Why CDNs Don’t Solve Your DDoS Problem

Marco Gioanola

A false sense of security is the worst thing that can happen to your business. Large Content Delivery Networks have reached truly global size, the underlying technologies have made it possible to implement “clouds” of services, and the “cloud” now is becoming synonymous with the internet itself. So, your website runs in the cloud, and nobody can crash a cloud, can they? So, you’re secure. DDoS protection: check.

Well, wait a moment, there are a few more things to consider.

First of all, what about everything else? Your business is a larger machine than just the web front-end delivered by your favorite CDN. For one, all your employees have to access the internet to use a multitude of cloud services themselves: email, file storage, CRM, instant messaging, entire office automation suites now run from some sort of “cloud”. In short, if you can’t access the internet, you can’t work. Your access to the internet is the single most critical asset of your company. Is it protected against DDoS attacks? There are plenty of examples of how things can go wrong if it’s not. This story from 2016 describes the effects of a DDoS attack against the European Commission’s IT services: “No one could work this afternoon, since the internet was gone twice, for several hours”; a surprise holiday courtesy of DDoS. In 2017 trains were delayed in Sweden because the employees of the Transport Administration couldn’t access their monitoring systems and had to fall back to manual processes for managing the country’s rail network. In 2018, following a DDoS attack, customers of Danish rail operator DSB couldn’t buy tickets, and since email and phone services crashed as well, DSB couldn’t contact staff or customers to provide help.

There’s more. The whole point of using a CDN is to globally replicate and distribute static or dynamic content that is usually created and updated on your origin servers. Origin servers are frequently exposed on the internet, and as such must be protected against direct DDoS attacks. It doesn’t matter how many different paths a river takes to reach the sea: if its source is blocked, water stops flowing. It can get even trickier, though. When a customer tries to access the description of a product that is not yet cached by the CDN, the CDN has to retrieve it from the origin servers. At NETSCOUT, years ago we assisted customers that were receiving DDoS attacks apparently originating from large CDNs, and developed countermeasures to surgically block those attacks without affecting the legitimate conversations between CDN and origin servers. What was happening was that attackers had figured out ways to generate traffic that triggered requests towards the origin servers, thus using the CDN as a burning lens to set the origin servers on fire.
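As an added illustration (not NETSCOUT’s code and not part of the original post), the script below flags the pattern just described in an origin server’s own access log: a burst of requests for one path where nearly every query string is new, so the CDN cannot answer from cache and forwards each hit to the origin. The log format, thresholds, addresses and sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-format access log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \d+')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (client_ip, timestamp, path, query) or None if the line is unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, url, _status = m.groups()
    path, _, query = url.partition("?")
    return ip, datetime.strptime(ts, TIME_FMT), path, query

def cache_busting_paths(lines, window=timedelta(seconds=60), min_hits=5, uniq_ratio=0.8):
    """Map path -> number of distinct query strings for paths where, inside one
    time window, at least min_hits requests arrived and nearly all carried a
    query string not seen before. Legitimate traffic repeats popular variants;
    a run of unique variants means each hit is a CDN cache miss forwarded to origin."""
    per_path = defaultdict(list)  # path -> [(timestamp, query), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            _ip, ts, path, query = parsed
            per_path[path].append((ts, query))
    flagged = {}
    for path, events in per_path.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            queries = [q for ts, q in events[i:] if ts - start <= window]
            if len(queries) >= min_hits and len(set(queries)) / len(queries) >= uniq_ratio:
                flagged[path] = len(set(queries))
                break
    return flagged

# Constructed sample (hypothetical TEST-NET addresses standing in for CDN edges):
# six hits on /product/123 with a fresh query string each, six repeat hits on /product/42.
SAMPLE_LOG = [
    f'203.0.113.{i} - - [05/Mar/2019:10:00:0{i} +0000] "GET /product/123?v={q} HTTP/1.1" 200 5120'
    for i, q in enumerate(["a1f3", "9c2e", "77b0", "d41d", "0e5a", "b33f"], start=1)
] + [
    f'198.51.100.{i} - - [05/Mar/2019:10:00:0{i} +0000] "GET /product/42?lang=en HTTP/1.1" 200 4096'
    for i in range(1, 7)
]
```

Running `cache_busting_paths(SAMPLE_LOG)` flags only `/product/123`; the repeated `?lang=en` hits on `/product/42` are what normal cached traffic looks like from the origin’s side.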

This leads to the third and last major point. Most large CDNs today provide some level of “DDoS protection” for the assets directly delivered by the CDN itself, but look closer and what you’ll see is, in most cases, just a set of basic, static filters. Think about physical security: if a guy shows up masked and with an Uzi in hand, it’s quite easy to classify him as a robber, but if he looks like a perfect gentleman with Robert Redford’s face, you might be tricked into letting him in. Blocking UDP floods at a CDN’s edge is the DDoS mitigation equivalent of being able to stop somebody showing up at your house with a tank: useful, but not exactly targeting the most sophisticated attacker. The point here is that attackers are sometimes smarter than the defenders, and definitely have the luxury of putting more time and effort into figuring out ways to reach their goal, for example by crafting targeted application-layer weapons, than you can put into building your defenses. So, in order to defend against these smart attackers, you need things that most CDNs won’t provide, for the simple reason that it’s not their job: intelligent and dynamic mitigation countermeasures, comprehensive visibility into what’s being blocked (or passed) and why, and 24/7 access to a team of experts that can help you when the going really gets tough. It’s what we do at NETSCOUT.

For a quick assessment of your current DDoS protection strategy, take this 5-question quiz.