Content Delivery Networks (CDNs) have been examined by security researchers from many angles: how attackers have turned them into instruments of DDoS attacks, and how bad actors have abused free tiers to run up enormous bills for their victims.
CDNs have also been used to attack Application Programming Interfaces (APIs) and to conduct reflection attacks against the wider internet, driven by bots and scrapers. By some estimates, such automated abuse accounts for almost 60% of internet traffic.
Anyone who reflects on this starts to question the idea that a CDN protects them. Until recently, the CDN itself was not treated as something that needed protecting. CDNs have weaknesses of their own, and we will look at them in detail.
Can CDNs be really problematic?
At numerous security conferences, researchers have demonstrated how easy it was to bypass the protection of older versions of most CDNs. One demonstrated attack needs nothing more than a forum that accepts user avatars: because the origin server fetches or processes the upload itself rather than through the CDN, a single user can uncover the IP address of the forum's origin server.
Another demonstration used a fake DMCA takedown notice. Once the content was removed at the supposed owner's request, the takedown process forced the ISP or cloud provider to disclose the origin server.
Attackers' methods have since evolved. They now turn the target's own defense systems into their weapon of choice.
Firsthand accounts from the incident response teams of technology and security firms that have handled such attacks reveal a trend: attackers are weaponizing the security tools themselves to carry out DDoS attacks.
Some data centers detect impending attacks with NetFlow sampling: roughly one in every 10,000 packets a server receives is exported and analyzed. Once an attack is detected, the cloud or CDN provider diverts traffic to a mitigation (scrubbing) center on its network.
An attacker can observe that diversion: the path to the target is no longer about 10 hops away but, say, 15. Once the path has changed, the attacker sends spoofed, corrupt packets straight at the server's own IP address, bypassing the flow-based mitigation entirely.
In effect, the defense mechanism becomes part of the weapon it was meant to stop.
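The sampling limitation above is easy to see in a simulation. The following is an added example, not code from the original article or from any CDN vendor: it feeds two constructed floods of equal volume through a 1-in-10,000 sampler and a per-source threshold (the threshold value and all addresses are assumptions). A flood from one real address trips the threshold; the same volume with a freshly forged source on every packet never produces two samples from the same address and is never flagged.

```python
# Added example (not from the original article): why 1-in-N packet sampling
# with a per-source threshold catches a concentrated flood but not the same
# volume spread across spoofed sources. All addresses and numbers are constructed.
import ipaddress
import random
from collections import Counter
from typing import Iterable, Iterator

SAMPLE_RATE = 10_000        # one packet in 10,000 is exported, as the text describes
PER_SOURCE_THRESHOLD = 10   # assumed: sampled packets from one source that trigger diversion


def sample_packets(sources: Iterable[str], rate: int, seed: int = 1) -> Iterator[str]:
    """Random 1-in-`rate` sampling over a stream of packet source addresses."""
    rng = random.Random(seed)
    for src in sources:
        if rng.randrange(rate) == 0:
            yield src


def flagged_sources(sampled: Iterable[str], threshold: int) -> dict[str, int]:
    """Sources whose sampled packet count reaches the mitigation threshold."""
    counts = Counter(sampled)
    return {src: n for src, n in counts.items() if n >= threshold}


def concentrated_flood(n_packets: int) -> Iterator[str]:
    """Constructed attack: every packet from one real source."""
    for _ in range(n_packets):
        yield "203.0.113.7"


def spoofed_flood(n_packets: int, seed: int = 2) -> Iterator[str]:
    """Constructed attack: same volume, source address forged afresh per packet."""
    rng = random.Random(seed)
    for _ in range(n_packets):
        yield str(ipaddress.IPv4Address(rng.getrandbits(32)))


def detect(attack: Iterable[str]) -> dict[str, int]:
    """Apply the sampler and the per-source threshold to one attack stream."""
    return flagged_sources(sample_packets(attack, SAMPLE_RATE), PER_SOURCE_THRESHOLD)


def compare(n_packets: int = 500_000) -> tuple[dict[str, int], dict[str, int]]:
    """Run both floods through the same sampler; returns (concentrated, spoofed) flags.

    500,000 packets at 1:10,000 yields about 50 samples per flood, well above
    the threshold when they all share one source and far below it when they
    are spread over distinct forged sources."""
    return detect(concentrated_flood(n_packets)), detect(spoofed_flood(n_packets))


if __name__ == "__main__":
    concentrated, spoofed = compare()
    print("concentrated flood flagged:", concentrated)   # the single real source
    print("spoofed flood flagged:", spoofed)             # nothing: each sample is a new address
```

The takeaway for a defender is that a per-source counter on sampled flows is blind to volume that is spread thin, so flow-based diversion needs to be backed by aggregate (per-destination) rate checks and by an origin that only accepts traffic from the CDN or scrubbing path.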
What do renowned cybersecurity firms have to say in this matter?
Reputable security firms have seen such attacks many times, and service providers often find it hard to tell whether their own tools are part of the problem. Even the best DDoS protection services can be turned against their users and wreak havoc.
What can CDN providers do to counter this threat?
To pool resources and improve defenses, some CDN providers have deployed open-source tools in their networks. Here are some things to be aware of, and questions professionals should ask about this approach.
Consider the rollout of a new rule. How long does it take for a new rule to reach a given configuration? Some providers offer a service level agreement (SLA) of about 30 minutes; others have SLAs of up to 24 hours.
Attackers are not short of creativity. A group known as the Lizard Squad claims to have hacked and controlled more than 250,000 home routers, a quarter of a million.
Suppose clients asked their CDN provider to block those infected routers. That could be a catastrophe, because half of them might belong to the clients' own customers; and how many of the claimed addresses are even real? If the defense rests on IP blocklists, companies risk blocking their own clientele. This is quite a conundrum.
And if that happens, can a cloud or CDN provider even detect and differentiate legitimate requests from malicious ones arriving from those addresses? That question tests both the efforts of security teams and the kind of CDN they deploy.
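Before handing a blocklist of "infected routers" to a CDN, a client can at least measure the collateral damage. The following is an added example, not code from the original article or from any CDN provider: it takes a proposed blocklist and the client's own customer prefixes (both constructed here), merges overlapping entries, and splits the list into entries that can be dropped outright and entries that overlap customer space and should get a softer control such as a rate limit or challenge. It also counts how many customer addresses a hard block would have cut off.

```python
# Added example (not from the original article): triage a proposed IP blocklist
# against your own customer prefixes so a block rule does not cut off your
# clientele. All addresses below are constructed (RFC 5737 documentation ranges).
import ipaddress
from typing import Iterable


def to_networks(entries: Iterable[str]) -> list:
    """Parse single addresses or CIDRs (one IP version) and merge overlapping
    or adjacent entries, so each range is counted once."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return list(ipaddress.collapse_addresses(nets))


def triage_blocklist(blocklist: Iterable[str], customer_prefixes: Iterable[str]) -> dict:
    """Split `blocklist` into entries safe to drop and entries that overlap
    customer space (which should get a rate limit or challenge instead), and
    count the customer addresses a hard block would have affected."""
    block_nets = to_networks(blocklist)
    customer_nets = to_networks(customer_prefixes)
    block, challenge, affected = [], [], 0
    for b in block_nets:
        hits = [c for c in customer_nets if b.overlaps(c)]
        if not hits:
            block.append(str(b))
            continue
        challenge.append(str(b))
        # Two CIDR blocks either nest or are disjoint, so the intersection of
        # two overlapping ones is whichever is more specific (fewer addresses).
        for c in hits:
            affected += min(b.num_addresses, c.num_addresses)
    return {
        "block": block,
        "challenge": challenge,
        "customer_addresses_affected": affected,
    }


# Constructed sample data: two customer prefixes and a blocklist that mixes
# single addresses with a /26 that sits inside one of the customer ranges.
CUSTOMER_PREFIXES = ["203.0.113.0/24", "198.51.100.128/25"]
PROPOSED_BLOCKLIST = [
    "203.0.113.45",      # inside the /26 below, merged away by collapse
    "203.0.113.0/26",    # 64 customer addresses
    "192.0.2.10",        # not a customer: safe to block
    "198.51.100.5",      # outside the customer /25: safe to block
    "198.51.100.200",    # one customer address
]

if __name__ == "__main__":
    result = triage_blocklist(PROPOSED_BLOCKLIST, CUSTOMER_PREFIXES)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running this on the sample data leaves two entries to block, two to challenge, and reports 65 customer addresses that a blanket block would have hit. The same split maps naturally onto the two rule types most CDN providers expose: a deny rule for the first group and a rate-limit or challenge rule for the second.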