Can a CDN Really Protect You Against DDoS Attacks?

{authorName}

Tech Insights for ProfessionalsThe latest thought leadership for IT pros

Tuesday, February 2, 2021

A CDN is seen by some as a good way to guard against DDoS attacks. But how do these work, and do they really provide full protection?

Article 5 Minutes
Can a CDN Really Protect You Against DDoS Attacks?

Cyberattacks that knock organizations offline can be a huge threat for any company today. More business than ever is done digitally, so any disruptions can quickly result in serious consequences in terms of both lost revenue and reputational damage.

This is especially important if online channels are your main - or only - way of keeping in touch with customers and driving sales. eCommerce retailers, communications service providers, financial services firms and software providers, to name but a few, all now rely on these channels to remain active.

When these services go offline, the costs can be significant. 40% of firms say a single hour of downtime will cost them between $1 million and $5 million - before any legal consequences are taken into account.

While there can be many causes of downtime, from power disruptions to hardware failure, one of the biggest threats to many businesses comes from a more malicious source - distributed denial of service (DDoS) attacks.

Wake up CIOs. The next-gen of threats has arrived

Devising a multi-layered security plan is key to bolstering your defenses and mitigating risk.

VISIT THE HUB

The threats posed by DDoS attacks

DDoS attacks have been around almost as long as the internet, and have been a major challenge for any network admin ever since. While there are a few different techniques for achieving the desired result, the general principle is to flood a server with more traffic than it's designed to handle - sometimes much more. Indeed, some of the biggest DDoS attacks on record can push more than 2 terabits of data per second to their targets.

The effect of this is that it becomes impossible for legitimate traffic, which will only make up a tiny percentage of the incoming server requests, to get through. For end-users, the result is the service, website or application appears to be offline.

A DDoS attack can hit a network in several locations, including the network layer, the transport layer or the application layer, but the end result is usually the same.

Depending on the length and complexity of the attack, they can range from being a minor nuisance to completely shutting down a firm's operations for an extended period. However, while they can originate from anyone willing to pay a few dollars for a botnet, major attacks are getting larger and more complex.

According to NetScout, there were 4.83 million DDoS attacks recorded in the first half of 2020, a 15% year-on-year increase. However, the number of 'super-sized' attacks has jumped by more than 2,800% since 2017.

How CDNs promise to help

One challenge of DDoS attacks is they can be hard to defend against using traditional methods. It can prove difficult for firms to filter out malicious traffic without affecting legitimate users. In the past, companies have often had no choice but to ride out the attacks.

However, there are now more tools available to counter this threat, and one popular option is the use of a content delivery network (CDN). This works by distributing your traffic to various servers around the world. They have many advantages, such as improving reliability and ensuring geographically diverse customers can enjoy a smooth, fast experience. But they can also provide mitigation against DDoS attacks.

CDNs are designed specifically to handle large amounts of traffic, so if a company experiences a huge increase in requests typical of a DDoS attack, it can respond by redistributing this traffic and ensuring it doesn't reach your origin servers.

This means customers will be able to continue accessing your website as normal and won’t even notice if you're under attack.

However, to achieve this you'll need the right CDN network. Not all providers are alike, so there are a few things you should be looking for to stand the best chance of defending against DDoS attacks.

These include:

  • Dedicated DDoS protection packages: not all CDNs are equipped for this, so make sure you know what your provider's solutions are
  • Global distribution: the wider your network is, the better your chances of defending against an attack
  • Intelligent caching: services that can effectively anticipate your content delivery needs will be better able to respond to attacks quickly
  • Good customer support: DDoS attacks can happen at any time, so if you do have an incident, you need to be able to get help immediately, 24/7

What are the limitations of CDNs as DDoS protection?

It's important to remember that a CDN can't guarantee you 100% protection against every DDoS attack. For instance, they’re more effective at blocking attacks aimed at the transport or network layers, while those targeting the application layer are harder to mitigate against, as you can't rely on your CDN cache to process requests.

Generally, while CDNs can keep your web assets available, they aren't well-equipped to protect firms against non-web services or other types of assets, such as internet connectivity itself.

What's more, Netscout warns that in some cases, CDNs might actually contribute to DDoS attacks by reflecting the attacks towards the customer’s back-end servers. The firm explained that because of its ability to ingest large amounts of traffic that might not exceed the CDN's 'danger threshold', it may flood the customer's infrastructure with unmanageable amounts of queries.

As such, CDNs mustn’t be viewed as a single solution for protecting businesses from the threats posed by DDoS attacks. Instead, they must be treated as just one element of a multi-layered solution that includes dedicated anti-DDoS tools.

Further reading:

 

Tech Insights for Professionals

The latest thought leadership for IT pros

Insights for Professionals provide free access to the latest thought leadership from global brands. We deliver subscriber value by creating and gathering specialist content for senior professionals.

Comments

Join the conversation...