By Jouni Viinikka, R&D Director at 6cure; Frédéric Coiffier, Software Development Engineer at 6cure
Content Delivery Networks (CDNs) were designed to optimize the performance of content distribution on the Internet and to reduce bandwidth costs for those who produce that content, in order to cope with increasing demand and a growing volume of data to be served. We often hear the argument that the protection against DDoS attacks provided by a CDN is THE solution for protecting oneself: let’s see what this argument is based on.
HOW A CDN WORKS
To simplify, a CDN is made up of a set of interconnected servers, widely distributed geographically and also logically within the mesh of the Internet. The CDN uses these distributed servers to cache its customers’ content and deliver it to their users. Clever use of routing makes it possible to rely on the “caches” closest to each client, allowing faster delivery of content and thus avoiding the consumption of resources, including bandwidth, on the origin server hosting the original content. When a client first requests a resource, such as an image or a web page, the CDN must fetch that content from the origin server in order to serve the client. However, from this moment,
CDNs typically cache static, unchanging content, such as the images on a website. However, CDNs cannot cache dynamic content, such as the inventory and order information of a sales site, or are more limited in their ability to do so. Dynamic content is typically served by the origin site. The origin site is therefore requested not by its users but by the CDN, on the one hand for static content not yet cached, and on the other hand for dynamic content, which cannot be cached.
CDN AND PROTECTION AGAINST DDOS ATTACKS
By its nature, a CDN has mechanisms that can be useful in the face of distributed denial-of-service attacks. For example, a CDN often has significant resources in terms of network and server capacity, which often allow it to simply absorb a larger number of requests than the origin server could. In addition, through the same distribution and routing mechanisms that allow it to spread the load of users, distributed attacks are no longer aimed at a single target, but at a target that is itself distributed according to the location of each attack source.
“THE DEVIL IS IN THE DETAILS”
However, despite these useful layers of protection, the very operation of a CDN can open new attack vectors or make the defense of the origin server more difficult. For example, if an attack using a botnet requests non-existent, and therefore uncached, resources from a website, this can lead the CDN in turn to request these resources repeatedly from the origin server and cause a denial-of-service condition on the origin server. In addition, the attack as seen by the origin server is no longer distributed, but comes from the CDN! In this situation it can be difficult for the origin server to protect itself, because the CDN is at the same time the source of the attack and of the legitimate requests: simple approaches relying on blacklisting sources at the server level can no longer be used in this case.
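The consequence described above, that at the origin every request appears to come from a CDN edge address, can be checked in the origin’s own access logs. The following Python example is added here and is not code from the original article or from 6cure; it assumes a combined-format access log in which the CDN forwards the real client address in an X-Forwarded-For field, and it uses constructed log lines.

```python
import re
from collections import Counter

# Constructed sample of origin-server access log lines: CDN edge address first,
# then a trailing X-Forwarded-For value (assumed to be passed through by the CDN).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /img/logo.png HTTP/1.1" 200 1234 "198.51.100.5"
203.0.113.10 - - [01/Jan/2024:10:00:02 +0000] "GET /zz9q1.html HTTP/1.1" 404 0 "192.0.2.7"
203.0.113.11 - - [01/Jan/2024:10:00:02 +0000] "GET /a8x2k.html HTTP/1.1" 404 0 "192.0.2.7"
203.0.113.10 - - [01/Jan/2024:10:00:03 +0000] "GET /cart HTTP/1.1" 200 512 "198.51.100.6"
203.0.113.11 - - [01/Jan/2024:10:00:03 +0000] "GET /css/main.css HTTP/1.1" 200 800 "198.51.100.9"
203.0.113.11 - - [01/Jan/2024:10:00:04 +0000] "GET /p0qwe.html HTTP/1.1" 404 0 "192.0.2.8"
203.0.113.10 - - [01/Jan/2024:10:00:04 +0000] "GET /q7n3m.html HTTP/1.1" 404 0 "192.0.2.7"
"""

LINE_RE = re.compile(
    r'^(?P<edge>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<xff>[^"]*)"$'
)

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def miss_counts(text, by="edge"):
    """Count 404 (cache-miss) requests that reached the origin, keyed by the CDN edge
    that relayed them ('edge') or by the first X-Forwarded-For address ('xff')."""
    counts = Counter()
    for rec in parse_log(text):
        if rec["status"] != "404":
            continue
        if by == "edge":
            key = rec["edge"]
        else:
            key = rec["xff"].split(",")[0].strip() or "unknown"
        counts[key] += 1
    return dict(counts)

def misses_share_edges_with_legit(text):
    """True when every edge address relaying 404s also relays 2xx responses, i.e.
    blocking by source address at the origin would also block legitimate traffic."""
    records = list(parse_log(text))
    ok_edges = {r["edge"] for r in records if r["status"].startswith("2")}
    miss_edges = {r["edge"] for r in records if r["status"] == "404"}
    return bool(miss_edges) and miss_edges <= ok_edges
```

Keyed by edge address the misses are spread evenly over edges that also carry legitimate traffic, so blocking those addresses is not an option; keyed by the forwarded client address the concentration of misses becomes visible again.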
On the other hand, it should not be forgotten that the protections provided by the CDN only cover the cached content. The origin server and, more generally, the company to which the site belongs will still need working connectivity. Beyond the origin server, which must be able to provide uncached and dynamic content to the CDN, the service may need to interact with other sites, the company must be able to send and receive email, and its teams must be able to access Voice over IP services or connect to the Internet in general to reach cloud services. All this requires that the on-site services, or at least the company’s Internet access, which cannot be protected by a CDN, continue to function.
In addition, depending on the CDN, the protections provided may be limited to volumetric protections, while more sophisticated application-layer attacks may pass through the CDN and reach the origin site. In sum, the situation is often much more complex than it first appears.
First, it is important to understand how things work, not just the website but the business as a whole, and to perform a risk analysis to identify the various threats.
Then, depending on the risks to the availability and/or quality of service of communications, network services and/or applications, it may be useful to rely on the protection features provided by one’s CDN, potentially more capable against large volumetric attacks, or to use “On-Premise” protections, potentially more precise and more capable against application attacks. Optimal protection often means hybrid protection, combining the precision and speed of an “On-Premise” solution with the sufficiently high volumetric capacity offered by a mitigation service provider. In some cases a CDN may be a suitable component.
Source: 6cure SAS