Ways to protect your CDN origin server

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)

As a serious web-site developer, you can’t afford downtime: pages and services should be available 24/7/365. That means that you should always be on the guard and ready to prevent DDoS attacks and other attempts to disrupt your site.

The most common type of attacks involves sending too many external requests to the machine so that it could not respond to the legitimate requests, or worked too slowly and was almost unavailable for a usual visitor.

CDN (Content Delivery Network) helps to prevent DDoS attacks. CDN network consists of numerous high-capacity servers that balance load and handle much more traffic than a single hosting server. Besides, CDN services include special DDoS protection and well experienced staff who can handle it. However, every CDN solution stands behind user’s own server that is typically called CDN origin. It is used to upload content and deliver it to edge servers. If the attackers manage to get the origin server, they may destroy the functionality of the entire CDN network. As the result, content would not be loaded anymore, and your end-users won’t be able to get it: the site is broken.

There are three options for protection of CDN origin server, and they base upon one simple idea: you need to allow and receive requests coming from CDN only. All other external requests should be prevented.

Limitation of IP rate

IP rate limiting allows getting only some certain amount of requests from an IP address within a stated period. However, this may not work with CDN service, because content delivery network has a lot of valid requests from a few IP addresses, and all of them should go through.


Consider whitelisting CDN: theoretically, it may work. IP addresses or some unique identifiers can be included in a request header. This option is helpful, but difficult. The thing is that when whitelisting IP addresses, you should take into consideration IPs of all CDN edge servers that may need the access to the origin. This may lead to failures. Some CDN companies will not give you the list of server IPs, but even if they share this information, there is always risk that some addresses are missing. If a new IP address is added, they may simply forget to tell you.

Try whitelisting a unique identifier in a request header. In this case, CDN servers will include some unique info in the requests sent to the origin. This info can be used on the origin to identify CDN and let the requests pass. You can ask your CDN provider about such possibility. This method is wise, but not 100% reliable. Request headers can be specified by hackers. If an attacker know what CDN service you use, he may be aware of CDN identifications and may easily use spoof them.

A complicated origin hostname

This is a simple and yet effective solution. Create a random set of numbers and use them as the subdomain (for instance, 4926ostnla82850.site.com). Only CDN network, owner of the origin server and its DNS provider will know this hostname. The chance that it may leak or can be guessed is pretty low. Whitelist the requests with such hostname in the host header, and you will be safe and sound.

Vadim Kolchev

52 publications

Vadim has graduated from Moscow Institute of Entrepreneurship and Law as finance and credit specialist. Prior to starting to work in hosting business directly, he occupied various roles in several companies, including but not limited to banking sphere and sports. As of 2015 he works for INXY Holding, with SpaceCDN being a vital part of the hosting branch of its business. Being tech enthusiast, he has started writing articles about dedicated servers, CDN, storage solutions and other hosting services long ago, and since then accumulated a lot of experience and knowledge in the field. Building hosting sales and support departments from scratch has added even more experience and knowledge and allowed to see the business from the inside and build required expertise. Now Vadim is CPO and COO of a successful hosting business. Having several important interviews and publications at platforms such as Hosting Journalist and Forbes, he continues to share knowledge about this branch of technology that has become not only his job but also a passion.

Learn more about us
in social networks