Choose a CDN Vendor: The Best Technical Questions to AskBack
Each CDN vendor has its own strengths, and CDNs that protect against DDoS attacks are popular for website security. What should you think about when making your choice?
CDN Vendors are Not All Like! Can CDN Stop DDoS Attacks?!
Outside of its primary role to accelerate web content delivery, the current CDN also includes DDoS protection. Since a CDN acts as an intermediate between users and servers, its position as an aggregation of traffic makes it the best platform to deploy DDoS mitigation services. As cyber attacks become increasingly rampant, a CDN with DDoS defensive function has become an indispensable part of cybersecurity.
If you are currently considering using DDoS mitigation services on your website, you may want to consider the advantages of a defensive CDN:
CDN Can Block DDoS Attacks and Decrease Bandwidth Costs
A CDN completely conceal the origin servers of the website. Whether it’s a real user or a hacker, all they can resolve is the PoPs (Nodes) location of the CDN, and access to the origin servers are off limit to these requests (the origin servers can set up firewall to only allow requests from CDN PoPs). When an attack occurs, the DDoS mitigation service on the CDN will eliminate the malicious traffic, allowing only requests from real users to pass through, so you don’t have to worry about whether the server resources or bandwidths are sufficient, giving you great cost savings in addition to website security. On the other hand, without a CDN, your websites will be directly exposed to the Internet. Once your website’s IP has been targeted and injected with attacks (a conventional network service cannot flexibly replace upstream ISP/IP), you will need to invest significant resources and bandwidths to address these attacks, which is a waste of expenses.
Comprehensive, Real-time Log for Advanced Security Strategy
Additionally, a DDoS defensive CDN does not require external LOG solution, as the CDN’s management platform collects records of all requests, so users can clearly view all normal requests and malicious requests that are blocked, allowing better analysis and deployment of website security strategies.
Platform Integration: WAF——Essential for DDoS Mitigation
DDoS attacks that target Layer 7 are some of the most difficult to defend against. In addition to a scrubbing center that can mitigate L3 and L4 attacks, a comprehensive web application firewall (WAF) is also one of the most important services of a DDoS defensive CDN. A single CDN management platform integrates all security functions, for example, WAF rule settings can be used to block requests from non-customer countries with IP Geo-location database updated in real-time by ApeiroCDN.
Conversely, if a DDoS defensive CDN is not used, users will often need to purchase expensive equipment just to operate WAF services, as well as dealing with issues such as certificates and encryption/decryption, requiring careful consideration and evaluation of maintenance human resources and budgets.
4 Questions to Ask a CDN Vendor for Choosing a DDoS Solution
Q1: What is the biggest attack you have mitigated so far?
While there are many CDN vendors claiming to have DDoS mitigation, most of them have a upper limit to traffic scrubbing. However, ApeiroCDN offers Tb+ scrubbing bandwidth and unlimited DDoS mitigation protection. If an attack occurs just as the scrubbing bandwidth is exhausted, service interruption may occur. In this case, enterprise clients will either have to purchase additional scrubbing capacities or upgrade bandwidth, which can be significant losses to customer experience and operational costs.
Q2: What WAF functions do you have? What is your WAF’s accuracy?
The WAF functions and limitations differ between CDN vendors. Most vendors only provide some (single digits) entry-level WAF configurations. In contrast, ApeiroCDN provides up to 500 multifunctional WAF rule protections. By setting multiple WAF rules and conditions, users can precisely block abnormal requests. For example, if you want to block requests from the U.S., but also open access to only a certain IP/telecom companies/User-agent from the U.S., you can use multiple WAF rules to achieve your objective and create a sophisticated and precise defensive strategy.
Q3: What are your regions of expertise? How is your performance in China?
Currently speaking, there are very few CDN vendors in the China that provide both website acceleration and premium DDoS defenses. Many CDN vendors that offer protection against high attack traffic loads in China have inversely proportional routing performances. ApeiroCDN is the “only” CDN vendor that provides mass scale DDoS mitigation and excellent acceleration performance in China. Most CDN vendors that advertise DDoS attack mitigation often utilize cheaper networks that are located outside the border of China, such as scrubbing centers located far away from China/Asia. However, ApeiroCDN’s scrubbing center is located right in the Asian region, ensuring high quality services.
Q4: Do you use independent CDN PoPs (Nodes) resources?
ApeiroCDN offers dedicated VVIP services, each customer has its own independent resources that do not interfere with each other (e.g. Attack on Customer B also impacts services of Customer A). This is akin to a user having his/her own lane on a highway, where services remain unaffected even when there are congestions or accidents in other lanes. However, if resources are shared, then services can be affected by the different usage between users.
ApeiroCDN has the advantages of a one-stop integration service that include Tb+ DDoS scrubbing service, sophisticated WAF protection, comprehensive request logs, customizable monitoring dashboard, attack alert mechanism, 24/7 real-time technical customer service, and CN2 networks for China, all integrated onto the management platform. Users can easily maintain thousands of domains with our management solution.