CDN and DDoS Protection: 3 Layers of Mechanisms to Protect Your Website Security


In 2024, global DDoS attacks increased 46% compared to the previous year, with an attack occurring every 3 minutes on average. For website operators, DDoS protection has shifted from "optional" to "essential." The good news is that modern CDN services include built-in DDoS protection. This article will explore how CDN protects your website from attacks.

Worried about website security? If you're unsure if your current protection is sufficient, you can schedule a security assessment and let us help identify potential risks.


What is a DDoS Attack?

DDoS Definition

DDoS (Distributed Denial of Service) attacks occur when hackers use a large number of controlled computers (botnets) to simultaneously send requests to a target server, making it unable to serve normally.

To learn more about CDN basics, check out our complete guide.

DDoS Attack Types

DDoS attacks can be categorized into three levels:

| Type | OSI Layer | Attack Method | Typical Techniques |
| --- | --- | --- | --- |
| Volumetric | Layer 3/4 | Flood with massive traffic | UDP Flood, ICMP Flood |
| Protocol | Layer 3/4 | Exhaust protocol resources | SYN Flood, Ping of Death |
| Application | Layer 7 | Simulate legitimate requests | HTTP Flood, Slowloris |

Layer 3/4 Attack Characteristics:

  • Massive traffic (can reach several Tbps)
  • Easy to detect (obvious traffic anomalies)
  • Requires large bandwidth to absorb

Layer 7 Attack Characteristics:

  • Lower traffic but harder to defend
  • Mimics normal user behavior
  • Requires intelligent analysis to identify

DDoS Attack Damage

Based on our security incident experience, DDoS attacks can cause:

| Damage Type | Impact |
| --- | --- |
| Service outage | Website inaccessible, user loss |
| Revenue loss | E-commerce can lose hundreds of thousands per hour |
| Brand reputation | Customers lose confidence in service stability |
| Employee stress | Emergency response consumes significant manpower |
| Secondary attacks | DDoS may be a smokescreen for larger attacks |

Why Websites Get Attacked

Common attack motivations include:

  1. Business competition: Disrupting competitor services
  2. Extortion: Demanding payment to stop attacks
  3. Political/social issues: Targeting organizations with specific stances
  4. Practice ground: Hackers testing new tools
  5. Diversion: Covering other intrusion activities

How Does CDN Protect Against DDoS?

A CDN is inherently able to resist DDoS attacks because of its distributed architecture.

Traffic Distribution and Absorption

CDN's first line of defense is distributing attack traffic across global nodes:

Operating Principle:

  1. Attacker launches attack
  2. DNS routes requests to multiple CDN nodes
  3. Each node handles only a portion of traffic
  4. Even if one node is overloaded, others continue functioning

Example: Assuming attack traffic is 100 Gbps:

  • Without CDN: Your server must handle 100 Gbps
  • With CDN (100 nodes): Each node handles only 1 Gbps on average

This is why even a free CDN provides basic DDoS protection.

Intelligent Traffic Scrubbing

Modern CDN analyzes traffic characteristics, identifying and filtering malicious requests:

Scrubbing Mechanisms:

| Technology | Description |
| --- | --- |
| Rate limiting | Limits request frequency from single IP |
| Behavior analysis | Identifies non-human request patterns |
| Reputation system | Scores based on IP history |
| Challenge verification | Requires CAPTCHA or JS Challenge |
| Signature matching | Matches known attack traffic patterns |

Scrubbing Flow:

Attack traffic → CDN edge node → Traffic analysis → Drop malicious traffic
                                        ↓
                                 Legitimate traffic → Origin Server

Edge Node Blocking

CDN blocks attacks at edge nodes, ensuring malicious traffic never reaches your server:

Benefits:

  • Your server IP is hidden
  • Origin Server completely unaffected
  • No bandwidth cost increase
  • Can focus on handling legitimate requests

This is why even free CDN plans provide basic DDoS protection capabilities.

Anycast Network Architecture

Anycast is the key technology for CDN DDoS defense:

BGP Anycast Principle:

  • Multiple CDN nodes share the same IP address
  • Routing automatically directs traffic to nearest node
  • Attack traffic naturally distributes globally

Difference from Traditional Unicast:

| Architecture | Unicast | Anycast |
| --- | --- | --- |
| IP mapping | 1 IP = 1 location | 1 IP = multiple locations |
| Attack impact | Concentrated on single point | Distributed globally |
| Capacity | Single server | Sum of all nodes |
| Redundancy | Requires extra setup | Built-in |

DDoS Protection Capabilities of Major CDNs

Cloudflare DDoS Protection

Cloudflare is currently one of the CDNs with the strongest DDoS protection capabilities.

Free Plan Protection:

  • Complete Layer 3/4 protection
  • Basic Layer 7 protection
  • Unmetered Mitigation (unlimited protection)
  • No attack scrubbing fees

Advanced Protection Features (Paid):

| Feature | Pro | Business | Enterprise |
| --- | --- | --- | --- |
| Advanced WAF | | | |
| Rate Limiting | Limited | Advanced | Custom |
| Bot Management | | | |
| Magic Transit | | | |

Actual Case: In 2023, Cloudflare successfully blocked a 71 million RPS DDoS attack, setting a new record for Layer 7 attack scale.

For the complete Cloudflare setup tutorial, check out our guide.

AWS Shield

AWS's DDoS protection service has two tiers:

Shield Standard (Free):

  • Automatically included with CloudFront
  • Layer 3/4 protection
  • No additional setup required

Shield Advanced ($3,000/month):

  • Layer 7 protection
  • 24/7 DDoS Response Team (DRT)
  • Cost protection (compensation for attack-related extra costs)
  • Real-time attack diagnostics
  • AWS WAF free credits

Shield Advanced is suitable for:

  • Enterprises with extremely high availability requirements
  • Regulated industries (finance, healthcare)
  • Organizations concerned about attack costs

For more on AWS CloudFront setup, check out our guide. For security feature comparisons across CDNs, also see CDN Vendor Complete Comparison.

Akamai Kona Site Defender

Akamai represents enterprise-grade DDoS protection:

Core Features:

  • Over 1,400 Tbps scrubbing capacity
  • Intelligent automated protection
  • Customized protection rules
  • Dedicated security team support

Suitable Scenarios:

  • Large financial institutions
  • Global e-commerce platforms
  • Government agencies
  • Critical infrastructure

Pricing: Enterprise quotes, typically requires annual contract


Other CDN Security Features

Besides DDoS protection, CDN provides multiple security features:

WAF (Web Application Firewall)

WAF protects against application layer attacks:

| Protection Type | Description |
| --- | --- |
| SQL Injection | Prevents database injection attacks |
| XSS | Prevents cross-site scripting attacks |
| RFI/LFI | Prevents file inclusion vulnerabilities |
| RCE | Prevents remote code execution |

WAF Features by CDN:

| CDN | Free WAF | Paid WAF |
| --- | --- | --- |
| Cloudflare | Basic rules | Complete OWASP rules |
| AWS WAF | Separate purchase | Per-rule pricing |
| Akamai | | Kona Site Defender |

Bot Management

Distinguishing good bots from bad bots:

Good Bots:

  • Search engine crawlers (Googlebot)
  • Monitoring services
  • Partner APIs

Bad Bots:

  • Ticket scalping/purchase bots
  • Content scraping crawlers
  • Account cracking tools
  • Inventory probing bots

Protection Mechanisms:

  • JavaScript Challenge
  • CAPTCHA verification
  • Behavior analysis
  • Device fingerprinting

Rate Limiting

Limiting request frequency to prevent resource abuse:

Configuration Examples:

  • Login API: 10 requests/minute/IP
  • Search function: 30 requests/minute/IP
  • General pages: 1000 requests/minute/IP

Handling Exceeded Limits:

  • Return 429 Too Many Requests
  • Trigger CAPTCHA
  • Temporarily block IP
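
The per-route limits and the escalation from 429 to a temporary block, as an added sliding-window sketch (not code from the original article or from any CDN). The path prefixes, the strike threshold, the block duration and the 403 status for blocked clients are assumptions.

```python
import time
from collections import defaultdict, deque

# Requests/minute/IP from the configuration examples; path prefixes are assumed.
LIMITS = {"/api/login": 10, "/search": 30, "/": 1000}


class RateLimiter:
    def __init__(self, limits=LIMITS, window=60.0, strikes_to_block=20,
                 block_seconds=300.0):
        # Longest prefix first so "/api/login" wins over "/".
        self.limits = sorted(limits.items(), key=lambda kv: -len(kv[0]))
        self.window = window
        self.strikes_to_block = strikes_to_block  # assumed escalation threshold
        self.block_seconds = block_seconds        # assumed temporary block length
        self.hits = defaultdict(deque)   # (ip, prefix) -> accepted timestamps
        self.strikes = defaultdict(int)  # ip -> rejections since last block
        self.blocked_until = {}          # ip -> time the block expires

    def check(self, ip, path, now=None):
        """Return the HTTP status the edge should answer with: 200, 429 or 403."""
        now = time.monotonic() if now is None else now
        if self.blocked_until.get(ip, float("-inf")) > now:
            return 403  # temporarily blocked
        prefix, limit = next(((p, n) for p, n in self.limits
                              if path.startswith(p)), self.limits[-1])
        q = self.hits[(ip, prefix)]
        while q and q[0] <= now - self.window:  # drop hits outside the window
            q.popleft()
        if len(q) < limit:
            q.append(now)
            return 200
        self.strikes[ip] += 1
        if self.strikes[ip] >= self.strikes_to_block:
            self.blocked_until[ip] = now + self.block_seconds
            self.strikes[ip] = 0
        return 429  # Too Many Requests
```

Rejected requests are not added to the window, so a client that keeps hammering a limited route accumulates strikes instead of extending its own quota.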

IP Blacklist/Whitelist

Simple but effective access control:

Blacklist Uses:

  • Block known malicious IPs
  • Block attack source countries
  • Block competitor crawlers

Whitelist Uses:

  • Ensure partner access
  • Internal IPs unrestricted
  • Monitoring services not blocked


CDN Security Configuration Best Practices

Essential Security Features to Enable

Based on our experience, the following features should be enabled by default:

| Feature | Importance | Description |
| --- | --- | --- |
| HTTPS | Required | Use Full (Strict) mode |
| DDoS Protection | Required | Confirm auto-enabled |
| Basic WAF | Required | Enable OWASP basic rules |
| Bot Fight Mode | Recommended | Block malicious bots |
| Rate Limiting | Recommended | Protect APIs and login pages |

Security Rule Configuration Recommendations

1. Hide Origin IP

  • All traffic goes through CDN
  • Don't expose real IP anywhere
  • Update CDN settings after changing IP

2. Allow Only CDN IPs to Access Origin

  • Configure firewall to only allow CDN IP ranges
  • Cloudflare IP ranges: https://www.cloudflare.com/ips/
  • AWS CloudFront IP ranges: AWS official documentation

3. Enable Origin Authentication

  • Cloudflare: Use Authenticated Origin Pulls
  • CloudFront: Use Origin Access Control
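
A way to verify recommendation 2 from the origin's own access log, as an added example (not from the original article): any request whose peer address is outside the CDN's ranges reached the origin directly. The CIDR ranges and log lines below are constructed placeholders; load the real ranges from the vendor's published list.

```python
import ipaddress
import re

# Constructed stand-ins (documentation prefixes) for the CDN's published ranges;
# in production load the current list from the vendor's IP-range page.
CDN_RANGES = ["198.51.100.0/24", "2001:db8:100::/48"]

# Constructed origin access-log lines in common log format.
SAMPLE_LOG = """\
198.51.100.17 - - [12/Mar/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 5123
203.0.113.9 - - [12/Mar/2025:10:00:02 +0000] "GET /admin HTTP/1.1" 404 162
2001:db8:100::a - - [12/Mar/2025:10:00:03 +0000] "GET /api/items HTTP/1.1" 200 811
203.0.113.9 - - [12/Mar/2025:10:00:04 +0000] "POST /api/login HTTP/1.1" 200 64
not-an-ip - - [12/Mar/2025:10:00:05 +0000] "GET / HTTP/1.1" 400 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def is_from_cdn(addr, networks):
    """True if addr is inside a CDN network; raises ValueError if addr is invalid."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:a.b.c.d on dual-stack sockets
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in networks)


def direct_hits(log_text, cidrs=CDN_RANGES):
    """Group requests that reached the origin from outside the CDN by source IP."""
    networks = [ipaddress.ip_network(c) for c in cidrs]
    bypass, unparsed = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        try:
            if m is None:
                raise ValueError("unrecognised log line")
            src, method, path, status = m.groups()
            if not is_from_cdn(src, networks):
                bypass.setdefault(src, []).append((method, path, int(status)))
        except ValueError:
            unparsed.append(line)  # never silently count bad lines as CDN traffic
    return bypass, unparsed
```

The first log field must be the TCP peer address recorded by the origin, not a forwarded-for header, which the client controls. With the firewall rule in place, `direct_hits` should return an empty mapping.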

Monitoring and Alert Configuration

Continuous monitoring is the foundation of security:

Monitoring Items:

  • Traffic anomalies (sudden spikes)
  • Error rate increases (4xx, 5xx)
  • Blocked request counts
  • Origin response time

Alert Settings:

  • Traffic exceeds 3x normal
  • Error rate exceeds 1%
  • Blocked requests exceed 1000/minute
  • Origin response time exceeds 5 seconds
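
The four alert settings evaluated over per-minute metrics, as an added example (not from the original article). The metric samples are constructed, and treating "normal" traffic as the median of the last five non-alerting minutes is an assumption.

```python
from statistics import median

# Thresholds from the alert settings above.
TRAFFIC_MULTIPLIER = 3.0      # traffic exceeds 3x normal
MAX_ERROR_RATE = 0.01         # error rate exceeds 1%
MAX_BLOCKED_PER_MIN = 1000    # blocked requests exceed 1000/minute
MAX_ORIGIN_SECONDS = 5.0      # origin response time exceeds 5 seconds
BASELINE_MINUTES = 5          # assumed size of the "normal" window

# Constructed samples: (minute, requests, 4xx+5xx responses, blocked, origin seconds)
SAMPLES = [
    ("10:00", 1200, 6, 40, 0.31),
    ("10:01", 1150, 5, 35, 0.29),
    ("10:02", 1300, 8, 50, 0.33),
    ("10:03", 1250, 7, 45, 0.30),
    ("10:04", 1180, 6, 38, 0.32),
    ("10:05", 4100, 20, 900, 0.80),
    ("10:06", 9500, 310, 6200, 5.60),
    ("10:07", 1220, 30, 60, 0.35),
]


def evaluate(samples, baseline_minutes=BASELINE_MINUTES):
    """Return [(minute, [alert names])] for every minute that trips a threshold."""
    alerts, history = [], []  # history: request counts of non-spike minutes
    for minute, reqs, errors, blocked, origin_s in samples:
        fired = []
        if len(history) >= baseline_minutes:
            baseline = median(history[-baseline_minutes:])
            if reqs > TRAFFIC_MULTIPLIER * baseline:
                fired.append("traffic")
        if reqs and errors / reqs > MAX_ERROR_RATE:
            fired.append("error_rate")
        if blocked > MAX_BLOCKED_PER_MIN:
            fired.append("blocked")
        if origin_s > MAX_ORIGIN_SECONDS:
            fired.append("origin_latency")
        if "traffic" not in fired:
            history.append(reqs)  # keep spike minutes out of the baseline
        if fired:
            alerts.append((minute, fired))
    return alerts
```

Excluding spike minutes from the baseline keeps a sustained flood from redefining "normal" and silencing the traffic alert.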

Attacks CDN Cannot Protect Against

CDN isn't omnipotent—some attack types require additional protection measures.

Application Layer Attacks

Attacks targeting application logic:

| Attack Type | Description | Protection Method |
| --- | --- | --- |
| Business logic attacks | Abusing normal functions | Application layer protection |
| API abuse | Mass legitimate API calls | Rate Limiting |
| Credential stuffing | Trying massive credential combinations | MFA, CAPTCHA |

Attacks Targeting Origin

If attackers know your Origin IP:

Protection Measures:

  1. Change Origin IP
  2. Allow only CDN IP access
  3. Use private network connections (like AWS PrivateLink)
  4. Consider using tunnel technology

Additional Security Measures Needed

Beyond CDN, you may also need:

| Requirement | Solution |
| --- | --- |
| Database protection | Database firewall |
| Internal threats | SIEM system |
| Malware | Endpoint protection |
| Authentication | MFA, SSO |
| Compliance | Security audits |

Response Process During Attacks

Emergency Response Steps

  1. Confirm if it's an attack

    • Check if traffic patterns are abnormal
    • Confirm it's not sudden legitimate traffic (like marketing campaigns)
  2. Activate protection mechanisms

    • Increase CDN security level
    • Enable "Attack Mode" (like Cloudflare Under Attack Mode)
    • Enable additional verification mechanisms
  3. Monitor and adjust

    • Continuously monitor attack traffic changes
    • Adjust rules to reduce false positives
    • Record attack characteristics for future analysis
  4. Notify relevant parties

    • Notify internal team
    • If needed, notify customers
    • Consider whether to report to authorities
  5. Post-incident review

    • Analyze attack source and methods
    • Update protection rules
    • Review response procedures

Prevention is Better Than Cure

Daily Preparation:

  • Regularly test protection mechanisms
  • Maintain response procedure documentation
  • Backup critical configurations
  • Stay in contact with CDN vendors

Conclusion: Building Complete Security Protection

CDN is the first line of defense for modern website security, but shouldn't be the only one. A complete security strategy should include:

CDN Layer (This Article's Focus):

  • DDoS protection
  • WAF
  • Bot management
  • Rate Limiting

To learn how to properly configure these security features, see CDN Settings Optimization Tutorial.

Application Layer:

  • Secure code
  • Input validation
  • Authentication

Infrastructure Layer:

  • Firewall
  • Intrusion detection system
  • Security monitoring

Process Layer:

  • Security training
  • Response plans
  • Regular audits

The cost of security incidents far exceeds prevention costs. Schedule a security assessment and let us help you build complete protection. The CloudInsight team includes security experts who have helped over 30 enterprises build security protection systems.


FAQ

Is free CDN DDoS protection sufficient?

For typical websites, Cloudflare's free DDoS protection is already sufficient. It provides unlimited Layer 3/4/7 protection and has successfully blocked attacks of hundreds of Gbps. But if you need SLA guarantees or dedicated support, consider paid plans.

Will CDN charge me for DDoS attacks?

This depends on the CDN vendor. Cloudflare explicitly promises "Unmetered DDoS Mitigation" and won't charge for attack traffic. AWS CloudFront's Shield Standard is also free, but without Shield Advanced, attack traffic may generate bandwidth fees.

Should I use multiple CDNs to enhance DDoS protection?

Not recommended. Using multiple CDNs increases complexity, and each CDN needs to expose Origin IP, potentially increasing risk. A single reliable CDN with proper Origin protection is sufficient.

Will DDoS attacks affect SEO?

If a website is inaccessible for extended periods due to DDoS attacks, it may affect search engine rankings. But brief interruptions or CDN-returned challenge pages typically don't have significant impact, as search engine crawlers will retry multiple times.

Should I report attacks to police?

If attacks cause significant damage or you suspect targeted attacks, reporting is recommended. In Taiwan, you can report to the Criminal Investigation Bureau or Investigation Bureau. Preserving relevant logs and evidence is important.
