Developing a serious online project, you can’t afford downtime: your services and pages should be available around the clock. Therefore you should always keep tabs on website security and prevent possible DDoS attacks and other attempts to damage your site.
Most common attacks are performed by sending too many external requests to the server so that it could not anymore process legitimate requests, or worked too slowly making websites unavailable for users.
CDN (Content Delivery Network) has features that prevent DDoS attacks. A network consists of numerous high-capacity servers that distribute load and allow handling much more content than a single hosting server. Besides, CDN service features DDoS protection (firewall) and skilled technical staff who can deal with it. However, every CDN solution works on the basis of user’s own server that is called CDN origin. The content is initially loaded on the origin server and only then is cached on edge servers. If hackers manage to disrupt the origin server, it will damage functionality of the whole CDN network. It will make website unavailable, or only partially available.
There are three options for effective protection of CDN origin server, and all of them have the same idea at the base: you should allow requests coming from CDN only. All external requests should be blocked.
Limitation of IP rate
If you limit IP rate, you will receive only some certain amount of requests from an IP address during some certain period. But this may not work well with CDN service, because CDN has to process a lot of valid requests from a few IP addresses, and each of them should go through.
Whitelisting
This approach may appear to be more helpful. It works the following way: you include some unique identifiers in a request header, and only requests containing it are passed through. But when whitelisting IP addresses you should consider all IPs of every CDN edge server so that they could access the origin. But what if CDN companies won’t give you their server IPs? Or will just forget to inform you about new IPs? It will lead to problems.
Whitelist a unique identifier in a request header, and CDN servers will include unique info in the requests sent to the origin for them to pass through. Ask if your CDN provider has such possibility. This method is helpful, but not 100% reliable. If hackers get to know request headers, they will easily to fake requests.
Use complicated origin hostname
This is a simple and yet smart idea. Generate a random set of numbers and use them as a subdomain. Only CDN network, origin server owner and DNS provider should be aware of this hostname. The chance it will be revealed is low. Whitelist request with this hostname, and your website will be safe.
Site Title 