Help Center/ Content Delivery Network/ Best Practices/ Preventing Malicious Traffic
Updated on 2025-06-20 GMT+08:00
View PDF
Share

Preventing Malicious Traffic

Attacks and malicious traffic will result in a bill higher than your normal expenditures. This high bill cannot be waived or refunded. To reduce such risks, set defenses and notifications.

Stopping Losses Promptly

If your domain name has been attacked or traffic has been stolen, you can use usage capping and request rate limiting to prevent further losses, analyze attack behavior, and set protection policies.

  1. Set a usage cap for a domain name. When the bandwidth or traffic usage reaches the threshold, CDN will be disabled for the domain name to prevent high bills caused by traffic theft or malicious attacks.
    Figure 1 Adding a usage cap
  2. Limit request rates to control the total bandwidth of all user requests to reduce the risk of sudden spikes in bandwidth use.
    Figure 2 Setting request rate limiting

Analyzing Attack Behaviors

After a domain name is attacked, analyze the attack time and attacker information to harden security configurations.

  1. Determine the attack period by selecting a statistical period and dimension and analyzing high bills. For details about how to export bills, see Bills.
  2. Analyze offline logs in the attack period, check HTTP request information, identify abnormal IP addresses and anti-leeching information, and set protection rules accordingly. For details, see Analyzing Malicious Access Addresses Through Logs.
  3. Download and analyze custom operations reports such as popular URL, popular referer, and popular UA reports. These reports are available if you have customized them for the domain name before an attack. For details, see Operations Reports.

Resolving Issues

  • After analyzing attack behavior, extract the corresponding attack IP addresses, referers, or user agents. Then use CDN's basic access control to filter out these attack sources.
    • Referer validation: Attackers forge the Referer request header to mimic a valid requested source. Set a referer blacklist or whitelist to allow valid referer requests and reject unauthorized third-party websites from accessing your resources.

    • IP blacklist: Add the IP addresses to a blacklist to filter them out.

    • User-Agent blacklist: Attackers forge the User-Agent field to send a large number of requests to bypass security check. The User-Agent field may contain empty or random values. Set a User-Agent blacklist or whitelist to filter out requests with blank user agents.

  • Edge Security (EdgeSec): EdgeSec provides abundant protection functions. Set security rules to protect your domain names.

Follow-Up Protection

Enable Cloud Eye monitoring, report key metrics, and set alarms. If the metric data exceeds the alarm threshold, an alarm is generated, helping you learn about service status in real time and promptly avoid risks.

Cloud Eye monitoring is free of charge on CDN. If you configure alarms on Cloud Eye, SMN will charge you for alarm notifications sent to you. For details about SMN pricing, see SMN Pricing Details.

Limit the IP address frequency to restrict the number of queries per seconds (QPS) for a URL sent from a single IP address to a single PoP. This helps you defend against CC attacks and malicious theft and reduce the risk of high bills.