Welcome!

Cloud Security Authors: Elizabeth White, Zakia Bouachraoui, Liz McMillan, Pat Romanski, Yeshim Deniz

Related Topics: Cloud Security, Agile Computing, @CloudExpo

Cloud Security: Article

Does a CDN Protect Against DDoS Attacks? | @CloudExpo #Cloud #Security

A CDN by its very nature will absorb DDoS attacks for the content that it serves and this could be considered protection

Does a Content Delivery Network (CDN) protect against Distributed Denial of Service (DDoS) attacks? It's a good question. A CDN by its very nature will absorb DDoS attacks for the content that it serves and this could be considered protection but, as is often the case, this is only the beginning of the story.

If we consider what is actually going on here, the CDN isn't actually ‘blocking' the DDoS attack - it is simply reducing its impact by throwing more resources at the problem. This means that the size of the DDoS attack a CDN can deal with is inherently dependent on the size of the CDNs infrastructure, which for some of the market-leading players means that pretty much any current attack targeting CDN served content can be ‘absorbed.'

This sounds great - DDoS Problem Solved - but there a couple of big caveats here.

First, many CDN providers charge based on the amount of traffic they process and content they serve. If the CDN solution to DDoS is simply to ‘absorb' it then that traffic can be chargeable - so the ‘cost' of an attack for a CDN customer isn't predictable and unexpected (large) bills can be the result.

The second and perhaps most significant problem is the risk that the attacker can bypass the CDN, or proxy through it, to target the customer's origin server.

If the attacker can find out the IP address of the origin server used to provide dynamic content, account information, etc., then he can bypass the CDN. There are techniques that effectively use the CDN as the proxy for a DDoS attack towards a customer's origin servers. Unfortunately, both of these techniques are used in the wild, and many commercial ‘DDoS for Hire' services advertise their ability to circumvent CDNs.

The answer is layered DDoS protection. This involves the use of a cloud-based DDoS protection service to deal with high magnitude attacks, plus an on premise component to deal proactively with all attacks, including the stealthier, more sophisticated application layer attack vectors. Both of these layers are designed to ‘block' attack traffic, so that only good traffic is processed - this differs from the way most CDNs ‘absorb' DDoS attacks.

If attack traffic is blocked then it can longer consume resources on application / service infrastructure, and most good DDoS mitigation services charge based on the amount of clean traffic delivered to the end-customer (not the ‘unknown' amount of attack traffic) - this makes the cost model far more predictable and palatable to the CFO.

Conclusion
A content delivery/distribution network is not a solution to DDoS attacks. CDNs can reduce the impact of a DDoS attack targeting CDN served content, but they do not represent a comprehensive defensive strategy. CDNs may prevent some attacks from succeeding - but not all.

Relying on a CDN to protect your organization from a DDoS attack is very risky, in the same way as being reliant on an umbrella to keep you 100% dry in heavy rain. The umbrella will provide protection from rain as it falls, but not from being splashed by a passing bus. Organizations should consider the best-practice of layered DDoS defense, possibly alongside a CDN if required, to effectively protect against DDoS threats.

More Stories By Darren Anstee

Darren Anstee, Chief Technology Officer at Arbor Networks, has 20 years of experience in pre-sales, consultancy and support for telecom and security solutions. In his position, he works across the research, strategy and pre-sales aspects of Arbor’s traffic monitoring, threat detection and mitigation solutions for service providers and enterprises around the world. Prior to joining Arbor, he spent over eight years working in both pre- and post-sales for core routing and switching product vendors. Follow Darren Anstee on Twitter ‏@cadernid

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


IoT & Smart Cities Stories
SYS-CON Events announced today that IoT Global Network has been named “Media Sponsor” of SYS-CON's @ThingsExpo, which will take place on June 6–8, 2017, at the Javits Center in New York City, NY. The IoT Global Network is a platform where you can connect with industry experts and network across the IoT community to build the successful IoT business of the future.
IoT is rapidly becoming mainstream as more and more investments are made into the platforms and technology. As this movement continues to expand and gain momentum it creates a massive wall of noise that can be difficult to sift through. Unfortunately, this inevitably makes IoT less approachable for people to get started with and can hamper efforts to integrate this key technology into your own portfolio. There are so many connected products already in place today with many hundreds more on the h...
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering Cloud Expo and @ThingsExpo will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at Cloud Expo. Product announcements during our show provide your company with the most reach through our targeted audiences.
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
CloudEXPO New York 2018, colocated with DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
DXWorldEXPO | CloudEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
Disruption, Innovation, Artificial Intelligence and Machine Learning, Leadership and Management hear these words all day every day... lofty goals but how do we make it real? Add to that, that simply put, people don't like change. But what if we could implement and utilize these enterprise tools in a fast and "Non-Disruptive" way, enabling us to glean insights about our business, identify and reduce exposure, risk and liability, and secure business continuity?
The deluge of IoT sensor data collected from connected devices and the powerful AI required to make that data actionable are giving rise to a hybrid ecosystem in which cloud, on-prem and edge processes become interweaved. Attendees will learn how emerging composable infrastructure solutions deliver the adaptive architecture needed to manage this new data reality. Machine learning algorithms can better anticipate data storms and automate resources to support surges, including fully scalable GPU-c...
DXWorldEXPO LLC announced today that Telecom Reseller has been named "Media Sponsor" of CloudEXPO | DXWorldEXPO 2018 New York, which will take place on November 11-13, 2018 in New York City, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...