Expert Blog: CDN and DDoS: Do Not Put All the Eggs in the Same Basket

Jouni Viinikka and Frédéric Coiffier

– Expert Blog by Jouni Viinikka and Frédéric Coiffier, working at 6cure –

Content delivery networks (CDNs) have been designed to optimize performance in the distribution of content on the Internet and to optimize bandwidth costs for the content producer in order to meet the growing demands and the rapidly increasing volume of data to be provided. We often hear the argument that protection against DDoS attacks provided by a CDN is THE solution to protect against: let’s see what this argument is based on.

How A CDN Works

In simple terms, a CDN consists of a set of interconnected servers, widely distributed geographically and logically within the Internet network. The CDN uses these distributed servers to hide content from their clients and distribute it to their users. A clever use of routing makes it possible to rely on the ‘caches’ closest to each client, allowing faster delivery of content, and thus avoiding consuming resources – including bandwidth – of the origin server hosting the original content. When a client first requests a resource – an image or a web page – the CDN must search for that content from the origin server to serve the client. However, from that point on, the resource remains ‘cached’ and is distributed within the CDN to serve any new request, by any client, from these caches.

CDNs typically cache static content, which does not change, such as images on a website. However, CDNs cannot or are more limited in their ability to hide dynamic content, such as stock and order information from a sales site. Dynamic content is typically hosted by the original site. The originating site is therefore solicited, not by its users, but by the CDN, on the one hand for static content that has not yet been hidden, and on the other hand for dynamic content, which cannot be hidden.

CDN and Protection Against DDoS Attacks

By its nature, the CDN has mechanisms that can be useful in dealing with distributed denial of service (DDoS) attacks. For example, a CDN often has significant resources in terms of network and server capacity, often allowing it to simply absorb a greater number of requests than the origin server. Furthermore, by using the same distribution and routing mechanisms that allow it to distribute the load of users, distributed attacks will no longer be directed at a single target, but at a distributed target based on the location of each attack source.

The Devil is in the Details

On the other hand, despite these useful layers of protection, the very operation of a CDN can open up new attack vectors or make the defense of the origin server more

difficult. For example, if an attack, using a botnet, requests a web site for non-existent, and therefore uncached resources, it can cause the CDN to repeatedly request the origin server for these resources and cause a denial of service condition for the origin server. In addition, the attack seen by the origin server is no longer distributed, but coming from the CDN! In this situation it can be difficult for the origin server to protect itself because the CDN is both the origin of the attack and the legitimate requests: Simple approaches relying on source blacklisting at the origin server level can no longer be used in this case.

On the other hand, it should not be forgotten that the protections provided by the CDN only cover hidden content. The origin server, as well as more generally, the company to which the site belongs, will probably need functional connectivity. Beyond the origin server, which must be able to provide the dynamic, unhidden content for the CDN, the service may need to interact with other sites, the company may need to be able to send and receive emails, its teams may need to access Voice over IP services or connect to the Internet in general to access cloud services. All this requires that on-site services or at least the company’s Internet access, which cannot be protected by a CDN, continue to operate.

In addition, depending on the CDN, the protections provided may be limited to volumetric-type protections, while more sophisticated application attacks may traverse the CDN and reach the origin site. All in all, the situation is often much more complex than initially imagined.


Firstly, it is important to have a good understanding of how not just your website but your entire business works and to conduct a risk analysis to identify the various threats.

Then, depending on the risks implying the availability and/or quality of service of communications, network services and/or applications, it may be useful to rely on protection functionalities provided by its CDN – potentially more capable for large volume attacks – or to use more ‘On-Premise’ type protections, potentially more precise and capable for application attacks. Often, optimal protection involves a hybrid protection, combining the accuracy and speed of an On-Premise solution with sufficiently high volumetric capabilities offered by a mitigation service provider. In some cases, the CDN may be a suitable component, in other cases you will need a large volumetric protection capacity that can also protect your local site.

About the authors and 6cure

6cure offers solutions to react to computer attacks, particularly adapted to distributed denial of service (DDoS). They enable real-time detection and neutralization of the majority of such malicious attacks targeting the availability of critical services.

Jouni Viinikka is R&D Director and co-founder of 6cure. Frédéric Coiffier is Software Development Engineer at 6cure.

To learn more about 6cure, visit: