handling DDoS to hosted CDN cache

Töma Gavrichenkov ximaera at gmail.com
Fri Jan 8 00:53:56 UTC 2021


Peace,

On Fri, Jan 8, 2021 at 3:28 AM Yang Yu <yang.yu.list at gmail.com> wrote:
> How often does your hosted CDN cache get DDoS'ed? I am curious how
> these get handled (especially when it would cause upstream/backbone
> congestion). Is this treated differently than DDoS to customers?

I'm assuming you're speaking about IP transit.  (For a datacenter, the
picture wouldn't be the same.)

Yes, it's different in that the malicious traffic would typically be
coming from your customers and you can mitigate it by tracing it back
to the sources (and by blocking the access to the IP from the outside
of your network, except for the outgoing connections), which is a good
thing.

> Any experience to share on working with CDNs to solve these issues?

Mostly to ensure that they only serve your hosted cache's IP to your
customer cone *at most* and to no one else.  (Isn't always the case
though.)

In certain cases (layer 7 attacks, I guess it's not your case) they
can also provide you with the list of IP addresses causing the heavy
load on the caching servers, even if not in real time.

> If the cache provides flowspec feed, how useful would it be?

First, in my experience almost none of them do.

Next, I'm a firm believer in flow spec and automation but even I'd say
it's too dangerous anyway to just take that feed and use it right away
without NOC supervision.  Not only are CDN NOCs not necessarily
experts in DDoS and flow spec, but they may also have, I'd say,
different priorities than your network engineering team does.  As a
threat intelligence source, those might be useful though.

--
Töma
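One way to keep a NOC in the loop on a CDN-supplied flowspec feed, as an added example that is not part of this thread: rules are auto-accepted only if they target the hosted cache's own prefixes with a rate-limit action and a narrow source match; everything else is queued for a human. The feed format, field names, prefixes and thresholds below are assumptions constructed for the example.

```python
import ipaddress

# Constructed assumptions for the example: where the hosted cache lives, and
# a ceiling on how many rules may go in without a human looking.
CACHE_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
MAX_AUTO_RULES = 20
MIN_SRC_PREFIXLEN = {4: 24, 6: 48}  # broader source matches hit whole customer cones


def _inside_cache(net):
    return any(net.version == p.version and net.subnet_of(p) for p in CACHE_PREFIXES)


def classify_rule(rule):
    """Return ("accept", rule) for rules safe to push, else ("review", reason)."""
    try:
        dst = ipaddress.ip_network(rule["dst"], strict=True)
    except (KeyError, ValueError) as exc:
        return "review", f"unparseable dst: {exc}"
    if not _inside_cache(dst):
        return "review", f"dst {dst} is not a hosted-cache address"
    if rule.get("action") != "rate-limit":
        return "review", f"action {rule.get('action')!r} is not auto-applied"
    if "src" in rule:
        try:
            src = ipaddress.ip_network(rule["src"], strict=True)
        except ValueError as exc:
            return "review", f"unparseable src: {exc}"
        if src.prefixlen < MIN_SRC_PREFIXLEN[src.version]:
            return "review", f"src {src} is too broad"
    return "accept", rule


def gate_feed(feed):
    """Split a feed into auto-accepted rules and items queued for the NOC."""
    accepted, review = [], []
    for rule in feed:
        verdict, info = classify_rule(rule)
        (accepted if verdict == "accept" else review).append(info)
    if len(accepted) > MAX_AUTO_RULES:  # a sudden flood of rules is itself suspicious
        review.append(f"{len(accepted)} rules at once; holding all for review")
        accepted = []
    return accepted, review


# Constructed sample feed (not a real CDN format)
SAMPLE_FEED = [
    {"dst": "198.51.100.10/32", "action": "rate-limit", "bps": 10_000_000},
    {"dst": "203.0.113.0/24", "action": "discard"},        # not our cache
    {"dst": "198.51.100.20/32", "action": "discard"},      # a drop needs a human
    {"dst": "198.51.100.30/32", "action": "rate-limit", "src": "10.0.0.0/8"},
]

if __name__ == "__main__":
    ok, held = gate_feed(SAMPLE_FEED)
    print("auto-applied:", ok)
    print("for NOC review:", held)
```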
