All too often, organizations small and large fall victim to the false notion that having a Content Delivery Network (CDN) that provides web optimization services, is also the ideal place to protect from DDoS threats. While CDNs often have excess capacity that can be used for attack absorption, they generally are not set up to effectively protect their customer’s infrastructure, data centers or even applications. Here’s why:
First, CDNs generally cache and serve up static content elements, the pages or parts of a page that change infrequently and are not user-specific. Transactional websites have quite a bit of static content elements, but also rely heavily on dynamic content that changes based on users, user input, or otherwise changes with great frequency. Attackers have become adept at creating tools and launching dynamic DDoS attacks that contain traffic with random parameters (for example, in the HTTP GET requests) that are immediately redirected to the customer’s origin server, and which typically do not have the capacity to handle these attacks as they scale.
Although CDNs can reduce the load on origin servers for legitimate users, the origin servers still need to be connected to the network are vulnerable to attack if their source IP address is discovered. There are a number of ways an attacker can discover the source IP address of the origin servers and circumvent the protections put in place by the CDN. At a recent Black Hat security conference, researchers demonstrated how easy it is to bypass CDN security. One of the attacks demonstrated that by simply uploading an avatar to a forum one could unmask the IP of the origin servers. Another DDoS attack showed how a fake DCMA takedown – when content is removed from a website at the request of the content owner – could force the ISP or cloud provider to unmask the origin server.
Content Delivery Networks have become an important part of delivering an optimized user experience for websites. However, the temptation of relying on CDN providers to also provide security because “it’s easy” or because they are already in the flow of traffic, is highly risky. True security measures require the right technology deployed in the right architecture to protect from today’s sophisticated DDoS cyber attacker.