Cloud Integrated Defense Solution

Drawing on years of security research, JD helps users defend against DDoS attacks from the Internet and attacks on the web application layer, and provides a CDN acceleration service.

Scheme Specification

  • Proprietary Cloud of E-government Affairs

    Government customers set strict requirements for independent control over data use, transmission and storage.

    • The coordinated defense mode, in which traffic goes to the cloud only under abnormal conditions, meets the government's self-controlled compliance and supervision requirements for data.
    • One-click cloud access meets the government's requirements for product usability and convenient operation and maintenance.
  • Enterprise-class Data Center and IDC

    Helps enterprises keep sensitive data secure and under their control, keep local business running continuously, and adapt services to value-added scenarios.

    • The cloud provides attack-traffic cleaning capacity of up to 400G, effectively guaranteeing continuity of the user’s service.
    • Linking local protection with cloud cleaning resources meets the needs of IDC and value-added security service delivery scenarios.
  • Other On-line Business

    Supports Anti-DDoS, WAF, DNS resolution access, Anti-DDoS Pro, and cross-network CDN acceleration and distribution services for industry users and individual users.

    • Enterprise Portal Website
    • Online Games
    • Online transaction settlement and online payment of Internet Finance
    • Online Bank and Online store
  • Public Cloud Business of JD

    Users of JD public cloud products and services can use the Anti-DDoS Basic module for free. This module provides 2Gbps of protection capacity, works in linkage with the JD Cloud Anti-DDoS Pro module and Cloud WAF, and gives the services of JD Cloud users overall protection.

    • Website, Database and Storage System Built on JD Cloud
    • Enterprise Portal, Payment, Settlement and Transaction System Built on JD Cloud
    • Enterprise E-commerce Platform, Business Bus, Registration and Subscription Interface Service Built on JD Cloud

Solution Architecture

Architecture Description

  • 100Gbps DNS protection capacity
  • CNAME and NS access
  • Single-point defense capacity exceeding 400Gbps
  • Local protection + one-click cloud access
  • Accurate identification and interception of traffic flooding, abnormal packets, request forgery, slow connections, CC attacks, etc.
  • Efficient defense against SQL injection, cross-site scripting (XSS), path traversal, malicious website code, website tampering, etc.

Typical Scenario

Fusion Defense Model

Typical Scenario: A customer using CDN acceleration lacks anti-DDoS protection capacity, yet simply chaining Anti-DDoS Pro and CDN in series defeats the acceleration effect.

Solution: Provide static local acceleration and dynamic back-to-origin acceleration for the content of the user’s origin server to improve the access experience. If any CDN FastNode comes under a large-scale DDoS attack, the system links with the Anti-DDoS node in real time, diverting the attack traffic while normal back-to-origin traffic continues, so that the DDoS attack does not affect the continuity of the user’s service. When the attack eases or stops, the best CDN node is dynamically scheduled again, so the whole process is imperceptible to the user.

Use of Products: Anti-DDoS Pro, CDN, JD Cloud DNS

Linkage Defense Model

Typical Scenario: The enterprise’s local IDC machine room lacks security protection measures; local services and websites are exposed to SQL injection, cross-site scripting (XSS) and other application-layer attacks; and independently deployed protection devices cannot withstand massive DDoS attacks.

Solution: Deploy security detection and protection components in the enterprise’s local machine rooms to provide basic security protection. When a local machine room comes under a large-scale traffic attack, the traffic can be migrated to the cloud with the one-click cloud access function, so that the DDoS attack does not affect local outbound bandwidth or other services and the attacked services remain continuous and available.

Use of Products: Anti-DDoS Pro, Web Application Firewall, JD Cloud DNS

Local Online Deployment Mode

Typical Scenario:
1. Traffic is forwarded to the cleaning cluster, processed, and then forwarded to the WAF/Cache cluster.
2. The WAF/Cache cluster forwards the safe traffic to the origin server.
3. When the traffic detection cluster detects a high-volume attack, the cloud linkage mode is enabled.
4. The cloud DNS scheduling center directs the traffic to the cloud Anti-DDoS Pro center.
5. The Anti-DDoS Pro center forwards the filtered clean traffic to the original network.

Solution: The traffic detection cluster is deployed in bypass mode and receives only mirrored traffic; the traffic cleaning cluster and the WAF/Cache cluster support the bypass BGP mode, which increases fault tolerance; traffic is diverted only as required, ensuring high availability of the service and protecting the user’s experience; and both automatic emergency cloud access and manual one-click cloud access are supported with flexible configuration, easing the load on operation and maintenance personnel.

Use of Products: Anti-DDoS Pro, Web Application Firewall, Domain Name Service

Local Bypass Deployment Mode

Typical Scenario:
1. When there is no attack, traffic is forwarded to the service station.
2. When the traffic detection cluster detects an attack, it immediately notifies the cleaning cluster to perform BGP migration (a fine-grained route with a 32-bit mask, making the cleaning cluster the next hop for traffic to the attacked target).
3. The traffic cleaning cluster supports reinjecting the clean traffic into the original network.
4. When the traffic detection cluster detects a high-volume traffic attack, the cloud linkage mode is enabled immediately.
5. The cloud DNS scheduling center directs the traffic to the cloud Anti-DDoS Pro center.
6. The Anti-DDoS Pro center forwards the filtered clean traffic to the original network.

Solution: The traffic detection cluster is deployed in bypass mode and receives only mirrored traffic; traffic reinjection supports two methods, policy-route reinjection and Layer 3 reinjection; traffic is diverted only as required, ensuring high availability of the service and protecting the user’s experience; and both automatic emergency cloud access and manual one-click cloud access are supported with flexible configuration, easing the load on operation and maintenance personnel.

Use of Products: Anti-DDoS Pro, Web Application Firewall, JD Cloud DNS
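
The detection and escalation steps of the local bypass mode can be sketched as a small controller. This is an added example, not JD code: the thresholds, the next-hop address and the action names are assumptions, and the sample addresses come from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed values for illustration; the page gives no thresholds or addresses.
DETECT_BPS = 200e6               # per-destination rate treated as an attack
LOCAL_CLEAN_BPS = 10e9           # capacity of the local cleaning cluster
CLEANER_NEXT_HOP = "192.0.2.10"  # cleaning cluster (documentation-range address)

def host_route(ip):
    """Host route for one attacked target: a 32-bit mask for IPv4."""
    return str(ipaddress.ip_network(ip))

@dataclass
class Controller:
    diverted: set = field(default_factory=set)  # targets with a host route announced
    cloud: bool = False                         # True while DNS points at the cloud

    def step(self, rates):
        """rates: {dst_ip: bits/s} measured on mirrored traffic. Returns actions."""
        actions = []
        attacked = {ip for ip, bps in rates.items() if bps >= DETECT_BPS}
        attack_total = sum(rates[ip] for ip in attacked)
        # Steps 4-5: more than local cleaning can absorb -> DNS moves traffic to cloud.
        want_cloud = attack_total > LOCAL_CLEAN_BPS
        if want_cloud != self.cloud:
            actions.append(("dns", "cloud-anti-ddos" if want_cloud else "origin"))
            self.cloud = want_cloud
        # Step 2: announce a host route so the cleaning cluster becomes the next hop.
        for ip in sorted(attacked - self.diverted, key=ipaddress.ip_address):
            actions.append(("announce", host_route(ip), CLEANER_NEXT_HOP))
        # Step 1: attack over -> withdraw, traffic goes straight to the service again.
        for ip in sorted(self.diverted - attacked, key=ipaddress.ip_address):
            actions.append(("withdraw", host_route(ip), CLEANER_NEXT_HOP))
        self.diverted = attacked
        return actions

if __name__ == "__main__":
    # Constructed timeline: quiet, local-scale attack, cloud-scale attack, recovery.
    timeline = [
        {"198.51.100.7": 50e6, "198.51.100.8": 30e6},
        {"198.51.100.7": 3e9, "198.51.100.8": 30e6},
        {"198.51.100.7": 40e9, "198.51.100.8": 30e6},
        {"198.51.100.7": 20e6, "198.51.100.8": 30e6},
    ]
    ctl = Controller()
    for t, rates in enumerate(timeline):
        print(t, ctl.step(rates))
```

Only the attacked address is diverted; the neighbouring address keeps its normal path throughout, which is the point of announcing a host route rather than the whole prefix.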

Advantages

  • Full Service Adaption Capacity

    Based on a deep understanding of the service scenarios of several industries, JD can adapt to and meet the security protection and content acceleration needs of many service scenarios, such as government, finance, IDC, gaming, e-commerce and the Internet. It provides diverse product forms and APIs and meets the security compliance, operation and maintenance, business development and other requirements of different industries.

  • Compliance and Regulatory Compliance

    The local component provides attack detection and protection. Normally, request and response data do not pass through the cloud node; traffic is migrated to the cloud only when the attack traffic is too large. This coordinated defense mode, with cloud access only under abnormal conditions, meets the self-controlled compliance and supervision requirements for data of the government and the finance industry.

  • Smart Defense-in-Depth

    Horizontally, provide maximum defense in depth from the network border to the machine layer; vertically, link the user’s local protection components with cloud resources:

    • Built on the JD Cloud smart scheduling command system, smart linkage between the Anti-DDoS node and CDN preserves the acceleration effect to the greatest extent;
    • Integrates cloud situational awareness and threat intelligence to respond proactively, predict service security trends, and provide data to support analysis and decisions;
    • Integrates big data on attack events and network traces with attacker behavior profiling, helping the user establish a service confidence curve and reducing false positives and false negatives.

  • Interface and Data Opening

    Structured raw protection log data can be provided to the user for reference, helping the user complete security incident response and analysis more efficiently. Diverse APIs are also provided to support value-added security service delivery scenarios.

  • Dynamic Optimal Operation

    The Anti-DDoS, WAF, CDN and other functional modules integrate and link seamlessly and support smart dynamic scheduling based on the user’s real service scenario. This solves the problem of the traditional CDN and Anti-DDoS mode destroying the global acceleration effect: the solution plans the best forwarding and back-to-origin routes for the user, supports multiple ISP lines across operators, reduces latency, further improves the user experience, and makes scheduling and protection imperceptible when the user’s service is attacked.

  • Accumulation of Deep Experience

    Built on more than ten years of security research, security product development and industry best practice, the solution is deployed across JD Mall, JD Finance and JD Insurance and provides end-to-end protection for promotions such as 618, 11.11 and 12.12. It has provided end-to-end protection and support to many local governments and e-government clouds, and assisted security assurance work during the key protection periods of the 18th/19th National Congress of the Communist Party of China, the NPC and CPPCC, the Belt and Road and the BRICS meeting. Tested and accepted by the market over the years, JD has many successful cases in different industries, has accumulated extensive practical experience, and has a deep understanding of the business scenarios and pain points of different industries. It can therefore provide scenario-level products and solutions that help users solve security problems in their business scenarios and improve their business competitiveness.

Recommended Products

Web Application Firewall

It identifies malicious features in website traffic and protects against them, preventing malicious intrusion into web servers and keeping the service's core data secure.

RMB 336.00/month

Anti-DDoS Pro

Provides value-added protection for users who are subject to high-traffic DDoS attacks. The origin server is hidden by replacing the service IP with the Anti-DDoS Pro IP.

RMB 500.00/month

CDN

Based on high-quality network infrastructure and intelligent cloud computing technology, JD provides the customers with low-cost, high-performance and scalable distribution services of Internet content.

RMB 0.35/GB, if CDN traffic is within 10GB