|By Darren Anstee||
|September 28, 2016 02:30 PM EDT||
Does a Content Delivery Network (CDN) protect against Distributed Denial of Service (DDoS) attacks? It's a good question. A CDN by its very nature will absorb DDoS attacks for the content that it serves and this could be considered protection but, as is often the case, this is only the beginning of the story.
If we consider what is actually going on here, the CDN isn't actually ‘blocking' the DDoS attack - it is simply reducing its impact by throwing more resources at the problem. This means that the size of the DDoS attack a CDN can deal with is inherently dependent on the size of the CDNs infrastructure, which for some of the market-leading players means that pretty much any current attack targeting CDN served content can be ‘absorbed.'
This sounds great - DDoS Problem Solved - but there a couple of big caveats here.
First, many CDN providers charge based on the amount of traffic they process and content they serve. If the CDN solution to DDoS is simply to ‘absorb' it then that traffic can be chargeable - so the ‘cost' of an attack for a CDN customer isn't predictable and unexpected (large) bills can be the result.
The second and perhaps most significant problem is the risk that the attacker can bypass the CDN, or proxy through it, to target the customer's origin server.
If the attacker can find out the IP address of the origin server used to provide dynamic content, account information, etc., then he can bypass the CDN. There are techniques that effectively use the CDN as the proxy for a DDoS attack towards a customer's origin servers. Unfortunately, both of these techniques are used in the wild, and many commercial ‘DDoS for Hire' services advertise their ability to circumvent CDNs.
The answer is layered DDoS protection. This involves the use of a cloud-based DDoS protection service to deal with high magnitude attacks, plus an on premise component to deal proactively with all attacks, including the stealthier, more sophisticated application layer attack vectors. Both of these layers are designed to ‘block' attack traffic, so that only good traffic is processed - this differs from the way most CDNs ‘absorb' DDoS attacks.
If attack traffic is blocked then it can longer consume resources on application / service infrastructure, and most good DDoS mitigation services charge based on the amount of clean traffic delivered to the end-customer (not the ‘unknown' amount of attack traffic) - this makes the cost model far more predictable and palatable to the CFO.
A content delivery/distribution network is not a solution to DDoS attacks. CDNs can reduce the impact of a DDoS attack targeting CDN served content, but they do not represent a comprehensive defensive strategy. CDNs may prevent some attacks from succeeding - but not all.
Relying on a CDN to protect your organization from a DDoS attack is very risky, in the same way as being reliant on an umbrella to keep you 100% dry in heavy rain. The umbrella will provide protection from rain as it falls, but not from being splashed by a passing bus. Organizations should consider the best-practice of layered DDoS defense, possibly alongside a CDN if required, to effectively protect against DDoS threats.
Sep. 28, 2016 04:15 PM EDT Reads: 2,415
Sep. 28, 2016 04:15 PM EDT Reads: 1,850
Sep. 28, 2016 04:15 PM EDT Reads: 1,459
Sep. 28, 2016 04:00 PM EDT Reads: 1,478
Sep. 28, 2016 03:15 PM EDT Reads: 1,302
Sep. 28, 2016 03:15 PM EDT Reads: 4,133
Sep. 28, 2016 03:15 PM EDT Reads: 334
Sep. 28, 2016 03:00 PM EDT Reads: 3,862
Sep. 28, 2016 02:45 PM EDT Reads: 1,737
Sep. 28, 2016 02:30 PM EDT Reads: 3,309
Sep. 28, 2016 02:30 PM EDT Reads: 2,922
Sep. 28, 2016 02:00 PM EDT Reads: 4,419
Sep. 28, 2016 02:00 PM EDT Reads: 4,773
Sep. 28, 2016 01:57 PM EDT Reads: 238
According to Forrester Research, every business will become either a digital predator or digital prey by 2020. To avoid demise, organizations must rapidly create new sources of value in their end-to-end customer experiences. True digital predators also must break down information and process silos and extend digital transformation initiatives to empower employees with the digital resources needed to win, serve, and retain customers.
Sep. 28, 2016 01:23 PM EDT Reads: 255