Dan Ennis CEO


There are approximately 2.8 million websites worldwide using Content Delivery Networks (CDNs) with the goal of improving website response time, loading time and overall user experience. If you or your company manage a website, chances are that it is served by a CDN.

CDN providers position their product as one that doubles as a DDoS mitigation solution and an overall website security umbrella; however, this is far from being true. In this post we'd like to look into some of the common myths of CDN security.

1. CDNs are secure and especially effective in mitigating DDoS Attacks

CDNs use surrogate servers located in geographically dispersed data centers across different regions. It seems natural that this approach would contain DDoS attacks. For instance, a CDN can absorb some DDoS attack types by virtue of extended bandwidth without affecting content availability. The overload caused by a DDoS attack is combatted on local network edge servers, which helps prevent server saturation – right?

This might have been true in the past. Nowadays, the complexity and sophistication of DDoS attacks have neutralized any value that the CDN may have offered through its scattered network infrastructure. DDoS attacks can now cripple a site no matter what type of CDN hosting is involved…

CDN providers also claim to block web threats and limit abusive bots and crawlers from wasting bandwidth and server resources, resulting in decreased spam and hack attacks. However, this depends on a CDN service provider constantly updating its defenses against invasive activities. Allocating the necessary assets and keeping security tools continuously updated places a heavy financial and operational burden on companies, so in reality this is impractical.

2. CDNs Perform Seamlessly During a Cyber Attack

CDN reliability and availability rely on posting an up-to-date cached version of a website as soon as the original server-based site is compromised. Can website owners continue conducting business during an attack? What happens to commercial processes when an attack begins? Can they be recovered?

Most CDNs only host static resources such as images, videos, audio clips, CSS files and JavaScript. The range of free CDNs aimed at small businesses will only provide a copy of the most popular pages of a website when a server goes offline, and not the whole website structure. This is a far from satisfactory situation for medium and large organizations that must maintain ongoing business practices.

Even if a website is properly cached on a timely basis, hackers can easily work around this defense. For example:

  1. A hacker issues a request that was not in a CDN’s cache, or launches an enumeration DDoS attack
  2. A hacker issues an expired content request (setting the cache headers to “renew”)

In both cases the requests will be forwarded to the origin server and the cached content is rendered useless.
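From the defender's side, both patterns are visible in edge logs as clients whose requests almost never produce a cache hit. The following is an added example, not part of the original post: the log format, sample lines and thresholds are constructed assumptions, and the "renew" case is modelled as request `Cache-Control` directives that ask for revalidation.

```python
from collections import defaultdict

# Constructed sample of CDN edge log lines (hypothetical format):
# client_ip  url  cache_status  request_cache_control ("-" if absent)
SAMPLE_LOG = """\
203.0.113.5 /index.html HIT -
203.0.113.5 /css/site.css HIT -
203.0.113.5 /img/logo.png HIT -
203.0.113.5 /products?id=7 MISS -
198.51.100.9 /search?q=a81f MISS -
198.51.100.9 /search?q=c02d MISS -
198.51.100.9 /search?q=77be MISS -
198.51.100.9 /search?q=e913 MISS -
198.51.100.9 /search?q=0b4a MISS -
192.0.2.44 /index.html MISS no-cache
192.0.2.44 /index.html MISS no-cache
192.0.2.44 /index.html MISS max-age=0
192.0.2.44 /index.html MISS no-cache
192.0.2.44 /css/site.css HIT -
"""

MIN_REQUESTS = 4   # assumed threshold: ignore clients with very little traffic
ORIGIN_RATIO = 0.8  # assumed threshold: share of a client's requests reaching origin
REVALIDATE = ("no-cache", "no-store", "max-age=0")  # directives that skip the cache

def flag_cache_bypass(log_text):
    """Return {client_ip: reason} for clients whose traffic mostly reaches the origin."""
    stats = defaultdict(lambda: {"total": 0, "miss": 0, "forced": 0, "urls": set()})
    for line in filter(str.strip, log_text.splitlines()):
        ip, url, status, cc = line.split()
        s = stats[ip]
        s["total"] += 1
        if status != "HIT":  # anything but a hit was forwarded to the origin
            s["miss"] += 1
            s["urls"].add(url)
            if any(d in cc.lower() for d in REVALIDATE):
                s["forced"] += 1
    flagged = {}
    for ip, s in stats.items():
        if s["total"] < MIN_REQUESTS or s["miss"] / s["total"] < ORIGIN_RATIO:
            continue
        if s["forced"] / s["miss"] >= 0.5:  # mostly client-forced revalidation
            flagged[ip] = "forced-revalidation"
        elif len(s["urls"]) / s["miss"] >= 0.8:  # almost every miss is a new URL
            flagged[ip] = "unique-url-enumeration"
    return flagged

if __name__ == "__main__":
    print(flag_cache_bypass(SAMPLE_LOG))
```

Clients flagged this way are candidates for rate limiting at the edge or for cache rules that ignore client revalidation directives and normalize query strings.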

In general, CDNs are time-limited with regard to data storage, which means that cached pages can potentially be lost, making it all the more difficult to create an accurate replica of the site for an attack scenario.

3. All your content is securely served by the CDN

CDNs can successfully cache static resources such as images, videos, audio clips, CSS files and JavaScript. Unfortunately, dynamically generated, rapidly changing pages as well as personalized pages cannot be cached and are delivered from the origin server. Therefore, dynamic web content is fully exposed to advanced DDoS attacks. In a broader perspective, any private or dynamic content is at risk when using a CDN.

Conclusion

I love CDNs – some of my best friends are using them and enjoying their benefits. However, I have found that CDN users mistakenly feel fully protected. Security admins should be aware that using a CDN does not replace a proper, multi-layered website security solution.

 
