Backend DDoS Protection
- Is your website hosted behind a CDN?
- Could an attacker brute force or guess your website’s origin URL?
- Are your origin servers hardened against DDoS threats?
A common website configuration consists of hosting your applications with infrastructure providers (e.g. Azure, AWS, Heroku, and many more) and serving that behind a CDN platform that specializes in DDoS protection (e.g. Cloudflare, Akamai, Fastly, or others). One benefit of this setup is DDoS resistance. The CDN soaks up DDoS traffic and doesn’t pass it through to the origin webservers, which are less stable under extremely high load and costs more for usage spikes. This is a good setup, but make sure that an attacker can’t find or guess your origin webserver’s URL or IP. For example, if your website is example.com on Cloudflare and your webservers are hosted on Azure, your website might also be accessible on the origin URL example-suffix.azurewebsites.net.
There are 3 main ways to mitigate this attack vector:
- Whitelist the IPs of your CDN on your origin servers. This may or may not be feasible depending on your providers.
- Randomize your origin hostname. This is effective against brute-force guesses, but it is not effective if your origin address is leaked some other way.
- Activate DDoS protection services with your origin hosting provider. This will cost money.
If you are worried about DDoS attacks, we recommend you implement as many of those 3 mitigations as you can.