9

I'm in the design process for a Java web app that I will probably end up deploying to Google App Engine (GAE). The nice thing about GAE is that I really don't have to worry about fortifying my app from the dreaded DDoS attack - I just specify a "billing ceiling", and if my traffic peaks up to this ceiling (DDoS or otherwise), GAE will just shut my app down. In other words, GAE will essentially scale to any amount until you simply can't afford to keep the app running any longer.

So I'm trying to plan a contingency whereby, if I do hit this billing ceiling and GAE shuts my app down, my web app domain DNS settings "fail over" to another, non-GAE IP address. Some initial research has shown that certain CDNs like CloudFlare offer services for this exact situation. Basically, I just keep my DNS settings with them, and they provide an API I can hit to automate a failover procedure. Thus, if I detect that I'm at 99% of my billing ceiling for my GAE app, I can hit this CloudFlare API, and CloudFlare will dynamically change my DNS settings to point away from the GAE servers to some other IP address.

My initial contingency would be to failover to a "read-only" (static content only) version of my web app hosted somewhere else, maybe by GoDaddy or Rackspace.

But then it suddenly dawned on me: if DDoS attacks target the domain name, what difference does it make if I roll over from my GAE IP address to my (say) GoDaddy IP address? In essence, the failover wouldn't do anything other than allow the DDoS attackers to bring down my backup/GoDaddy site!

In other words, DDoS attackers coordinate an attack on my web app, hosted by GAE, at www.blah-whatever.com, which is really an IP address of 100.2.3.4. They cause my traffic to spike to 98% of my billing ceiling, and my custom monitor triggers a CloudFlare failover from 100.2.3.4 to 105.2.3.4. The DDoS attackers don't care! They're still launching an attack against www.blah-whatever.com! The DDoS attack continues!

So I ask: what protection do CDNs like CloudFlare offer so that - when you need to fail over to another DNS - you aren't at risk for the same, continued DDoS attack? If such protection exists, are there any technical restrictions (e.g. read-only, etc.) that are placed on the failover site? If not, what good are they?! Thanks in advance!

herpylderp
  • 2,057

2 Answers

7

I work for Incapsula, a Cloud Security company that also provides CDN based acceleration services (like CF).

I want to say that while (as correctly stated by @Billy ONeal) CDN by itself provides no DDoS protection, a Cloud based Proxy Network is a VERY effective DDoS mitigation tool.

And so, in case of DDoS on Cloud CDN, it is not the "CDN" but "Cloud" that protects you by taking in all the extra traffic generated by DDoS, while still allowing access to your site from different POPs around the world.

Also, because this is a front-gate proxy solution, this technology can be used to mitigate level 3-4 network DDoS attacks (i.e. SYN Floods) which use spoofed IPs to send numerous SYN requests to your servers.

In this case a proxy will not establish a connection until an ACK response is received, thus preventing the SYN flood from happening.

There are also other ways you can use Cloud for website security (i.e. Bad Bot Blocking, Cloud-based WAF) and some of these can also be used for DDoS mitigation or prevention (stopping scanner bots is a good example for the latter) but the main thing to understand here is that this is all based not on CDN but on Cloud technology.
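The SYN-flood point in the answer above is easier to see with a model of how a front-gate proxy avoids holding state for half-open connections. The block below is an added example, not code from Incapsula or from the original post, and it touches no network: packets are dicts and the "proxy" is a class that answers every SYN with a SYN-ACK whose sequence number is a keyed hash of the connection tuple (a SYN cookie). Only a peer that actually receives that SYN-ACK, i.e. one that used its real source address, can return the matching ACK, and only then does the proxy record a connection. All addresses, ports and the traffic mix are constructed for the example.

```python
"""Model of a front-gate proxy absorbing a SYN flood with SYN cookies.

Added example: no sockets, no real traffic.  The proxy keeps no per-SYN
state; it only remembers peers that completed the three-way handshake.
"""
import hashlib
import hmac
import random
import secrets


class SynCookieProxy:
    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)
        self.established = set()   # (ip, port) pairs that finished the handshake
        self.syns_seen = 0

    def _cookie(self, src_ip, src_port, client_isn):
        # 32-bit keyed MAC over the tuple; stands in for the cookie a real
        # TCP stack derives from the tuple, a timestamp and a secret.
        msg = f"{src_ip}:{src_port}:{client_isn}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src_ip, src_port, client_isn):
        """Stateless reply: no table entry is created for this SYN."""
        self.syns_seen += 1
        return {"flags": "SYN-ACK",
                "seq": self._cookie(src_ip, src_port, client_isn),
                "ack": (client_isn + 1) & 0xFFFFFFFF}

    def on_ack(self, src_ip, src_port, client_isn, ack_num):
        """Accept only if the ACK proves the SYN-ACK was actually received."""
        expected = (self._cookie(src_ip, src_port, client_isn) + 1) & 0xFFFFFFFF
        got = ack_num & 0xFFFFFFFF
        if not hmac.compare_digest(expected.to_bytes(4, "big"), got.to_bytes(4, "big")):
            return False
        self.established.add((src_ip, src_port))
        return True


def legitimate_handshake(proxy, src_ip, src_port, client_isn):
    """A real client receives the SYN-ACK and echoes seq+1."""
    synack = proxy.on_syn(src_ip, src_port, client_isn)
    return proxy.on_ack(src_ip, src_port, client_isn, synack["seq"] + 1)


def simulate_flood(proxy, spoofed_syns, seed=1):
    """Constructed traffic: many SYNs from made-up source addresses whose
    SYN-ACKs go to hosts that never asked for them, plus one genuine client.
    Returns what the proxy had to remember afterwards."""
    rng = random.Random(seed)
    for _ in range(spoofed_syns):
        ip = f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(256)}"
        proxy.on_syn(ip, rng.randrange(1024, 65536), rng.randrange(2 ** 32))
        # No valid ACK can come back for this SYN, so nothing is stored.
    ok = legitimate_handshake(proxy, "203.0.113.7", 40000, 12345)
    return {"syns_seen": proxy.syns_seen,
            "state_entries": len(proxy.established),
            "legit_client_connected": ok}


if __name__ == "__main__":
    p = SynCookieProxy()
    print(simulate_flood(p, 5000))
    # An ACK with a guessed number does not pass the cookie check
    print("guessed ACK accepted:", p.on_ack("10.0.0.1", 1234, 5, 99))
```

The thing to take from the model is the shape of the state table: after thousands of spoofed SYNs it holds exactly one entry, the client that completed the handshake. A stateful server that allocated a connection block per SYN would instead fill its backlog with half-open entries, which is the resource the flood is aimed at.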

6

They don't protect against DDoS attacks when in this configuration. A CDN doesn't "protect" against a DDoS attack -- they just mitigate its effects by having lots of hardware and bandwidth to throw at the problem. When the CDN changes the DNS settings to point directly at your server, the CDN is no longer handling requests for your website -- the clients never see the IP of the CDN, so the CDN can no longer offer you protection.

As far as "what good are they" -- DDoS attacks are not the point of using a CDN. The point of using a CDN is to decrease the latency between when someone requests a large chunk of data from one of your web servers and that person getting the data, by shortening the geographical distance between the server and the client. It's a perf optimization you can make; but it's really not designed to provide security from DDoS.

Billy ONeal
  • 8,083
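The point both answers make, that repointing the public DNS record at the backup host removes the proxy from the path, can be checked mechanically. The block below is an added example and not code from the original post or from any CDN provider. It models public DNS as a hostname-to-IP map and the proxy as a hostname-to-origin map, then compares the failover the question proposes (swap the A record to 105.2.3.4) with a failover that changes only the proxy's origin. The IPs 100.2.3.4 and 105.2.3.4 come from the question; the proxy edge address and range (198.51.100.0/24) are constructed stand-ins for a provider's published ranges, and the function names are my own.

```python
"""Two failover strategies, and an audit that flags records bypassing the proxy.

Added example.  Everything here is an in-memory model; no DNS is queried.
"""
import ipaddress

PROXY_EDGE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # constructed
PROXY_EDGE_IP = "198.51.100.10"                                 # constructed
PRIMARY_ORIGIN = "100.2.3.4"    # the GAE address from the question
BACKUP_ORIGIN = "105.2.3.4"     # the read-only mirror from the question
HOST = "www.blah-whatever.com"


def initial_state():
    zone = {HOST: PROXY_EDGE_IP}            # what clients (and attackers) resolve
    proxy_origins = {HOST: PRIMARY_ORIGIN}  # where the proxy forwards each host
    return zone, proxy_origins


def failover_by_dns(zone, proxy_origins):
    """The plan from the question: swap the public record to the backup IP."""
    zone = dict(zone)
    zone[HOST] = BACKUP_ORIGIN
    return zone, proxy_origins


def failover_behind_proxy(zone, proxy_origins):
    """Keep the public record on the proxy; only the proxy's origin changes."""
    proxy_origins = dict(proxy_origins)
    proxy_origins[HOST] = BACKUP_ORIGIN
    return zone, proxy_origins


def record_exposes_origin(ip):
    """True when a public record points outside the proxy's edge ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PROXY_EDGE_RANGES)


def where_traffic_lands(zone, proxy_origins, hostname):
    """Follow a request the way any client does: resolve the name, and if the
    address is a proxy edge, continue to the origin the proxy forwards to.
    Returns the list of hops that see the traffic."""
    ip = zone[hostname]
    path = [ip]
    if not record_exposes_origin(ip):
        path.append(proxy_origins[hostname])
    return path


def audit_zone(zone):
    """Defensive check to run after any failover: hostnames whose public
    record bypasses the proxy and so receives attack traffic directly."""
    return sorted(h for h, ip in zone.items() if record_exposes_origin(ip))


if __name__ == "__main__":
    for name, fo in (("DNS repoint", failover_by_dns),
                     ("origin swap", failover_behind_proxy)):
        z, p = fo(*initial_state())
        print(f"{name}: traffic path {where_traffic_lands(z, p, HOST)}, "
              f"exposed records {audit_zone(z)}")
```

With the DNS repoint, the path collapses to `['105.2.3.4']` and the audit lists the hostname: the backup now takes the flood unshielded, which is exactly the scenario the question worries about. With the origin swap the path stays `['198.51.100.10', '105.2.3.4']`, so the attacking clients still terminate at the proxy and the read-only mirror only sees what the proxy forwards. The audit function is the part worth keeping in a real automation: run it against the live zone after every change, and treat any hostname it returns as a regression.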