7

I am trying to understand how a CDN (like Cloudflare, e.g.) protects against a DDoS attack.

I would think that the internet traffic is routed through a CDN's reverse proxy, then filtered. This assumes that the DNS record of the website in question points to a CDN reverse proxy of course.

Now, should I / must I have a firewall at my origin server that only allows connections from CDN-related IPs?

Note: In this support article, Cloudflare suggests changing the origin IP and updating some routing when under attack:

If an attacker is directly targeting your origin web server, request your hosting provider change your origin IPs and update the IP information in your Cloudflare DNS app. Confirm all possible DNS records are orange-clouded and that your name servers still point to Cloudflare (unless using a CNAME setup) before changing your origin IP.

Why do they not recommend using a firewall? Their solution will have a short-term effect, but can be circumvented easily.

Is changing only the IP bad advice? Am I understanding something wrong here?

Marcel

2 Answers

5

An IP whitelist is an imperfect solution because it's fiddly. CloudFlare's global network of reverse proxies isn't necessarily a static list of IP addresses. If CloudFlare adds a new IP range, some of CloudFlare's servers may not be able to reach your Origin server until you update your firewall, and your application could be experiencing a brownout for many of your users that you may never notice, and which is really hard to debug even when you do, because everything is working perfectly fine from your vantage point. The maintenance busywork to keep the whitelist of IP addresses on your firewall up to date will be just as problematic as handling a DDoS.

The main idea of CloudFlare's CDN protection is hiding your Origin Server's real IP address from publicly accessible databases like the DNS system. This makes it much more difficult for an attacker to discover where to direct an attack on your Origin server.

Additionally, if your firewall appliance can actually handle the direct DDoS load, then your attacker is probably not big enough yet for you to actually need DDoS protection. So the suggestion to just skip town and change your public IP is sensible, as it's likely the fastest way to alleviate the impact of an active attack.

CloudFlare's solution to protect your Origin Server from direct traffic is to use Authenticated Origin Pull (free), which has CloudFlare present a TLS client certificate when making a connection to your Origin server, or Argo Tunnel (additional cost), which requires you to run a cloudflare agent daemon inside your network to maintain an outgoing connection to one of CloudFlare's points of presence.

Lie Ryan
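The answer above describes the failure mode of a static origin allowlist: the CDN publishes a new proxy range, the origin firewall still carries the old list, and a slice of users silently gets dropped. The following is an added example (not code from the original answer or from Cloudflare) that checks a TCP peer address against a configured allowlist and reports which published CDN prefixes the allowlist no longer covers. All prefixes are constructed RFC 5737 / RFC 3849 documentation ranges, not any CDN's real address list; the list names and functions are assumptions for the illustration.

```python
"""Detect drift between an origin firewall allowlist and a CDN's published ranges.

Added example; the ranges below are constructed documentation prefixes.
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Ranges the operator put on the origin firewall some time ago (constructed).
CONFIGURED_ALLOWLIST = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8:1::/48"]

# Ranges the CDN publishes today; one IPv4 and one IPv6 prefix are new (constructed).
PUBLISHED_CDN_RANGES = [
    "192.0.2.0/24",
    "198.51.100.0/24",
    "203.0.113.0/24",
    "2001:db8:1::/48",
    "2001:db8:2::/48",
]

# Sample TCP peer addresses seen at the origin (constructed).
SAMPLE_PEERS = ["192.0.2.10", "203.0.113.5", "2001:db8:2::1", "8.8.8.8"]


def parse_ranges(ranges: Iterable[str]) -> List[Network]:
    """Parse CIDR strings; strict=False tolerates host bits in the prefix."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def is_allowed_peer(peer_ip: str, allowlist: Iterable[str]) -> bool:
    """True if the TCP peer address falls inside any allowlisted CDN range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in parse_ranges(allowlist))


def dropped_peers(peers: Iterable[str], allowlist: Iterable[str]) -> List[str]:
    """Peers the firewall would drop under the given allowlist."""
    return [p for p in peers if not is_allowed_peer(p, allowlist)]


def uncovered_ranges(configured: Iterable[str], published: Iterable[str]) -> List[str]:
    """Published CDN prefixes not fully covered by the configured allowlist.

    Each such prefix is a set of CDN proxies the origin firewall will drop: the
    silent brownout the answer describes. Version is compared first because
    subnet_of() refuses to compare IPv4 with IPv6 networks.
    """
    conf = parse_ranges(configured)
    missing = []
    for net in parse_ranges(published):
        if not any(net.version == c.version and net.subnet_of(c) for c in conf):
            missing.append(str(net))
    return missing


if __name__ == "__main__":
    print("dropped peers:", dropped_peers(SAMPLE_PEERS, CONFIGURED_ALLOWLIST))
    print("allowlist drift:", uncovered_ranges(CONFIGURED_ALLOWLIST, PUBLISHED_CDN_RANGES))
```

Run `uncovered_ranges` on a schedule against the CDN's currently published list and alert when it returns anything; an empty result is the only state in which the allowlist is not already causing a partial outage. Note that `8.8.8.8` is dropped under both lists, which is the intended effect: a peer outside every CDN range is direct-to-origin traffic.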
1

"Now, should I / must I have a firewall at my origin server that only allows connections from CDN-related IPs?"

I think it's a good idea. Cloudflare used to not recommend it, as they claimed that sites on the free tier would have limited DDOS support before they started offloading traffic directly to origin. However, I cannot find those links anymore, and Cloudflare now claims unmetered DDOS protection.

In any case, if you're really being DDOS-ed badly, paying for the Cloudflare subscription would be a much cheaper way of solving the problem than trying to fix it yourself.

"Why do they not recommend using a Firewall? Now, their solution will have a short term effect, but can be circumvented easily."

You're right: if your website is somehow leaking your IP (for example, if an attacker can subscribe to an alert that is sent directly from the server IP), then merely rotating the IP would not be effective.

You'll need to somehow prevent access from non-Cloudflare IPs, preferably at the platform level, using AWS Security Groups for example, rather than a firewall on the server.

schroeder
keithRozario
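Both answers agree that the origin should refuse anything not arriving from the CDN, and the second one adds that a leaked origin IP makes rotation alone ineffective. The following is an added example (not code from either answer, from Cloudflare, or from AWS) of the origin-side counterpart to a platform-level filter: a request guard that accepts a connection only when the TCP peer sits inside the CDN's ranges, trusts the CDN-supplied client-address header only in that case, and counts direct-to-origin attempts, which is the signal that the origin IP has leaked. The header name, the ranges and the connection records are constructed placeholders; substitute the CDN's documented header and published ranges.

```python
"""Origin-side request guard: trust the CDN's client-IP header only from CDN peers.

Added example; header name, ranges and records are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# CDN proxy ranges (constructed documentation prefixes, not a real CDN list).
CDN_RANGES = [ipaddress.ip_network(r) for r in ["192.0.2.0/24", "203.0.113.0/24", "2001:db8::/32"]]

# Hypothetical header the CDN uses to forward the real client address.
CLIENT_IP_HEADER = "x-forwarded-client-ip"


@dataclass
class Decision:
    accepted: bool
    client_ip: Optional[str]  # the address the application should treat as the client
    reason: str


def is_cdn_peer(peer_ip: str) -> bool:
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in CDN_RANGES)


def guard(peer_ip: str, headers: Dict[str, str]) -> Decision:
    """Decide whether to serve a request and which address counts as the client.

    The forwarded header is only meaningful when the TCP peer is a CDN proxy;
    from any other peer it is attacker-controlled input and must be ignored.
    """
    if not is_cdn_peer(peer_ip):
        # Direct-to-origin traffic: reject before doing any application work.
        return Decision(False, None, "peer not in CDN ranges")
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(CLIENT_IP_HEADER)
    if raw is None:
        return Decision(False, None, "missing client header from CDN peer")
    try:
        client = ipaddress.ip_address(raw.strip())
    except ValueError:
        return Decision(False, None, "malformed client header")
    return Decision(True, str(client), "ok")


def direct_origin_attempts(records: Iterable[Tuple[str, Dict[str, str]]]) -> int:
    """Count connections that bypassed the CDN; a rising count means the origin IP leaked."""
    return sum(1 for peer, hdrs in records if guard(peer, hdrs).reason == "peer not in CDN ranges")


# Constructed connection records: (TCP peer address, request headers).
SAMPLE_RECORDS: List[Tuple[str, Dict[str, str]]] = [
    ("192.0.2.7", {"X-Forwarded-Client-Ip": "198.51.100.23"}),   # via CDN, well-formed
    ("192.0.2.7", {}),                                           # via CDN, header missing
    ("198.51.100.23", {"X-Forwarded-Client-Ip": "192.0.2.1"}),   # direct, spoofed header
    ("2001:db8::10", {"X-Forwarded-Client-Ip": "198.51.100.9"}), # via CDN over IPv6
    ("198.51.100.77", {}),                                       # direct, no header
]


if __name__ == "__main__":
    for peer, hdrs in SAMPLE_RECORDS:
        print(peer, guard(peer, hdrs))
    print("direct-to-origin attempts:", direct_origin_attempts(SAMPLE_RECORDS))
```

Keep the platform-level filter (security group or equivalent) as the primary control so that direct traffic never reaches the host at all; this guard is defence in depth for the case where that filter is misconfigured, and its rejection counter is worth exporting to monitoring, since any non-zero value while the origin is supposed to be unreachable means the address is known outside the CDN.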