. I have encountered vendors advertising “high-performance SSD” whose actual IOPS was only a few thousand, which is purely fooling people.
On security: besides carrying DDoS, a high-defense server also has to guard against vulnerabilities. Many enterprise sites run an old CMS with a pile of plug-ins and are full of holes. I suggest doing three things as soon as you get the server: update the kernel, configure the firewall, and set up file monitoring. Don't mind the hassle; every corner you cut becomes an entry point for an attacker later. For example, use aide to do a file integrity check, run once a week:
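A weekly AIDE run along these lines, as an added example that is not the author's script: it decodes the exit status of `aide --check` into added/removed/changed and writes the verdict to syslog so that both changes and failed runs raise an alert. It assumes a baseline database already exists; the report directory, script path and cron file name are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: weekly AIDE check whose verdict lands in syslog.
# Assumes a baseline was created with `aide --init` and moved into place.
# Keep a copy of that baseline off the host or on read-only media, since an
# intruder with root can rewrite a database stored next to the files it covers.
REPORT_DIR="${REPORT_DIR:-/var/log/aide}"   # hypothetical location

# Decode the exit status of `aide --check` as documented in aide(1):
# 0 = no differences; 1-7 = sum of 1 (new), 2 (removed), 4 (changed files);
# 14-19 = errors. Anything above 7 is reported as an error here.
classify_aide_status() {
  local rc="$1" out=""
  if [ "$rc" -eq 0 ]; then echo "clean"; return 0; fi
  if [ "$rc" -gt 7 ]; then echo "error($rc)"; return 0; fi
  [ $((rc & 1)) -ne 0 ] && out="added"
  [ $((rc & 2)) -ne 0 ] && out="${out:+$out,}removed"
  [ $((rc & 4)) -ne 0 ] && out="${out:+$out,}changed"
  echo "$out"
}

run_weekly_check() {
  local report rc=0 verdict prio=warning
  mkdir -p "$REPORT_DIR"
  report="$REPORT_DIR/aide-$(date +%F).log"
  aide --check >"$report" 2>&1 || rc=$?
  verdict=$(classify_aide_status "$rc")
  [ "$verdict" = "clean" ] && prio=info
  # Errors alert as well: a check that silently stops running looks the
  # same as a clean host if only differences are reported.
  logger -t aide-weekly -p "authpriv.$prio" "verdict=$verdict rc=$rc report=$report"
  [ "$verdict" = "clean" ]
}

# Cron entry (assumed file /etc/cron.d/aide-weekly), Sundays at 03:30:
#   30 3 * * 0 root /usr/local/sbin/aide-weekly.sh --run
if [ "${1:-}" = "--run" ]; then run_weekly_check; fi
```

After a planned change such as a CMS or kernel update, review the report and refresh the baseline, otherwise every later run reports the same differences and real ones get lost in them.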
After all this tinkering, is it worth it or not? I'll give a blunt conclusion: for business websites, especially those facing Asian customers, a Hong Kong CN2 GIA high-defense server is not a luxury, it's a necessity. It is expensive, but amortized into your costs it may amount to hiring half a customer service agent fewer, or to the money from losing a few fewer orders. When stability goes up, user stickiness follows naturally; when security is assured, you do not have to get up in the middle of the night to put out fires.
One last word of caution: keep your eyes peeled when choosing a provider. Look for those that provide real test IPs, and personally run them through a multi-location ping tool. Read the SLA terms in the contract, and see whether the defense includes “second switching”. Don't just look at the advertisements. In the technology business, real performance is the hard truth.
My own main projects now sit on this type of configuration and easily carry the daily business and the occasional attack. To put it bluntly, a corporate website is like a digital storefront. If you build a thatched hut that leaks in the wind and rain, will customers dare to come in? Investing some money in infrastructure definitely pays off in the long run.
Well, that's enough rambling about my experience. How exactly to choose is still something you have to weigh against your own business. Any questions, feel free to chat.
