Myths and Truths: How CDNs can protect an Enterprise against DDoS Attacks
A common CDN technique to thwart Layer 7 DDoS is page-caching. Since the CDN is caching content and/or pages for minutes or hours, any type of flood traffic to those pages will be absorbed by the CDN. This blocks the attack from ever making it to the origin web server.
This technique has several drawbacks, however, and an experienced attacker will be able to quickly work around the page-caching countermeasure. For example, attackers typically choose highly valued areas of a website; such as the checkout area, or other dynamic content that cannot be cached from a functional perspective. Even when page caching is used, attackers will quickly work around the countermeasure by using cache-busting techniques. This involves changing URL parameters to add random numbers to queries. The Cache Key is one such area for the CDN, because it is always changing, and thus the CDN has to continually visit the origin web server to fetch the content.
Protection for Origin IPs: CDNs can also act as a shield to ensure that attacks cannot be sent directly to the origin Data Center. This is achieved by knowing in advance what IP addresses the CDN will communicate to the origin from. By having this list, the enterprise can add access rules to their firewall so that only CDN IPs are allowed, and all other IPs are rejected.
While this is a great feature, there are some limitations to consider:
Cost: Shield services offered by some CDNs are fairly expensive. Carefully consider the additional fees associated with this service and weigh the cost against some of the limitations below.
Cloud Firewall Limitations: The list of IP addresses for this type of shield service can be very long, often in the thousands. However, some cloud firewalls, specifically Amazon AWS Security Groups, only allow for a limited set of rules, far below the number of IPs provided by the CDN. If you are using cloud infrastructure to deliver your web application, check into this limitation before purchasing the shield service.
Any non-HTTP(S) ports will not be protected by the shield service as the IP/Port combination will ultimately need to be exposed from the origin Data Center.
As with many countermeasures, the IP Shield does not offer complete protection. Hackers can often get around the shield by simply learning the IP address of the origin. If an enterprise changed their DNS, there are still “traces” of the origin IP out in the wild. For example, a quick search on https://dnshistory.org can reveal DNS records that span multiple years. Once an attacker knows the origin IP, a stateful firewall will not protect those IPs from Layer 3/4 attacks, like: Syn floods, UDP floods, and Amplification Attacks. By attacking the origin directly at a lower level, attackers can succeed in bringing down an enterprise, even when a CDN shield is fully implemented.
“A common CDN technique to thwart Layer 7 DDoS is page-caching”
The good news is, there are methods for protecting an Origin Data Center, with or without a shield service offered by CDNs. There are specialized vendors that offer network DDoS protection services and use internet routing protocols (such as BGP) to route traffic through a DDoS Mitigation Data Center, prior to delivering the traffic to the Origin Data Center. Consider utilizing a Network Layer Protection Service and a specialized Application Layer Protection Service to avoid some of the pitfalls discussed above.
CDNs can be great tools in an overall DDoS protection and security strategy. However, it is important to keep in mind some of the fall-backs we’ve discussed above, as well as ask lots of questions to ensure that the service that you are getting both meets your expectation and is able to effectively protect against sophisticated DDoS attack campaigns.