Low-Cost Hybrid DDoS Defense: Combining Overseas Scrubbing with Domestic CDN
This article details a cost‑effective hybrid DDoS/CC protection architecture that blends overseas traffic‑scrubbing services with domestic CDN and smart DNS, explaining the attack background, analysis, chosen solutions, implementation steps, and operational results.
Background
After launching a company project early in the year, we repeatedly suffered DDoS/CC attacks, with a peak of over 140 Gbps, severely degrading user experience. Commercial solutions (e.g., Alibaba Cloud 150 Gbps elastic protection) would cost tens of thousands of RMB per month, which was unaffordable.
To reduce loss and maintain service quality, we evaluated several domestic and overseas high‑defense providers and finally adopted a hybrid approach: overseas scrubbing combined with domestic CDN, achieving protection at a much lower cost.
Glossary
DDoS and CC attacks
DDoS (Distributed Denial‑of‑Service) attacks flood a target with malicious traffic, while CC (Challenge Collapsar) attacks send massive legitimate‑looking requests that exhaust server resources.
High‑defense service vs. traffic cleaning
High‑defense services protect against various attacks (including DDoS and CC), whereas traffic‑cleaning focuses on filtering abnormal traffic and is less effective against CC attacks that appear normal.
An analogy: hired thugs blocking the entrance of a tea shop resemble a DDoS attack, while people paid to queue up and place legitimate‑looking orders resemble a CC attack, which overwhelms the server with seemingly valid requests.
Business: Pages and Visitors
Web pages consist of HTML, resources (CSS, JS), and rich media (images, video). Most visitors come from mainland China, with a smaller share from overseas.
Fundamentals: Divide and Conquer
We separated page content from static resources (images, videos) in storage to optimize access and avoid a single point of failure, allowing targeted protection for the most vulnerable component—page content.
Analysis: Attack Characteristics
Log analysis shows that less than half of attack traffic originates from mainland China; the majority comes from Taiwan, the US, Europe, and South America. Attack methods include both DDoS and CC.
Domestic traffic ~40%
Overseas traffic ~60%
Attack types: DDoS, CC
Research: Protection Strategy
Key requirements: high‑defense for page content and high‑bandwidth CDN for static assets (not discussed further).
Smart DNS (e.g., CloudXNS, DNSPod)
Overseas traffic‑scrubbing services (e.g., OVH, Voxility)
Domestic CDN with auto‑origin and per‑IP QPS limits
JinDun firewall for CC filtering
Practice: Implementation
Initially we used a generic high‑defense service with elastic protection. It cost about 15,000 RMB per month, and we still experienced three incidents that caused over ten hours of downtime.
We built a hybrid system using the following core tools:
Smart DNS (CloudXNS, DNSPod)
Overseas scrubbing (OVH, Voxility)
Domestic CDN with auto‑origin and QPS limiting
JinDun firewall for CC mitigation
During normal operation, mainland visitors are routed to the domestic CDN, while overseas visitors go to OVH. When attacks exceed CDN thresholds, traffic is redirected to OVH for scrubbing.
OVH handles DDoS well but requires additional measures (JinDun firewall) for CC attacks; larger CC attacks may need more instances or hybrid hardware solutions.
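The routing rule described above (mainland to the CDN, overseas to scrubbing, mainland diverted to scrubbing once a threshold is crossed) can be sketched as a small controller with hysteresis so that DNS records do not flap while an attack ebbs and resumes. This is an added example, not the team's own code; the hostnames, thresholds, and class and function names are all assumptions.

```python
from dataclasses import dataclass

# Placeholder DNS targets (assumed; the article names no hostnames).
CDN_TARGET = "cdn.example.net"      # domestic CDN
SCRUB_TARGET = "scrub.example.net"  # overseas scrubbing front

@dataclass
class FailoverController:
    """Pick the DNS answer per smart-DNS line, with hysteresis on failover."""
    trip_qps: float = 50_000   # assumed CDN threshold, not from the article
    clear_qps: float = 20_000  # assumed "attack has subsided" level
    clear_samples: int = 5     # calm samples required before failing back
    scrubbing: bool = False
    calm: int = 0

    def observe(self, qps: float) -> bool:
        """Feed one request-rate sample, measured at whichever front is
        currently serving mainland traffic. Returns True while diverted."""
        if not self.scrubbing:
            if qps >= self.trip_qps:
                self.scrubbing, self.calm = True, 0
        elif qps <= self.clear_qps:
            self.calm += 1
            if self.calm >= self.clear_samples:
                self.scrubbing = False
        else:
            self.calm = 0  # load rose again: restart the calm count
        return self.scrubbing

    def target(self, line: str) -> str:
        """line is the smart-DNS view: 'mainland' or 'overseas'."""
        if line == "overseas" or self.scrubbing:
            return SCRUB_TARGET
        return CDN_TARGET

def replay(samples):
    """Replay constructed samples; return the mainland target after each."""
    ctl = FailoverController()
    out = []
    for qps in samples:
        ctl.observe(qps)
        out.append(ctl.target("mainland"))
    return out

if __name__ == "__main__":
    # Constructed load trace: spike, partial lull, relapse, sustained calm.
    trace = [1000, 60000, 30000, 10000, 10000, 25000] + [10000] * 5 + [1000]
    for qps, tgt in zip(trace, replay(trace)):
        print(f"{qps:>6} qps -> {tgt}")
```

A DNS-based switch only takes effect as resolver caches expire, so the records being swapped need a short TTL for the diversion to happen within the attack window.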
Conclusion
The final hybrid solution costs less than 1,000 RMB per month—far below the ten‑thousand‑RMB monthly cost of pure domestic high‑defense services. It has run stably for four months, with downtime under one hour per month, meeting current protection needs and offering scalable expansion.
Future improvements include horizontal scaling of JinDun instances for larger CC attacks and optimizing mainland access via European neutral data centers with hybrid private‑cloud routing to achieve sub‑200 ms RTT to Shanghai/Beijing and sub‑0.1% packet loss.
Baixing.com Technical Team
A collection of the Baixing.com tech team's insights and learnings, featuring one weekly technical article worth following.
