Check out all of our upcoming events


Latest cybersecurity news, insights and commentary by Telesoft engineers and specialists

Protecting a Content Delivery Network (CDN) from Cyber Attacks

Written by Sarah Chandley on Thursday, 22 November 2018. Posted in Cyber

A Content Delivery Network or CDN is a system of distributed servers and nodes that delivers web content to a user, based on the geographical location of the user, the origin of the webpage and the content delivery service. The purpose of the CDN is to avoid bottle necks that would occur if every user tried to access content from one central location, the CDN replicates and redirects content so it is available to many users all at once. Ultimately improving user experience across multiple geographical locations (i.e. not just to those users who are physically closest to the server with the original content) and easing pressure on network infrastructure resources.

CDN servers and nodes are usually deployed in multiple locations, often over multiple backbones, generating huge amounts of network traffic. The network topology of a CDN is set up this way to reduce bandwidth costs, improve page load times and increase global availability of content. The number of nodes and servers making up a CDN varies, depending on the architecture, large deployments could be made up of thousands of nodes with ten thousands of servers on many remote points of presence (PoPs).

As with any network in today’s world of always on, available anywhere streaming services and IoT, CDN’s are susceptible to cyber-attacks. A CDN providers reputation lives and dies on maintaining user experience; slow load times and diminished application performance is the absolute worst case scenario in terms of brand reputation, especially in an age of social media where network problems can go viral within minutes of an issue occurring.

The dominant type of attack facing a CDN is the Distributed Denial of Service (DDoS) attack, which could range from Dynamic Content, SSL- based to Direct IP Attacks. A Dynamic Content attack for instance occurs when hackers take advantage of the dynamic content requests process. Requests for dynamic content are sent to the origin server, attackers hijack this function and generate attack traffic that contains random parameters in the HTTP GET requests because CDN servers immediately redirect this attack traffic to the origin, expecting the origin’s server to handle the requests. But, in many cases, the origin’s servers do not have the capacity to handle all those attack requests, blocking the request pathway to legitimate users, creating a DoS.

SSL-based DDoS attacks seek to target secured online services of a potential victim. This type of attack is easy to launch and difficult to mitigate, meaning a SOC team will see them often in their networks. In order to detect and mitigate DDoS SSL attacks, CDN servers must first decrypt the traffic using their customer’s SSL keys. If the customer is not willing to provide the SSL keys to its CDN provider, then the SSL attack traffic is redirected to the customer’s origin, leaving the customer vulnerable to SSL attacks. SSL attacks that hit the customer’s origin server can easily take down the secured online service. 

A Direct IP attack targets applications that are serviced by a CDN, by launching an attack on the IP address of the web servers at the customers origin. This is often a network based flood attack such as an UDP or ICMP flood that will not be routed through CDN services, directly hitting the servers of it’s customer at the origin. Volumetric network attacks can saturate the internet pipe, resulting in taking down of all the applications and the online services of the origin, including the ones that are served by the CDN. Often misconfiguration of “shielding” in the data centre can leave applications directly vulnerable to attack.

Large scale CDN operators offer DDoS mitigation and prevention as a service, thus ensuring the delivery of their customer’s content. So, how are they able to detect this type of attack and others? When researching a cyber security strategy in this space, real time flow monitoring for total network visibility is once again key to understanding traffic patterns, spotting anomalies and blocking threats in your network. Another factor to consider is alert fatigue, system analysts can become overwhelmed by irrelevant alerts, however you can only determine relevancy if you have the right analysis tools that can calculate the severity of the attack and then group in to silos to either be kept for further analysis or dropped i.e. video traffic for example (lots of it but generally safe).

A flow record, whether analysing the header information or the amount of packets arriving at a server or node can provide a treasure trove of information for System Analysts. However, analysing this detail in real-time and at carrier scale is difficult but companies like Telesoft have made it their business to do this by providing scalable security monitoring and network behavioural analysis, contact to us to find out how our solutions can build in to your cyber security strategy.

About the Author

Sarah Chandley

Sarah Chandley

Sarah is an experienced B2B technology marketing professional, creating content for the Cyber Security, Telco and Government Infrastructure sectors. 

Information cookies

Cookies are short reports that are sent and stored on the hard drive of the user's computer through your browser when it connects to a web. Cookies can be used to collect and store user data while connected to provide you the requested services and sometimes tend not to keep. Cookies can be themselves or others.

There are several types of cookies:

  • Technical cookies that facilitate user navigation and use of the various options or services offered by the web as identify the session, allow access to certain areas, facilitate orders, purchases, filling out forms, registration, security, facilitating functionalities (videos, social networks, etc..).
  • Customization cookies that allow users to access services according to their preferences (language, browser, configuration, etc..).
  • Analytical cookies which allow anonymous analysis of the behavior of web users and allow to measure user activity and develop navigation profiles in order to improve the websites.

So when you access our website, in compliance with Article 22 of Law 34/2002 of the Information Society Services, in the analytical cookies treatment, we have requested your consent to their use. All of this is to improve our services. We use Google Analytics to collect anonymous statistical information such as the number of visitors to our site. Cookies added by Google Analytics are governed by the privacy policies of Google Analytics. If you want you can disable cookies from Google Analytics.

However, please note that you can enable or disable cookies by following the instructions of your browser.