Protecting a Content Delivery Network (CDN) from Cyber Attacks
A Content Delivery Network (CDN) is a system of distributed servers and nodes that delivers web content to a user based on the user's geographical location, the origin of the web page and the content delivery service. The purpose of the CDN is to avoid the bottlenecks that would occur if every user tried to fetch content from one central location: the CDN replicates content and redirects requests so that it is available to many users at once. This improves the user experience across geographical locations (not just for users who are physically closest to the server holding the original content) and eases the load on network infrastructure.
CDN servers and nodes are usually deployed in multiple locations, often across multiple backbones, and generate huge amounts of network traffic. The network topology of a CDN is set up this way to reduce bandwidth costs, improve page load times and increase the global availability of content. The number of nodes and servers making up a CDN varies with the architecture; large deployments can consist of thousands of nodes and tens of thousands of servers at many remote points of presence (PoPs).
As with any network in today's world of always-on, available-anywhere streaming services and IoT, CDNs are susceptible to cyber-attacks. A CDN provider's reputation lives and dies on maintaining the user experience; slow load times and diminished application performance are the worst case for brand reputation, especially in an age of social media where network problems can go viral within minutes of an issue occurring.
The dominant type of attack facing a CDN is the Distributed Denial of Service (DDoS) attack, which can take the form of Dynamic Content, SSL-based or Direct IP attacks. A Dynamic Content attack takes advantage of the way dynamic content requests are processed. Because requests for dynamic content cannot be served from cache, they are forwarded to the origin server; attackers exploit this by generating request traffic whose HTTP GET requests carry random parameters, so that the CDN servers treat every request as new and immediately pass it to the origin, expecting the origin server to handle it. In many cases the origin servers do not have the capacity to handle all those attack requests, blocking the request pathway for legitimate users and creating a DoS.
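As an added illustration (not from the original article), the following Python script looks for the cache-busting pattern just described in CDN edge access logs: a client sending many requests to the same path with a different query string each time, nearly all of which miss cache and fall through to the origin. The log line format, the client addresses and the thresholds are constructed for the example and are not any provider's real log schema or tuning.

```python
"""Flag clients that bust the CDN cache with randomised query parameters."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log lines (hypothetical format: client method url cache_status).
# 203.0.113.10 hammers one path with a fresh "cb" value each time; the others browse normally.
SAMPLE_LOG = """\
203.0.113.10 GET /api/search?q=shoes&cb=83aa1 MISS
203.0.113.10 GET /api/search?q=shoes&cb=91bc2 MISS
203.0.113.10 GET /api/search?q=shoes&cb=00f3d MISS
203.0.113.10 GET /api/search?q=shoes&cb=7e2a9 MISS
203.0.113.10 GET /api/search?q=shoes&cb=c41b0 MISS
203.0.113.10 GET /api/search?q=shoes&cb=5d77e MISS
198.51.100.7 GET /api/search?q=shoes MISS
198.51.100.7 GET /api/search?q=shoes HIT
198.51.100.7 GET /api/search?q=boots MISS
198.51.100.7 GET /static/app.js HIT
192.0.2.55 GET /api/search?q=hat HIT
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<cache>HIT|MISS|BYPASS)$"
)


def parse_log(text):
    """Yield (client, path, query, cache_status) tuples; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        yield m.group("client"), parts.path, parts.query, m.group("cache")


def find_cache_busters(text, min_requests=5, unique_ratio=0.8, miss_ratio=0.8):
    """Return {client: {path: stats}} for clients whose requests to a single path
    use an unusually high share of distinct query strings and mostly miss cache.

    The thresholds are assumed starting points; tune them per site so that
    legitimate search or API traffic does not trip the detector.
    """
    stats = defaultdict(
        lambda: defaultdict(lambda: {"requests": 0, "queries": set(), "misses": 0})
    )
    for client, path, query, cache in parse_log(text):
        s = stats[client][path]
        s["requests"] += 1
        s["queries"].add(query)
        if cache != "HIT":  # MISS and BYPASS both reach the origin
            s["misses"] += 1

    flagged = {}
    for client, paths in stats.items():
        for path, s in paths.items():
            n = s["requests"]
            if n < min_requests:
                continue
            uniq = len(s["queries"]) / n
            miss = s["misses"] / n
            if uniq >= unique_ratio and miss >= miss_ratio:
                flagged.setdefault(client, {})[path] = {
                    "requests": n,
                    "unique_query_ratio": round(uniq, 2),
                    "miss_ratio": round(miss, 2),
                }
    return flagged


if __name__ == "__main__":
    for client, paths in find_cache_busters(SAMPLE_LOG).items():
        for path, s in paths.items():
            print(f"{client} -> {path}: {s}")
```

The detector keys on the combination of the two signals, not either alone: a popular search endpoint naturally has many distinct queries but a healthy hit ratio, while a cold cache produces misses without the per-client query churn. Flagged clients are candidates for rate limiting at the edge so that the origin never sees the traffic.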
SSL-based DDoS attacks seek to target secured online services of a potential victim. This type of attack is easy to launch and difficult to mitigate, meaning a SOC team will see them often in their networks. In order to detect and mitigate DDoS SSL attacks, CDN servers must first decrypt the traffic using their customer’s SSL keys. If the customer is not willing to provide the SSL keys to its CDN provider, then the SSL attack traffic is redirected to the customer’s origin, leaving the customer vulnerable to SSL attacks. SSL attacks that hit the customer’s origin server can easily take down the secured online service.
A Direct IP attack targets applications that are serviced by a CDN by attacking the IP address of the web servers at the customer's origin. This is often a network-based flood such as a UDP or ICMP flood that is not routed through the CDN at all and hits the customer's origin servers directly. Volumetric network attacks can saturate the internet pipe, taking down all of the origin's applications and online services, including the ones that are served by the CDN. Misconfigured "shielding" in the data centre, where the origin accepts traffic from any source rather than only from the CDN, often leaves applications directly exposed to this kind of attack.
Large-scale CDN operators offer DDoS mitigation and prevention as a service, ensuring the delivery of their customers' content. So how are they able to detect this type of attack and others? When researching a cyber security strategy in this space, real-time flow monitoring for total network visibility is once again key to understanding traffic patterns, spotting anomalies and blocking threats in your network. Another factor to consider is alert fatigue: system analysts can become overwhelmed by irrelevant alerts, and relevance can only be determined with analysis tools that calculate the severity of an attack and then group traffic into silos, either to be kept for further analysis or to be dropped (video traffic, for example: lots of it, but generally safe).
A flow record, whether the analysis looks at the header information or at the number of packets arriving at a server or node, can provide a treasure trove of information for system analysts. Analysing this detail in real time and at carrier scale is difficult, but companies like Telesoft have made it their business to do so by providing scalable security monitoring and network behavioural analysis. Contact us to find out how our solutions can fit into your cyber security strategy.
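As an added example that is not part of the original article, the flow-record triage described in the three paragraphs above, written in Python: each flow is classified by whether it came from a CDN edge or reached the origin directly, direct UDP/ICMP floods are raised as critical, low-volume direct hits are kept for review as a possible shielding gap, and bulk video traffic is siloed rather than alerted on. The CDN edge ranges, origin address, video port list and flood threshold are assumed values for the example (RFC 5737 documentation prefixes), not any provider's or customer's real data.

```python
"""Triage flow records for CDN-bypassing 'Direct IP' traffic at the origin."""
import ipaddress
from collections import defaultdict

# Assumed values for the example, not real provider ranges or a real origin.
CDN_EDGE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
ORIGIN_HOSTS = {ipaddress.ip_address("192.0.2.10")}
VIDEO_PORTS = {1935, 8080}  # constructed: ports the operator treats as streaming

# Constructed flow records shaped like a NetFlow/IPFIX summary:
# (src, dst, proto, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.5", "192.0.2.10", "tcp", 443, 120, 90_000),          # edge fetching from origin
    ("198.51.100.9", "192.0.2.10", "tcp", 443, 80, 60_000),           # edge fetching from origin
    ("203.0.113.20", "192.0.2.10", "udp", 53, 400_000, 500_000_000),  # UDP flood straight at origin
    ("203.0.113.21", "192.0.2.10", "icmp", 0, 250_000, 21_000_000),   # ICMP flood straight at origin
    ("203.0.113.22", "192.0.2.10", "tcp", 443, 30, 4_000),            # direct hit, low volume
    ("203.0.113.30", "192.0.2.20", "udp", 1935, 900_000, 1_200_000_000),  # bulk video to another host
]


def is_cdn_edge(src):
    """True when the source address belongs to one of the CDN's edge ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CDN_EDGE_RANGES)


def classify_flow(flow):
    """Return the silo a flow belongs to: video, other, cdn_fetch or direct_origin."""
    src, dst, proto, dport, _, _ = flow
    if proto == "udp" and dport in VIDEO_PORTS:
        return "video"
    if ipaddress.ip_address(dst) not in ORIGIN_HOSTS:
        return "other"
    return "cdn_fetch" if is_cdn_edge(src) else "direct_origin"


def triage(flows, flood_packets=100_000):
    """Group flows into silos and split direct-origin flows by severity.

    flood_packets is an assumed threshold on packets seen within one flow
    export interval; tune it to the origin's real capacity.
    """
    silos = defaultdict(list)
    for flow in flows:
        kind = classify_flow(flow)
        if kind != "direct_origin":
            silos[kind].append(flow)
            continue
        _, _, proto, _, packets, _ = flow
        if proto in ("udp", "icmp") and packets >= flood_packets:
            silos["critical"].append(flow)  # network flood that never touched the CDN
        else:
            silos["review"].append(flow)    # direct hit, low volume: check the shielding ACL
    return dict(silos)


def shielding_gaps(flows):
    """Sorted list of non-CDN sources that reached the origin at all.

    With shielding configured correctly this list should be empty; every
    entry is a source the origin should never have seen directly.
    """
    return sorted({f[0] for f in flows if classify_flow(f) == "direct_origin"})


if __name__ == "__main__":
    for silo, members in triage(SAMPLE_FLOWS).items():
        print(f"{silo}: {len(members)} flow(s)")
    print("non-CDN sources seen at origin:", shielding_gaps(SAMPLE_FLOWS))
```

The `critical` silo is what an analyst should see first; the `review` silo is small but still important, because any non-CDN source reaching the origin means the data-centre shielding is letting traffic around the CDN, and a low-volume probe today can be a flood tomorrow. The `video` silo is dropped from alerting but retained so the traffic can still be accounted for.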