NDSS2016

CDN-on-Demand: An affordable DDoS Defense via Untrusted Clouds

Yossi Gilad, Amir Herzberg, Michael Sudkovitch, Michael Goberman

Cited 59 times

Abstract

We present CDN-on-Demand, a software-based defense that administrators of small to medium websites install to resist powerful DDoS attacks, at a fraction of the cost of comparable commercial CDN services. Upon excessive load, CDN-on-Demand serves clients from a scalable set of proxies that it automatically deploys on multiple IaaS cloud providers. CDN-on-Demand can use less expensive and less trusted clouds to minimize costs. This is facilitated by clientless secure-objects, a new mechanism we present. This mechanism avoids trusting the hosts with private keys or user data, yet does not require installing new client programs. CDN-on-Demand also introduces the origin-connectivity mechanism, which ensures that essential communication with the content-origin remains possible even under severe DoS attacks. A critical feature of CDN-on-Demand is easy deployment. We introduce the origin-gateway module, which deploys CDN-on-Demand automatically and transparently, i.e., without changes to web-server configuration or website content. We implement CDN-on-Demand and evaluate each component separately as well as the complete system.

Footnote 1: We use the method in [24] to identify whether a website uses a CDN: we query for its A and AAAA DNS records and check whether (1) the records point, via a canonical name (CNAME), to a CDN, or (2) the website delegates DNS queries for its domain to a CDN's name server using an NS record; and (3) we retrieve the homepage of the website and check whether it obtains web-objects from one of the popular CDNs.

Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.
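The three checks in footnote 1 (CNAME chain into a CDN domain, NS delegation to a CDN name server, and homepage objects served from a CDN host), as an added illustration that is not code from the paper or from [24]. It operates on DNS data that has already been resolved and a homepage that has already been fetched, so it runs offline; the CDN domain suffixes and the sample records are constructed, and combining the three checks as "any of them triggers" is an assumption, since the footnote does not spell out the exact rule.

```python
"""Added example: the CDN-usage heuristic of footnote 1 applied to
pre-resolved DNS data and a fetched homepage. Not code from the paper."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed list of CDN domain suffixes (placeholders, not real CDNs);
# a real survey would use a curated list of popular CDN domains.
CDN_SUFFIXES = ("cdn-example.net", "edge-example.com")


def _matches_cdn(hostname):
    """True if hostname equals, or is a subdomain of, a known CDN suffix."""
    host = hostname.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in CDN_SUFFIXES)


def cname_points_to_cdn(cname_chain):
    """Check (1): any target in the CNAME chain returned by the A/AAAA
    lookup lands inside a CDN domain."""
    return any(_matches_cdn(target) for target in cname_chain)


def ns_delegated_to_cdn(ns_records):
    """Check (2): the zone's NS records name a CDN-operated name server."""
    return any(_matches_cdn(ns) for ns in ns_records)


class _ResourceHosts(HTMLParser):
    """Collect hostnames of every src/href reference on the page."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                host = urlsplit(value).hostname  # None for relative URLs
                if host:
                    self.hosts.add(host)


def homepage_objects_from_cdn(html):
    """Check (3): the homepage embeds web-objects served from a CDN host."""
    parser = _ResourceHosts()
    parser.feed(html)
    return any(_matches_cdn(h) for h in parser.hosts)


def classify_cdn_usage(cname_chain, ns_records, html):
    """Run all three checks and report each plus the combined verdict.
    Combining as any-of is an assumption made for this example."""
    result = {
        "cname": cname_points_to_cdn(cname_chain),
        "ns": ns_delegated_to_cdn(ns_records),
        "homepage": homepage_objects_from_cdn(html),
    }
    result["uses_cdn"] = any(result.values())
    return result


# Constructed sample inputs standing in for a live lookup and fetch.
SAMPLE_CNAME_CHAIN = ["www.example-site.test.", "a1b2.cdn-example.net."]
SAMPLE_NS = ["ns1.example-site.test.", "ns2.example-site.test."]
SAMPLE_HTML = (
    '<html><head><script src="https://static.cdn-example.net/app.js">'
    '</script></head><body><img src="/logo.png"></body></html>'
)

if __name__ == "__main__":
    print(classify_cdn_usage(SAMPLE_CNAME_CHAIN, SAMPLE_NS, SAMPLE_HTML))
```

In a real measurement the CNAME chain and NS set would come from a resolver (following each CNAME until an address record), and the homepage from an HTTP fetch; the functions above only need the resulting strings.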