Questions tagged [cdn]

Security practices of, as well as security implications of, using a Content Delivery Network such as Cloudflare or Akamai.

29 questions
70 votes, 2 answers

How can ISPs handle DDoS attacks?

How can an ISP with low bandwidth like 50 Gbps handle a DDoS attack with more than this? I know there is a solution called "Black Hole". Is this enough to mitigate DDoS attacks or are there any other enterprise solutions? What kind of DDoS…
R1W
22 votes, 3 answers

How does a company like CloudFlare block bot crawling and email harvesters?

I saw this on CloudFlare's homepage: CloudFlare protects against a range of threats: cross site scripting, SQL injection, comment spam, excessive bot crawling, email harvesters, and more. How could a company like CloudFlare block crawler bots and…
Anders
9 votes, 3 answers

How can CloudFlare provide a valid SSL certificate for domains not under its control?

CloudFlare provides a reverse proxy, and it offers SSL support ("flexible", "full", "strict full", and "keyless"). How does CloudFlare manage to get a valid certificate for domains it does not own? Don't the certificate authorities normally require…
Flimm
7 votes, 2 answers

How does a CDN actually prevent DDoS attacks, when an origin server accepts direct connections?

I am trying to understand how a CDN (like Cloudflare, e.g.) protects against a DDoS attack. I would think that the internet traffic is routed through a CDN's reverse proxy, then filtered. This assumes that the DNS record of the website in question…
Marcel
6 votes, 3 answers

What is the Akamai Name Server I see for some big companies?

I have played with DNS a lot lately, and I have found that some big companies' web sites use the Akamai NS as the Name Server for their WWW servers, for example: $>nslookup > www.redhat.com Server: 192.168.43.1 Address: …
Hanan N.
5 votes, 2 answers

Does Cloudflare masking my IP make my server more secure?

I've heard in a conversation and read in some forum posts that Cloudflare will proxy your IP, hiding it from the public, and this mitigates the risk of an attacker finding your server in the first place, making it more secure. Is there any truth to…
TCooper
5 votes, 2 answers

How can Cloudflare read an encrypted request without the private key?

We have Cloudflare in our production server and the encryption level is full, not flexible. This webpage said Cloudflare can decrypt the request. But we didn't give our server's private key to Cloudflare. How is this even possible? Does this mean…
3 votes, 0 answers

Risks of not enabling HSTS on a static content subdomain, even though the main domain does have HSTS

I'm investigating an issue where our static content (js, css) is deployed in AWS Cloudfront under a subdomain of our main website and doesn't have HSTS enabled. The main domain does have HSTS enabled however. Presuming our content in our main…
Cyassin
3 votes, 1 answer

How to protect a website from DDoS without a CDN?

I have basic knowledge in Bash and with that knowledge I rented a remote machine in a mostly-self-managed hosting platform (DigitalOcean) and raised a LEMP environment on which I have a website. I protect my environment with SSHguard. I applied…
user9303970
2 votes, 2 answers

Is there a security risk in hosting an app's HTML/JavaScript payment system on a CDN?

We have a mobile app (React and Expo) in which the user is able to provide payment via Stripe. Our implementation uses a WebView which renders HTML and JavaScript content, which in turn pulls in the Stripe JavaScript client and implements the…
jlmt
2 votes, 0 answers

How can an attacker hijack js/css content?

I just encountered an issue: the cached js files showed a porn site. Here's the simple network diagram. https://cdn.mysite.com/js/app.js shows a porn site, but if I add in query string https://cdn.mysite.com/js/app.js?t=20180928130702, then it displays…
Js Lim
2 votes, 1 answer

Is it secure to handle the OAuth 2 Authorization callback from a CDN?

This question is in the context of the OAuth 2.0 Authorization Framework. Consider a web application that is backed by a first-party API but relies on a third-party authorization server for SSO. Say the index page for the application is hosted on…
Ed I
2 votes, 1 answer

Is there a multi-layered DoS protection which can be tightly integrated with cloud hosting services?

I know that one can deny services (DoS) in any of the 7 layers of the OSI model and that in principle, a denial can be done by a single entity (human or machine) or from 2 or more such entities ("distributed" - DDoS). I also understand that: On…
user123574
1 vote, 2 answers

Do CloudFront edges talk to custom origins over open (non-AWS) networks?

Where the custom origin server for an AWS CloudFront distribution is an EC2 instance accessible with a public DNS record, do CloudFront edge locations talk to it over the open Internet — as opposed to AWS-only network? If they use AWS-only networks…
Greendrake
1 vote, 1 answer

DDoS might be very unlikely to happen to my website but in any case a CDN that should protect from it slows my website

I humbly assume that DDoS is very unlikely to happen to my website. A CDN that should protect from it slows my website according to my personal experience and tests (perhaps only because of the strange demand to have all webpages redirected to www.…