Content Delivery Networks: At Best a Stopgap Measure

December 8, 2014

My first car was a 1983 Mercury Lynx. It was basically a rebadged Ford Escort. Although you had to turn the AC off in order to get the car to move, it served me well overall. I did have some issues, but that is to be expected since the car was 7 years old when I first took ownership. One time I was driving home when the car started overheating. It was due to a leak in one of the rubber hoses that fed coolant to the radiator. I noticed it when steam started rising from underneath the hood (the check engine light was always on in that car so it wasn’t a key indicator for me).

I pulled the car into the nearest gas station, and found that there was no coolant left. It had all leaked out. I was about 10 miles away from home, so I waited 30 minutes, filled the coolant chamber with water, and slowly made my way home. My Dad and I replaced the hose and added the coolant. Problem solved.

I was reminded of this situation when someone recently asked me a question about Content Delivery/Distribution Networks (CDNs). Their question was, “Doesn’t a CDN protect against DDoS attacks?”

It’s a good question. A CDN, based on its design, will allow some DDoS attacks to be absorbed without blocking access to web content and applications. But there are two things to point out:

  1. CDNs have a unique use case: CDNs were designed to provide localized availability of web content to the end user. They were used to ensure that access to this content was fast and always available. They were not designed as a security solution, and most certainly not designed to protect against DDoS attacks, especially Layer 7 and advanced threat attacks;
  2. CDNs offer no value for security: Although a CDN can fortuitously absorb volumetric attacks, it is not a security solution. It does not offer advanced protection capabilities, or provide active intelligence to define and understand the attack, let alone learn from it. A CDN does not take into consideration that the DDoS attack is oftentimes just a smokescreen for a much larger threat that could migrate its way to your network.

A content delivery/distribution network is not a solution to DDoS attacks. Nor was filling up my coolant chamber with water. Although adding water provided me the capability to get my car home safely, it was a stop-gap measure. CDNs are similar in that they can provide some protection from a DDoS attack, but they are not a defense strategy. A CDN may prevent certain types of attacks from denying access to services, but it does not protect against all DDoS attack types, nor does it prevent future attacks.

Relying on a CDN to protect you from a DDoS attack is an awfully risky defense. You should consider a multi-layered and integrated approach to DDoS protection. If not, you may find yourself stranded on the “side of the road.”

