Ways to protect your CDN origin server

As a serious web-site developer, you can’t afford downtime: pages and services should be available 24/7/365. That means that you should always be on the guard and ready to prevent DDoS attacks and other attempts to disrupt your site.

The most common type of attacks involves sending too many external requests to the machine so that it could not respond to the legitimate requests, or worked too slowly and was almost unavailable for a usual visitor.

CDN (Content Delivery Network) helps to prevent DDoS attacks. CDN network consists of numerous high-capacity servers that balance load and handle much more traffic than a single hosting server. Besides, CDN services include special DDoS protection and well experienced staff who can handle it. However, every CDN solution stands behind user’s own server that is typically called CDN origin. It is used to upload content and deliver it to edge servers. If the attackers manage to get the origin server, they may destroy the functionality of the entire CDN network. As the result, content would not be loaded anymore, and your end-users won’t be able to get it: the site is broken.

There are three options for protection of CDN origin server, and they base upon one simple idea: you need to allow and receive requests coming from CDN only. All other external requests should be prevented.

Limitation of IP rate

IP rate limiting allows getting only some certain amount of requests from an IP address within a stated period. However, this may not work with CDN service, because content delivery network has a lot of valid requests from a few IP addresses, and all of them should go through.

Whitelisting

Consider whitelisting CDN: theoretically, it may work. IP addresses or some unique identifiers can be included in a request header. This option is helpful, but difficult. The thing is that when whitelisting IP addresses, you should take into consideration IPs of all CDN edge servers that may need the access to the origin. This may lead to failures. Some CDN companies will not give you the list of server IPs, but even if they share this information, there is always risk that some addresses are missing. If a new IP address is added, they may simply forget to tell you.

Try whitelisting a unique identifier in a request header. In this case, CDN servers will include some unique info in the requests sent to the origin. This info can be used on the origin to identify CDN and let the requests pass. You can ask your CDN provider about such possibility. This method is wise, but not 100% reliable. Request headers can be specified by hackers. If an attacker know what CDN service you use, he may be aware of CDN identifications and may easily use spoof them.

A complicated origin hostname

This is a simple and yet effective solution. Create a random set of numbers and use them as the subdomain (for instance, 4926ostnla82850.site.com). Only CDN network, owner of the origin server and its DNS provider will know this hostname. The chance that it may leak or can be guessed is pretty low. Whitelist the requests with such hostname in the host header, and you will be safe and sound.