Peace,

On Fri, Jan 8, 2021 at 3:28 AM Yang Yu <yang.yu.list@gmail.com> wrote:
> How often does your hosted CDN cache get DDoS'ed? I am curious how these get handled (especially when it would cause upstream/backbone congestion). Is this treated differently than DDoS to customers?
I'm assuming you're speaking about IP transit. (For a datacenter, the picture wouldn't be the same.) Yes, it's different in that the malicious traffic would typically be coming from your customers, and you can mitigate it by tracing it back to the sources (and by blocking access to the IP from outside of your network, except for outgoing connections), which is a good thing.
> Any experience to share on working with CDNs to solve these issues?
Mostly to ensure that they only serve your hosted cache's IP to your customer cone *at most* and to no one else. (It isn't always the case, though.) In certain cases (layer 7 attacks; I guess it's not your case) they can also provide you with the list of IP addresses causing the heavy load on the caching servers, even if not in real time.
> If the cache provides a flowspec feed, how useful would it be?
First, in my experience almost none of them do. Next, I'm a firm believer in flow spec and automation, but even I'd say it's too dangerous to just take that feed and use it right away without NOC supervision. Not only are the CDN NOCs not necessarily experts in DDoS and flow spec, but they also may have, I'd say, different priorities than your network engineering team does. As a threat intelligence source, those might be useful though.

--
Töma
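The last point in the reply above (treat a CDN's flowspec feed as intelligence, and never push it to routers without a human in the loop) can be turned into a small gatekeeper. The following is an added example and not code from the thread, from either participant or from any CDN; the rule format (plain dicts with `dst`, `src`, `proto`, `dst_port`, `action`, `rate_bps`), the hosted-cache and protected prefixes (RFC 5737 TEST-NET ranges) and the thresholds are all constructed assumptions. It sorts each rule into "auto" (narrow rate-limit inside the cache prefix), "hold" (blackholes and catch-alls wait for NOC sign-off) or "reject" (rules touching anything other than the hosted cache, or our own infrastructure), and separately extracts the source prefixes so the feed still yields intel even when nothing is pushed.

```python
"""Gatekeeper for a third-party flowspec feed (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed placeholder: the prefix(es) the hosted CDN caches live in.
# A feed about the cache should only ever match traffic *towards* the cache.
HOSTED_CACHE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
# Constructed placeholder: our own infrastructure that no feed may ever touch.
PROTECTED_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
MIN_DST_PREFIXLEN = 24                                 # broader than /24 is too blunt
SELECTORS = ("src", "proto", "dst_port", "src_port")  # fields that narrow a match


@dataclass
class Verdict:
    decision: str                       # "auto" | "hold" | "reject"
    reasons: list = field(default_factory=list)


def _parse(prefix):
    """Return an ip_network or None for anything that does not parse."""
    try:
        return ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return None


def _within(net, prefixes):
    return any(net.subnet_of(p) for p in prefixes)


def _overlaps(net, prefixes):
    return any(net.overlaps(p) for p in prefixes)


def vet_rule(rule):
    """Classify one flowspec rule. Rejections are final; holds go to the NOC."""
    reasons = []
    dst = _parse(rule.get("dst", ""))
    if dst is None:
        return Verdict("reject", ["missing or malformed destination prefix"])
    if not _within(dst, HOSTED_CACHE_PREFIXES):
        reasons.append(f"destination {dst} is outside the hosted cache prefixes")
    if _overlaps(dst, PROTECTED_PREFIXES):
        reasons.append(f"destination {dst} overlaps protected infrastructure")
    if dst.prefixlen < MIN_DST_PREFIXLEN:
        reasons.append(f"destination {dst} is broader than /{MIN_DST_PREFIXLEN}")
    if "src" in rule:
        src = _parse(rule["src"])
        if src is None:
            reasons.append(f"malformed source prefix {rule['src']!r}")
        elif _overlaps(src, PROTECTED_PREFIXES):
            reasons.append(f"source {src} overlaps protected infrastructure")
    if reasons:
        return Verdict("reject", reasons)

    # A discard, or a rate-limit to zero, is a blackhole: a human signs off.
    action = rule.get("action")
    if action == "discard" or (action == "rate-limit" and rule.get("rate_bps", 1) <= 0):
        return Verdict("hold", ["blackhole action requires NOC approval"])
    if action != "rate-limit":
        return Verdict("hold", [f"unknown action {action!r}"])
    # A rate-limit that matches *all* traffic to the cache still needs eyes.
    if not any(k in rule for k in SELECTORS):
        return Verdict("hold", ["rate-limit has no narrowing selector"])
    return Verdict("auto", ["narrow rate-limit inside the hosted cache prefix"])


def vet_feed(rules):
    """Group a whole feed by decision; only the "auto" bucket reaches routers."""
    buckets = {"auto": [], "hold": [], "reject": []}
    for rule in rules:
        buckets[vet_rule(rule).decision].append(rule)
    return buckets


def threat_intel_sources(rules):
    """Source prefixes seen in the feed, usable as intel even when no rule is pushed."""
    return {str(_parse(r["src"])) for r in rules if "src" in r and _parse(r["src"])}


# Constructed sample feed: one safe rate-limit, one blackhole, one over-broad
# rule, one aimed at our own infrastructure, and one rate-limit to zero.
SAMPLE_FEED = [
    {"dst": "192.0.2.10/32", "src": "203.0.113.0/24", "proto": "udp",
     "dst_port": 80, "action": "rate-limit", "rate_bps": 10_000_000},
    {"dst": "192.0.2.10/32", "action": "discard"},
    {"dst": "192.0.2.0/23", "proto": "tcp", "action": "rate-limit", "rate_bps": 1_000_000},
    {"dst": "198.51.100.53/32", "action": "discard"},
    {"dst": "192.0.2.11/32", "src": "203.0.113.7/32", "action": "rate-limit", "rate_bps": 0},
]

if __name__ == "__main__":
    for rule in SAMPLE_FEED:
        v = vet_rule(rule)
        print(f"{v.decision:6} {rule}  <- {'; '.join(v.reasons)}")
    print("threat intel sources:", sorted(threat_intel_sources(SAMPLE_FEED)))
```

Only the "auto" bucket would be handed to whatever pushes flowspec into the network; "hold" is a ticket for the NOC, and "reject" is logged and never applied. The source set is what survives of the feed as threat intelligence regardless of what gets pushed.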