Three months ago, during preparations for a leadership inspection of our WebGIS dashboard project (arguably its most critical application), our project manager urgently contacted me the night before: "XXX, emergency! The basemap's peripheral elements on the GIS dashboard have disappeared—only data remains visible!"

Reluctantly accessing the system, I discovered the dynamic visualizations had vanished. Console errors revealed resource loading failures traced to our CDN service. Checking my personal CDN account (used due to small company scale), I found the payment overdue and promptly recharged 200 CNY.

A month later, while debugging new features, CDN errors recurred. Initially attributing this to post-exhibition traffic spikes (even boasting about "high system usage" to my manager), I recharged another 200 CNY.

When another billing alert arrived just weeks later—despite the exhibition ending months prior—abnormal traffic patterns became undeniable.

Initial Investigation

Qiniu Cloud's backend revealed alarming patterns:

  • Jiangsu region consumed nearly 5GB in under 24 hours
  • Traffic concentrated on large image resources
  • Few IP addresses generated disproportionate traffic

Conclusion: Malicious traffic flooding attack.

Countermeasures

Qiniu Cloud's support team (noted for arrogant communication style) offered limited solutions:

  1. Referer Anti-Leeching: Easily bypassed, ineffective
  2. Timestamp Anti-Leeching: Validates request timestamps via cryptographic signatures—recommended
  3. Origin Authentication: Requires custom WAF development—powerful but resource-intensive
  4. IP Blacklisting: Immediate but reactive (damage occurs before blocking)
  5. UA Blacklisting: Easily spoofed, ineffective
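
How timestamp anti-leeching (item 2) works on both sides, as an added example that is not code from the original post or from Qiniu. The HMAC-SHA256 construction, the `t`/`sign` parameter names, the key, and the sample path are assumptions for illustration; a provider's real signing format may differ.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, urlsplit

SECRET = b"constructed-demo-key"  # assumption: key shared by the URL signer and the edge


def _mac(path, t_hex, secret):
    # Bind the signature to both the resource path and the expiry value.
    return hmac.new(secret, f"{path}:{t_hex}".encode(), hashlib.sha256).hexdigest()


def sign_url(path, ttl_seconds, now=None, secret=SECRET):
    """Return path?t=<hex expiry>&sign=<mac>, valid until now + ttl_seconds."""
    now = int(time.time()) if now is None else now
    t_hex = format(now + ttl_seconds, "x")
    enc = quote(path)
    return f"{enc}?t={t_hex}&sign={_mac(enc, t_hex, secret)}"


def verify_url(url, now=None, secret=SECRET):
    """Decide as an edge node would: returns (allowed, reason)."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    t_hex = query.get("t", [""])[0]
    sign = query.get("sign", [""])[0]
    if not t_hex or not sign:
        return False, "missing t or sign"
    try:
        expiry = int(t_hex, 16)
    except ValueError:
        return False, "malformed t"
    # Constant-time comparison; a changed path or expiry changes the MAC.
    if not hmac.compare_digest(_mac(parts.path, t_hex, secret).encode(), sign.encode()):
        return False, "bad signature"
    if now > expiry:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed issue time
    url = sign_url("/tiles/basemap_large.png", 300, now=issued)
    print(url)
    print(verify_url(url, now=issued + 60))    # inside the window
    print(verify_url(url, now=issued + 301))   # after expiry
    print(verify_url(url.replace("basemap_large", "other"), now=issued + 60))
```

The TTL sets how long a copied link keeps working, so it is the value to tune against the size of the resources being served.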

Implemented Solutions

Technical Measures

  1. IP Blacklisting: Blocked /16 and /24 CIDR ranges of malicious IP clusters (e.g., 192.168.0.0/16)
  2. Enabled Timestamp Anti-Leeching: Minimal implementation effort
  3. Deployed Origin Authentication: Collaborated with IT to integrate commercial WAF

Business Adjustments

  • Migrated all buckets to Alibaba Cloud due to:

    • Qiniu's inadequate traffic management (no bandwidth throttling/alerting)
    • Platform's indifference to client financial risk
    • Technical limitations in attack mitigation

Legal Actions

  1. Reported to Shanghai 12345 Citizen Hotline:

    • Company: Shanghai Qiniu Information Technology Co., Ltd.
    • Address: 66 Boxia Road, Pudong, Shanghai
    • Outcome: Successfully secured partial refund
  2. Filed complaints with ISPs and local police using access logs

Unresolved Questions

Although the attacks have been reduced, the motivation remains unclear:

  • Ruled out Qiniu's involvement (despite their shortcomings)
  • Unlikely PCDN traffic balancing (our small scale offers negligible value)
  • Personal grudge theory possible but unconfirmed

If any content offended parties capable of orchestrating such attacks: My monthly WeChat advertising revenue barely reaches 200 CNY. I sincerely apologize and request cessation of these costly operations.