A CDN’s DDoS protection doesn’t stop an attack; it absorbs it, making the attack invisible to your origin.
Let’s see this in action. Imagine a simple Nginx server acting as our origin, serving static files.
server {
listen 80;
server_name example.com;
root /var/www/html;
index index.html;
location / {
try_files $uri $uri/ =404;
}
}
Now, we put a CDN in front of it. The CDN has a global network of edge servers. When a request for example.com arrives, it hits the nearest CDN edge server. If that server is configured for DDoS protection, it first checks the request against a set of rules and rate limits.
If the request looks legitimate, the edge server forwards it to your origin (the Nginx server). If it looks malicious, or if the rate of incoming requests from a single source exceeds a defined threshold, the edge server drops the request. It never even makes it to your Nginx server. The user experiences a slow load or a timeout, but your origin server remains unaffected.
The core problem DDoS protection solves is overwhelming your origin’s capacity. A Distributed Denial of Service attack floods your server with so much traffic that legitimate users can’t get through, or the server crashes entirely. A CDN acts as a buffer, a massive, distributed front line that can handle a volume of traffic far exceeding your origin’s capabilities.
Here’s how it works internally, broadly speaking:
- Traffic Interception: The CDN reroutes your domain’s DNS A/AAAA records to point to the CDN’s IP addresses. All incoming traffic now hits the CDN’s edge network first.
- Request Filtering: At the edge, traffic is inspected. This involves:
- IP Reputation Lists: Checking against known malicious IP addresses.
- Rate Limiting: Setting limits on requests per second from individual IPs or IP ranges.
- Geo-blocking: Blocking traffic from specific countries if your audience is localized.
- HTTP Protocol Validation: Dropping malformed requests that don’t adhere to HTTP standards.
- WAF (Web Application Firewall) Rules: More sophisticated rules that look for attack patterns in request headers and bodies (e.g., SQL injection attempts, cross-site scripting).
- Mitigation: If traffic passes initial checks, it’s forwarded to the origin. If it fails, it’s dropped at the edge. For volumetric attacks (like UDP floods), the CDN’s massive bandwidth absorbs the traffic. For application-layer attacks, the WAF and rate limiting are key.
- Caching: Legitimate, frequently requested content is served directly from the CDN’s cache, reducing load on the origin and improving performance.
The levers you control are primarily within your CDN provider’s dashboard. You’ll typically configure:
- DDoS Protection Level: Often a simple toggle or a few preset levels (e.g., "Basic," "Advanced," "Aggressive").
- Rate Limiting: Specific thresholds for requests per second, often configurable per URL path or HTTP method. For example, you might set
POST /api/loginto a maximum of 10 requests per second from a single IP. - WAF Rules: Enabling pre-defined rule sets (e.g., OWASP Top 10) or creating custom rules based on specific request patterns.
- Geo-blocking: Specifying countries to block or allow.
- IP Blacklists/Whitelists: Manually adding or removing IPs.
- Challenge Mechanisms: For suspected bots, you can configure challenges like CAPTCHAs or JavaScript challenges that the client must solve to proceed.
When a botnet starts hammering your site with millions of requests per second, the CDN’s edge servers, distributed globally and provisioned with immense bandwidth, will absorb the brunt of this traffic. They’ll intelligently drop the malicious packets based on configured rules and rate limits, preventing even a single packet from reaching your origin server. Your origin server continues to serve legitimate users as if nothing is happening.
Most people understand that CDNs cache content. What they often don’t realize is that the same global network infrastructure used for caching is also the primary mechanism for DDoS absorption. The edge servers, capable of serving millions of requests per second for cached content, are also capable of dropping millions of requests per second that are deemed malicious, without impacting the origin. It’s a dual-purpose, massively scaled defense.
The next step is often integrating a more advanced WAF for application-specific attack vectors.