
You may think your business is too small for hackers to notice. Drop that idea before it is too late. Attacks are automated now, and no matter how big your company or how small your website, anything a scanner finds vulnerable gets hammered. What's even more annoying is that some competitors play dirty and pay people to hit your servers. These days even the CDN has to “guard against teammates”. Tiring, isn't it?
So today we skip the fluff and just talk about how to keep a business network stable. I have been working with servers for more than ten years, from my own garage to designing architecture for public companies, and I have stepped in more pits than some people have walked roads. To be blunt: a multi-line BGP high-defense server is something to adopt sooner rather than later. Don't wait until something goes wrong and then slap your thigh in regret.
Let's start by breaking down the problem. Business network instability comes down to two things: the road is impassable, and there are too many thieves. The road is the network line. In the domestic network environment, with Telecom in the south, Unicom in the north and Mobile in between, if you use a single-line server you can wait for users to curse you. In my tests, the same page opened in 1 second for Telecom users while Unicom users might have to wait 5 seconds, which is a poor experience.
The thieves are the bigger headache. DDoS attacks are now as easy to buy as groceries; a few hundred dollars buys an attack service. SYN Flood, HTTP Flood, CC attack: there are enough tricks to fill a book. The little protection an ordinary server has is like paper, one poke and it tears. The worst case I have seen was an e-commerce site attacked continuously for 48 hours on a promotion day. Direct losses exceeded three million dollars, and the person in charge of technology resigned on the spot.
Don't believe the cheap-server sellers who brag about “free 5G protection”. I have tested it: when 10G of traffic actually arrives, they immediately black-hole your route, which in plain terms means disconnecting you from the network, and all traffic is dropped whether it is legitimate or not. That is not protection; that is giving up.
The right solution is a professional multi-line BGP high-defense server. You can think of BGP as the intelligent navigation system of the network world. It lets your server connect to multiple carrier lines at the same time and, according to real-time network conditions, automatically directs user traffic onto the fastest road. The multiple lines are highways running in parallel, and BGP is the navigator who knows the roads best.
The high-defense part is real hard work. It is not just a firewall hung in front of the server but a complete cleaning system. When malicious traffic arrives, it is pulled to a dedicated cleaning center, the dirty data is filtered out like panning for gold, and the clean traffic is sent back. Last year I helped a game company set up such a scheme. It withstood a full week of continuous mixed attacks with peak traffic reaching 800G, the business pages stayed up as usual, and the players noticed nothing.

I have to expand on the technical details, otherwise you will think I am just talking. BGP configuration is not child's play; it directly affects the routes announced to the whole network. The following snippet, commonly used in actual debugging, shows how to establish peering sessions with two carriers:
In this configuration, the higher the local-preference value, the higher the route's priority. I have generally set Telecom higher, because in my tests the Telecom links were more stable for overseas traffic, but the right choice depends on how your users are distributed. Get it wrong and you may slow things down.
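The following Python model is an added example, not the author's router configuration: it applies a per-carrier local-preference on import and runs the first two steps of BGP best-path selection, showing that a higher local-preference beats a shorter AS path and that traffic falls back to the other carrier when a session drops. The carrier names, preference values, ASNs and prefix are assumptions chosen for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Route:
    prefix: str
    carrier: str            # upstream session the route was learned from
    as_path: tuple          # AS numbers, nearest neighbour first
    local_pref: int = 100   # common default when no policy sets it

def apply_import_policy(route, pref_by_carrier):
    """Stand-in for an inbound route-map that sets local-preference per carrier."""
    return replace(route, local_pref=pref_by_carrier.get(route.carrier, 100))

def best_path(routes):
    """First two decision steps only: highest local-pref, then shortest AS path.
    The carrier name is a deterministic stand-in for the later tie-breakers."""
    if not routes:
        return None
    return min(routes, key=lambda r: (-r.local_pref, len(r.as_path), r.carrier))

def select(routes, pref_by_carrier, sessions_up):
    """Pick the egress route among carriers whose BGP session is established."""
    live = [apply_import_policy(r, pref_by_carrier)
            for r in routes if r.carrier in sessions_up]
    return best_path(live)

# Constructed sample: both carriers offer a path to the same destination prefix.
# ASNs and prefix come from the ranges reserved for documentation.
ROUTES = [
    Route("198.51.100.0/24", "telecom", (64496, 64499, 64500)),
    Route("198.51.100.0/24", "unicom", (64497, 64500)),
]
POLICY = {"telecom": 200, "unicom": 150}  # assumed values

if __name__ == "__main__":
    both = {"telecom", "unicom"}
    print("policy applied :", select(ROUTES, POLICY, both).carrier)
    print("no policy      :", select(ROUTES, {}, both).carrier)
    print("telecom down   :", select(ROUTES, POLICY, {"unicom"}).carrier)
```

Local preference only influences which path your own routers pick for outbound traffic; it is not sent to the carriers and does not steer inbound traffic.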
High-defense configuration is more a test of experience. Hardware firewall rules, traffic baseline learning and human-versus-bot verification strategies all have to be layered on top of each other. For example, to deal with CC attacks I often add a dynamic blacklist module to Nginx, together with kernel parameter tuning:
The code is not for you to copy; every server's workload is different and the parameters have to be tuned patiently. I often stay up all night debugging this kind of setup, but the effect is immediate: on the same hardware, capacity before and after optimization can differ by a factor of ten.
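An added example, not the author's Nginx module or kernel settings: the decision logic of a dynamic blacklist, written in Python and replayed over constructed Nginx access-log lines. The thresholds (20 requests per 10 seconds, 300-second ban), IP addresses and log lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Prefix of an Nginx "combined" access-log line: client IP and timestamp.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')

class DynamicBlacklist:
    """Ban a client that exceeds `limit` requests inside `window` seconds."""
    def __init__(self, limit=20, window=10, ban_seconds=300):  # assumed thresholds
        self.limit, self.window, self.ban_seconds = limit, window, ban_seconds
        self.hits = defaultdict(deque)  # ip -> request timestamps inside the window
        self.banned_until = {}          # ip -> epoch second at which the ban lapses

    def observe(self, ip, ts):
        """Record one request; return True if allowed, False if dropped."""
        if ts < self.banned_until.get(ip, 0):
            return False                # still inside an active ban
        q = self.hits[ip]
        q.append(ts)
        while q and q[0] <= ts - self.window:  # discard hits that left the window
            q.popleft()
        if len(q) > self.limit:
            self.banned_until[ip] = ts + self.ban_seconds
            q.clear()                   # count afresh once the ban lapses
            return False
        return True

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m.group(1), ts

def replay(lines, bl):
    # Feed log lines through the blacklist; return per-IP allowed/blocked counts.
    allowed, blocked = defaultdict(int), defaultdict(int)
    for ip, ts in filter(None, map(parse_line, lines)):
        (allowed if bl.observe(ip, ts) else blocked)[ip] += 1
    return dict(allowed), dict(blocked)

def sample_log():  # constructed traffic: one client at 5 req/s, one normal visitor
    lines = []
    for s in range(10):
        stamp = f"01/Jan/2025:12:00:{s:02d} +0800"
        lines += [f'203.0.113.50 - - [{stamp}] "GET /search?q={s} HTTP/1.1" 200 512 "-" "-"'] * 5
        if s % 3 == 0:
            lines.append(f'198.51.100.7 - - [{stamp}] "GET / HTTP/1.1" 200 1024 "-" "-"')
    return lines
```

Replaying `sample_log()` bans the 5 req/s client on its 21st request while the normal visitor is never touched; lowering `limit` or widening `window` shows how quickly a threshold starts catching legitimate users.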
A data comparison illustrates the problem best. I have a customer case where the before-and-after numbers are striking. On ordinary single-line servers, the customer saw on average 3 small-scale attacks a month, about 2 hours of downtime each time, and access latency differing by up to 150ms across the country. After switching to multi-line BGP high-defense servers, high-level protection was triggered only once in half a year, cleaning completed automatically with zero business interruption, and the north-south latency difference was compressed to 15ms. Whether the investment is worth it, you can calculate for yourself.
When it comes to specific service providers, the market is a mixed bag. Some are labeled “BGP” but are in fact just DNS tiering, not BGP at all. Real BGP requires the provider to have its own AS number and to interconnect with the various carriers. I have used many providers over the years and, honestly, not many are stable. Take 08Host: I started with their high-defense BGP server room three years ago, and what convinced me most is how solid their line redundancy is. They are connected to eight carriers and also run a self-built backbone network as a bypass. Once, municipal construction dug up a fiber-optic cable; other server rooms were paralyzed across the board, while theirs switched automatically to the backup route and customers did not feel even a jitter. Of course, the price is not cheap, but as the boss put it: “With a stable network, I can sleep.”
In terms of protection capability, a reliable high-defense server today needs T-level cleaning capacity. In my tests, when an attack really arrives, the geographic distribution of the cleaning centers and the intelligence of the algorithms are the key. Overseas traffic should be cleaned at overseas nodes and domestic traffic at domestic nodes; do not mix them, or the latency will crush you. The cleaning strategy also has to be flexible: small-packet attacks against the game industry and precision CC attacks against the financial industry each need a dedicated plan. I once debugged alongside 08Host's engineers; they embedded an AI behavior-analysis model directly into the cleaning chain and brought the false positive rate down to 0.1% or less, a level few domestic providers can reach.
There are a few more pits I have to warn you about. First, BGP session stability monitoring is a must. My habit has been to use Smokeping with custom probes, checking every five minutes and alerting immediately when a session drops. Second, high defense is not everything; application-layer vulnerabilities are still yours to patch, so do not think you can lie flat once high defense is in place. Third, you must have a backup line. I learned this the hard way: I once put blind faith in a carrier, a regional failure hit, and my business went down with it. Now I provision at least two physically separate access routes.
There is no getting around the cost issue. Multi-line BGP high-defense servers cost from a few thousand to hundreds of thousands of dollars a month, depending on the size of your business and the level of protection. But think about it: the direct losses, customer churn and brand damage from one large-scale attack, isn't all of that money? I have helped many customers do the math, and after adopting high defense more than 70% of them recovered the cost within the year. That is a good deal.
One last note. Network security is always a battle of wits. Attack methods keep evolving, and protection technology has to keep pace. But however things change, one principle holds: if the infrastructure is solid, let the wind and waves come. A multi-line BGP high-defense server is that anchor. Don't rely on luck. Just because you were not hit today does not mean you will get away with it tomorrow. Deploy early and rest easy, and sleep at night without one ear open for the alarm.
In short, if you want your business to stand firm online, the network has to be fast and the protection has to be tough. The principle is simple, but doing it takes real effort. I have laid out all the practical material here; how to choose and how to configure still depends on your own situation. Ask questions any time, on one condition: get moving first and make sense of that whole mess of server things. Being steady as a mountain is not a dream, but it starts with the first stone laid under your feet.