CDN, WAF, WAAP... What do you use?

gamesover

James Moberg

Posted on September 20, 2024

CDN, WAF, WAAP... What do you use?

In the early 2000s, many of our customers still viewed the internet as a passing trend. During this period, we operated a ColdFusion 4.5 (or 5) web application on a Windows server utilizing an Access database. Initially, we relied on a dedicated T1 connection. Over time, we upgraded to a dual T1 setup and subsequently became pioneers in our region by adopting fiber optic technology. However, due to power supply issues in California, we decided to move our servers to a dedicated facility in the San Jose area. (This shift is a tale for another occasion.)

One notable experience involved a political website for a college that we managed and hosted. After being featured on MTV, the resulting surge in traffic overwhelmed our T1 connection, rendering access to anything else impossible. Despite the challenges, we persevered through the ordeal.

Fast forward 10-15 years, and we faced a similar issue, but this time it was far more serious and lasted a couple of days. One of our websites became the target of a massive Ransom DDoS (RDDoS) attack that overwhelmed our upstream partner (1 Gbps bandwidth) and blocked traffic to our servers. Although our servers were accessible through a VPN, they were not publicly reachable via HTTP/S. In an effort to protect ourselves, we mistakenly believed we could disable the target IP and assign a new one through DNS. This strategy had no effect and only prompted the attackers to redirect even more traffic to our IPs while sending mocking emails about our futile attempts.

This experience served as a harsh wake-up call, and we gained valuable insights from it (and we're still learning). Our key takeaway was that to prevent similar issues in the future, our*website's origin IP must remain hidden from public access*. We collaborated with a cloud-based DDoS provider, and after numerous DNS updates and server adjustments, we ensured that all our websites are now accessible only through this provider. Our partnership was going well until the provider changed their terms, discontinued their CDN services, and ultimately went bankrupt. Fortunately, we swiftly migrated all routing to Edgio and moved our static resources to Bunny CDN.

CloudFlare is another popular option, but your mileage may vary depending on the quantity of projects that you need to protect and amount of traffic you receive. It was one of the services that we compared before choosing Edgio.

What third-party services do you use to protect your web applications? Let me know in the comments below.

Edgio

Edgio has 250 Tbps of bandwidth capacity and is one of the only edge platforms in the market to provide fully comprehensive application security and L3/4/7 DDoS protection, supported by their managed security team and 24×7 SOC.

Edgio Prevents Massive DDoS Attack - June 22, 2022

Edgio representatives recently discussed our "cache/hit ratio" with us, indicating it was quite poor and shared some suggestions. However, this concern turned out to be a false positive, as all static website resources (which should be cached) are delivered through the Bunny CDN network. The only traffic that passes through the Edgio WAAP consists of document and API requests.

Bunny CDN

Bunny CDN is exceptionally user-friendly and simple to set up. Their API allows us to effortlessly purge cache items. We implement URL rewrites to embed hashes in our resource file paths, ensuring that updated files are promptly cached anew, distinct from previous URLs. While conventional wisdom suggests appending cache busters as parameters to URLs, this method lacks consistent efficacy. Bunny CDN features pay-as-you-go pricing. Explore their offerings and evaluate them against alternative services.

💖 💪 🙅 🚩
gamesover
James Moberg

Posted on September 20, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related