Currently, CDN security is far from enough

Today, many businesses realize that DDoS defense is critical to maintaining an exceptional customer experience. Why? Because cyberattacks affect loading time or end-user experience far more than any other factor, and they are silent killers of application performance.

As a distributor of highly available and high-performance content to end users, CDNs are key to the customer experience. However, new vulnerabilities in CDN networks have also made many people wonder whether CDNs themselves are vulnerable to various attacks, such as loop attacks.

So what types of attacks are CDNs vulnerable to? Here are five major threats that can compromise CDNs and that businesses must guard against.

Blind spot 1: Dynamic content attacks

Attackers have learned that a major blind spot in CDN services is the processing of dynamic content requests. Since dynamic content is not stored on the CDN server, all dynamic content requests are sent to the origin server. Attackers can take advantage of this behavior and generate attack traffic containing random parameters in HTTP GET requests. The CDN server immediately forwards this attack traffic to the origin server for request processing. In many cases, however, the origin server cannot handle all of the attack requests and can no longer serve legitimate users, so a denial of service occurs.

Many CDNs have the ability to limit the number of dynamic requests sent to a server under attack. However, they cannot distinguish between attackers and legitimate users, so rate limiting will also block legitimate users.
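The per-client distinction that a blanket rate limit lacks can be sketched as detection logic over CDN edge logs. This is an added example, not code from the original article; the record layout, thresholds and function names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample records: (client_ip, request_target, cache_status).
# 203.0.113.7 appends random parameters; the other clients browse normally.
SAMPLE_LOG = (
    [("203.0.113.7", f"/product?id=42&{k}={v}", "MISS")
     for k, v in [("a9f", "1x"), ("q7z", "88"), ("zz1", "p0"),
                  ("k3k", "7d"), ("m0n", "e2"), ("r5t", "9c")]]
    + [("198.51.100.20", "/product?id=42", "MISS"),
       ("198.51.100.20", "/product?id=42", "HIT"),
       ("198.51.100.20", "/product?id=43", "MISS"),
       ("198.51.100.31", "/search?q=shoes&page=1", "MISS"),
       ("198.51.100.31", "/search?q=shoes&page=2", "MISS"),
       ("198.51.100.31", "/product?id=42", "HIT")]
)

def known_params(records, min_clients=2):
    """(path, parameter name) pairs used by at least min_clients clients.
    Assumption: in production this would be the application's own allow-list."""
    seen = defaultdict(set)
    for ip, target, _status in records:
        url = urlsplit(target)
        for name, _value in parse_qsl(url.query, keep_blank_values=True):
            seen[(url.path, name)].add(ip)
    return {key for key, ips in seen.items() if len(ips) >= min_clients}

def cache_busting_clients(records, min_misses=5, min_unknown_ratio=0.8):
    """Flag clients whose origin-bound (cache MISS) requests mostly carry
    parameter names that no other client sends. Returns
    {client_ip: (requests_with_unknown_params, total_misses)}."""
    known = known_params(records)
    misses, unknown = defaultdict(int), defaultdict(int)
    for ip, target, status in records:
        if status != "MISS":          # only requests that reach the origin matter
            continue
        url = urlsplit(target)
        names = [n for n, _ in parse_qsl(url.query, keep_blank_values=True)]
        misses[ip] += 1
        if any((url.path, n) not in known for n in names):
            unknown[ip] += 1
    return {ip: (unknown[ip], misses[ip]) for ip in misses
            if misses[ip] >= min_misses
            and unknown[ip] / misses[ip] >= min_unknown_ratio}

if __name__ == "__main__":
    print(cache_busting_clients(SAMPLE_LOG))
```

A limit applied only to the flagged client leaves the two normal clients untouched, whereas a per-path limit on `/product` would throttle all three.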

Blind spot 2: SSL-based attacks

SSL-based DDoS attacks target secure online services. These attacks are easy to launch but difficult to mitigate, making them a favorite of attackers. In order to detect and mitigate SSL DDoS attacks, CDN servers must first decrypt the traffic using the customer's SSL key. If the customer is unwilling to provide the CDN provider with the SSL key, the SSL attack traffic is forwarded to the customer's origin server, leaving the customer vulnerable to SSL attacks. An SSL attack that hits the customer's origin server can easily bring down a secure online service.

In DDoS attacks involving WAF technology, CDN networks also have a significant disadvantage in terms of scalable performance of SSL connections per second and may experience serious latency issues.

PCI and other security compliance requirements are also an issue, sometimes limiting a data center's ability to serve customers, as not all CDNs have PCI compliance across all data centers. This can again increase latency and cause audit issues.

Blind spot 3: Attacks on non-CDN services

CDN services are typically only provided to HTTP/S and DNS applications. Other online services and applications in customer data centers, such as VoIP, email, FTP, and proprietary protocols, are not served by CDNs, so traffic to these applications is not sent through CDNs. In addition, many web applications are not served by CDNs. Attackers take advantage of this blind spot to launch attacks against applications that do not pass through CDNs, using large-scale attacks on customer origin servers that can clog the customer's Internet pipe. Once the Internet pipe is blocked, all applications in the customer's origin server are unavailable to legitimate users, including applications served by CDNs.

Blind spot 4: Direct IP attacks

Once an attacker launches a direct attack against the IP address of a customer's origin web server, even applications served by CDNs will be attacked. These attacks may be network floods such as UDP floods or ICMP floods that are not transmitted through the CDN service and will directly hit the customer's origin server. Such large-volume network attacks can clog the Internet pipe and shut down all applications and online services in the origin server, including those served by CDNs. Often, misconfiguration of data center "protection" can make applications directly vulnerable to attacks.
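A practical check for this blind spot is to measure how much traffic reaches the origin without passing through the CDN. This is an added example, not code from the original article; the CDN egress ranges (documentation prefixes standing in for a provider's published list), the flow record layout and the function names are assumptions, and the sample flows are constructed.

```python
import ipaddress
from collections import Counter

# Assumed CDN egress ranges: documentation prefixes used as stand-ins.
CDN_RANGES = [ipaddress.ip_network(n)
              for n in ("198.51.100.0/24", "2001:db8:cd::/48")]

# Constructed flow records at the origin's edge: (src_ip, protocol, dst_port, bytes).
SAMPLE_FLOWS = [
    ("198.51.100.14", "tcp", 443, 120_000),
    ("198.51.100.77", "tcp", 443, 95_000),
    ("2001:db8:cd::9", "tcp", 443, 40_000),
    ("203.0.113.50", "udp", 53, 900_000),    # UDP never arrives via the CDN
    ("203.0.113.51", "icmp", 0, 450_000),    # neither does ICMP
    ("203.0.113.52", "tcp", 443, 30_000),    # HTTPS sent straight to the origin IP
]

def via_cdn(src, proto, port, allowed_ports=(80, 443)):
    """True only for web traffic whose source lies inside a CDN egress range."""
    addr = ipaddress.ip_address(src)
    return (proto == "tcp" and port in allowed_ports
            and any(addr in net for net in CDN_RANGES))

def direct_to_origin(flows):
    """Summarise bytes that reached the origin without passing through the CDN."""
    by_proto, sources, total = Counter(), set(), 0
    for src, proto, port, size in flows:
        total += size
        if not via_cdn(src, proto, port):
            by_proto[proto] += size
            sources.add(src)
    bypass = sum(by_proto.values())
    return {
        "bypass_bytes": bypass,
        "share": round(bypass / total, 3) if total else 0.0,
        "by_protocol": dict(by_proto),
        "sources": sorted(sources),
    }

if __name__ == "__main__":
    print(direct_to_origin(SAMPLE_FLOWS))
```

Any non-zero TCP entry in `by_protocol` means the origin accepts web traffic from outside the CDN, which is the kind of misconfiguration described above.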

Blind spot 5: Web application attacks

CDN protections against web application threats are limited, exposing customer web applications to data breaches, data theft, and other common web application threats. Most CDN-based web application firewalls also have limited functionality, working with only a basic set of predefined signatures and rules. Many CDN-based WAFs cannot read HTTP parameters and do not create proactive security rules, and therefore fail to protect against zero-day attacks and known threats. For enterprises that provide optimizations for web applications in their WAFs, the cost of achieving this level of protection is also quite high.

In addition to the major blind spots identified above, most CDN security services are not sensitive enough, so it may take hours of manual deployment to cover all network servers with security configurations. These security services use outdated technologies such as rate limiting, which was proven ineffective in the last attack campaign, and lack network text analysis, challenge-response mechanisms, and other functions.
