Can a CDN Really Protect You Against DDoS Attacks?

Tech Insights for Professionals: The latest thought leadership for IT pros

Tuesday, March 14, 2023

A CDN is seen by some as a good way to guard against DDoS attacks. But how does it work, and does it really provide full protection?

Cyberattacks that knock organizations offline can be a huge threat for any company today. More business than ever is done digitally, so any disruptions can quickly result in serious consequences in terms of both lost revenue and reputational damage.

This is especially important if online channels are your main - or only - way of keeping in touch with customers and driving sales. eCommerce retailers, communications service providers, financial services firms and software providers, to name but a few, all now rely on these channels to remain active.

When these services go offline, the costs can be significant. 40% of firms say a single hour of downtime will cost them between $1 million and $5 million - before any legal consequences are taken into account.

While there can be many causes of downtime, from power disruptions to hardware failure, one of the biggest threats to many businesses comes from a more malicious source - distributed denial of service (DDoS) attacks.

The threats posed by DDoS attacks

DDoS attacks have been around almost as long as the internet, and have been a major challenge for any network admin ever since. While there are a few different techniques for achieving the desired result, the general principle is to flood a server with more traffic than it's designed to handle - sometimes much more. Indeed, some of the biggest DDoS attacks on record can push more than 2 terabits of data per second to their targets.

The effect of this is that it becomes impossible for legitimate traffic, which will only make up a tiny percentage of the incoming server requests, to get through. For end-users, the result is the service, website or application appears to be offline.

A DDoS attack can hit a network in several locations, including the network layer, the transport layer or the application layer, but the end result is usually the same.

Depending on their length and complexity, attacks can range from being a minor nuisance to completely shutting down a firm's operations for an extended period. However, while they can originate from anyone willing to pay a few dollars for a botnet, major attacks are getting larger and more complex.

In the last quarter of 2022, Cloudflare reported a 79% year-on-year increase in DDoS attack traffic, with the number of large attacks (defined as those with rates of over 100 gigabits per second) growing by 67% compared with the previous three-month period and the number of attacks lasting more than three hours rising by 87% quarter-on-quarter.

Despite this, many businesses still aren't taking these threats seriously enough. Indeed, research by Insights for Professionals found only around one in three IT leaders (35.6%) are prioritizing DDoS prevention software as part of their cyber security strategy.

CDN DDoS explained 

One challenge of DDoS attacks is they can be hard to defend against using traditional methods, as it can prove difficult for firms to filter out malicious traffic without affecting legitimate users. In the past, this meant companies have often had no choice but to ride out the attacks. However, there are now more tools and mitigation services available to counter this threat, and one option is the use of a content delivery network (CDN) with DDoS protections.  

A CDN lets you distribute your traffic load to various servers around the world. It works by caching your web server's content at locations closer to the end user. Therefore, instead of your main web server serving visitors all over the world from a single, centralized location, you have multiple copies of your site available in many places.  

As well as decreasing load times for your site, which is many services' prime function, CDN services help you relieve the pressure that huge traffic volumes place on your network, should you come under attack.  

How CDNs can protect your website against DDoS 

CDNs have many advantages, such as improving reliability and ensuring geographically diverse customers can enjoy a smooth, fast experience. But the security measures they use also provide mitigation against DDoS attacks.  

CDNs are designed specifically to handle large amounts of traffic, so if you experience a huge increase in requests typical of a DDoS attack, the CDN can respond by redistributing this traffic, ensuring it doesn't reach your origin servers and take your site offline.

This means customers will be able to continue accessing your website as normal and won’t even notice if you're under attack. 

However, to achieve this you'll need the right CDN.

What core CDN features should you look for? 

Not all providers are alike, so there are a few things you should be looking for to stand the best chance of defending against DDoS attacks. 

These include:

  • Dedicated DDoS protection packages: Not all CDNs are equipped for this, so make sure you know what your provider's solutions are.
  • Global distribution: The wider your network is, the better your chances of defending against an attack.
  • Intelligent caching: Services that can effectively anticipate your content delivery needs will be better able to respond to attacks quickly.
  • Good customer support: DDoS attacks can happen at any time, so if you do have an incident, you need to be able to get help immediately, 24/7.
  • Customization: The ability to tailor services to the specific needs of your site, such as how they deliver multimedia content, helps ensure you can provide the best experience to visitors.
  • Bot protection: Filtering out non-human users, or bots, is crucial to DDoS protection. While you need to allow some bots, such as those used by Google to crawl and index information for search results, being able to spot bots and limit how they can interact with the site is vital in guarding against attacks.
  • SSL: Using Secure Sockets Layer (SSL) is vital in demonstrating your site is secure. A good CDN provider should offer a number of options for this, including forcing a session to use a more recent and secure level of SSL.
  • Web application firewall (WAF): To enhance your site's protection, CDNs with their own WAF can identify and block a range of other threats, such as SQL injection. They can also look at outgoing traffic to determine if you're the victim of a data exfiltration attack.

What are the limitations of CDNs as DDoS protection?

It's important to remember that a CDN can't guarantee you 100% protection against every DDoS attack. For instance, CDNs are more effective at blocking attacks aimed at the transport or network layers, while those targeting the application layer are harder to mitigate, as you can't rely on your CDN cache to process requests.

Generally, while CDNs can keep your web assets available, they aren't well-equipped to protect firms against non-web services or other types of assets, such as internet connectivity itself.

What's more, Netscout warns that in some cases, CDNs might actually contribute to DDoS attacks by reflecting the attacks towards the customer's back-end servers. The firm explained that because a CDN can ingest large amounts of traffic that might not exceed its 'danger threshold', it may flood the customer's infrastructure with unmanageable amounts of queries.
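The two limitations above (application-layer requests that the cache cannot answer, and traffic that stays under the CDN's threshold but still overwhelms the back end) can be monitored from the defender's side by tracking how many requests the edge forwards to the origin. The following is an added example, not code from the article or any CDN vendor; the log format, the sample lines and the `ORIGIN_CAPACITY_RPS` value are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample of CDN edge log lines (hypothetical format, not real traffic):
# <epoch second> <client IP> <cache status> <path>
SAMPLE_LOG = """\
100 192.0.2.10 HIT /index.html
100 192.0.2.11 HIT /style.css
100 198.51.100.7 MISS /search
100 192.0.2.12 HIT /index.html
101 203.0.113.9 MISS /search
101 203.0.113.9 MISS /search
101 203.0.113.9 MISS /search
101 203.0.113.9 MISS /search
101 198.51.100.7 MISS /cart
101 192.0.2.10 HIT /index.html
"""

ORIGIN_CAPACITY_RPS = 3  # assumed: requests per second the origin can serve


def origin_load(lines):
    """Count, per second, requests seen at the edge and those forwarded to origin."""
    edge, origin = Counter(), Counter()
    misses_by_client = defaultdict(Counter)
    for line in lines:
        if not line.strip():
            continue
        ts, ip, cache_status, _path = line.split()
        ts = int(ts)
        edge[ts] += 1
        if cache_status == "MISS":  # a miss is served by the origin, not the cache
            origin[ts] += 1
            misses_by_client[ts][ip] += 1
    return edge, origin, misses_by_client


def overloaded_seconds(lines, capacity=ORIGIN_CAPACITY_RPS):
    """Return (second, edge_rps, origin_rps, top_client, top_client_misses)
    for every second in which origin-bound traffic exceeds origin capacity."""
    edge, origin, misses_by_client = origin_load(lines)
    alerts = []
    for ts in sorted(origin):
        if origin[ts] > capacity:
            top_ip, count = misses_by_client[ts].most_common(1)[0]
            alerts.append((ts, edge[ts], origin[ts], top_ip, count))
    return alerts


if __name__ == "__main__":
    for alert in overloaded_seconds(SAMPLE_LOG.splitlines()):
        print("origin overload:", alert)
```

In the sample, the edge sees only six requests in second 101, a volume no CDN would treat as abnormal, yet five of them are cache misses and exceed the assumed origin capacity; the client responsible for most of the misses is the candidate for edge rate limiting.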

It's also important to remember that if you’re relying heavily on a single CDN service, you could be exposing your website to a single point of failure should your provider experience its own outage. This was demonstrated clearly in 2021 at Fastly, a CDN provider with customers including Amazon, the BBC, eBay, and the UK government. When a failed software update introduced a domino effect of errors, it resulted in 85% of the network going offline for almost an hour, impacting thousands of websites around the world. 

As such, CDNs mustn’t be viewed as a single solution for protecting businesses from the threats posed by DDoS attacks. Instead, they must be treated as just one element of a multi-layered solution that includes dedicated anti-DDoS tools.
