How to use an origin shield to protect your CDNs from DDoS attacks
A single distributed denial of service (DDoS) attack of any size can cripple content delivery networks (CDNs) for minutes, hours, or even days.
It's a situation no business wants to face, yet it is common enough: total server outages with no redundancy, forcing sites offline during periods of high and unpredictable traffic. Despite the existence of protective solutions, these incidents continue to happen.
One recent report from security firm NETSCOUT found that in the first quarter of 2021, there were 2.9 million DDoS attacks, a 31% year-over-year increase.
One of the ways of preventing DDoS attacks is through the use of what is called an origin shield, which acts as an additional cache layer between an organisation's origin servers and their CDN edge servers.
While most organisations use caching to improve performance and maximise resources, not as many are taking advantage of origin shields to provide an additional layer of protection across their CDN architectures.
An origin shield's caching layer prevents CDNs from becoming a source of DDoS attacks on their related origin servers.
Varnish Software's Peter Löfling explains that there's a simple principle at play: an origin shield designates a single (or multiple) proxy or cache point of presence (PoP) for incoming uncached requests. Whether it's one request or millions, the origin is protected.
“The origin server is almost untouchable from the outside, receiving only the request from your designated shield PoP, which then caches and serves the content itself. This increases your cache-hit efficiency, lets you serve content faster and more efficiently, and keeps your site running smoothly (no downtime at origin).”
In multi-CDN configurations, such as those used in live video streaming or gaming services, origin shielding is important not only for protecting each CDN but also for providing high levels of service to customers.
According to a recent survey from Varnish Software, only 18% of organisations are using an origin shield product to protect their multi-CDN, and 27% are working on it. Twenty-five percent don't use one but are seriously considering it, 19% have considered but will not deploy, and 11% don't see the need.
While most organisations do see the value of origin shielding, many are neglecting their responsibilities to protect their multi-CDNs. And in the event of a DDoS attack, it could be a very costly oversight.
Löfling explains a few more benefits of origin shields:
- Protection for the origin against traffic overloads, maintaining high availability and redundancy in your setup
- Reduce risk from and gain protection against intentional DDoS and unintentional DDoS-like attacks
- Enjoy an extra layer of security at no additional cost or effort
- Enhance content delivery performance — faster and more reliable, thanks to better cache efficiency
- Resilience and secure, high performance for both single and multi-CDN setups
In addition to shielding multi-CDN setups, Varnish Enterprise offers increased cache efficiency and boosts performance and resilience by reducing load on the company's origins while cutting costs.
Varnish uses what is called request coalescing (also known as request collapsing). This means if 20 people request the same content at the same time, Varnish fetches the data from the origin only once.
It means that Varnish does all of the heavy lifting transparently, and shields the origin server from unnecessary traffic.
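The request coalescing described above can be sketched as a toy shield cache. This is an added example, not Varnish code or its implementation; `ShieldCache`, `simulate`, the stand-in origin function and the sample URL are hypothetical names constructed for illustration.

```python
import threading
import time
from concurrent.futures import Future, ThreadPoolExecutor

class ShieldCache:
    """Toy origin shield: caches responses and coalesces concurrent misses."""

    def __init__(self, fetch_from_origin):
        self._fetch = fetch_from_origin
        self._lock = threading.Lock()
        self._cache = {}     # url -> cached body
        self._inflight = {}  # url -> Future of a fetch already in progress

    def get(self, url):
        with self._lock:
            if url in self._cache:
                return self._cache[url]      # cache hit: origin untouched
            fut = self._inflight.get(url)
            leader = fut is None
            if leader:                       # first miss: this caller fetches
                fut = self._inflight[url] = Future()
        if not leader:
            return fut.result()              # followers wait for the leader's fetch
        try:
            body = self._fetch(url)
        except Exception as exc:
            with self._lock:
                del self._inflight[url]      # failures are not cached; next request retries
            fut.set_exception(exc)           # waiting followers see the same error
            raise
        with self._lock:
            self._cache[url] = body
            del self._inflight[url]
        fut.set_result(body)
        return body

def simulate(clients=20, url="/video/segment-001.ts"):
    """Send `clients` simultaneous requests; return (origin_fetches, bodies)."""
    origin_hits = []

    def origin(u):                           # constructed stand-in for the origin server
        origin_hits.append(u)
        time.sleep(0.05)                     # slow origin so the requests overlap
        return f"body-of-{u}"

    shield = ShieldCache(origin)
    with ThreadPoolExecutor(max_workers=clients) as pool:
        bodies = list(pool.map(shield.get, [url] * clients))
    return len(origin_hits), bodies
```

With the default 20 clients, `simulate()` reports a single origin fetch while every client receives the same body; a failed fetch is propagated to the waiting requests and is not cached.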
Interested in finding out more? Varnish explains the basics of origin shields in its latest ebook called Origin Shield: Protect Your Origin At All Costs. The ebook examines the origin shield as an essential component of high-performance content delivery and focuses on key points such as:
- What is an origin shield?
- How does it work?
- What are the benefits?
- More on Varnish CDN with origin-shield.