In the previous lecture, we covered what a CDN is and how it's used to protect you against DDoS attacks. In this lecture, we are going to take a more practical approach. I'm going to explain to you three different methods that are used by CDN providers, and I'm going to mention the advantages and disadvantages of each and every method, so that at the end of this lecture you will have a clear understanding of whether a CDN can protect your particular system against DDoS or not. Here are the three methods.
The first one is DNS-based. The second one is ASN-based shared tunneling, like GRE tunneling, and the third one is direct tunneling, for example L2TP tunneling. Let's start with the DNS-based solution. What that is, basically, is that in this scenario your CDN provider acts like your proxy. In other words, all the web traffic and DNS queries go through your CDN provider
before they reach your origin server, and therefore your incoming web traffic is protected by your CDN provider. Now, the advantages: it is the cheapest solution among the three, and it's quite easy to implement. You just need to delegate the management of your DNS queries to your CDN provider, and basically they will take care of the rest. They will take care of all DNS and web queries that your server will receive from that moment on. However, the disadvantages: it protects only web and DNS traffic.
In other words, regarding all the other kinds of attack vectors that we have covered so far, you won't be protected against any of them, because it doesn't protect your origin IP below the application layer. Anybody with a reverse lookup or similar tool can find out your origin IP, and instead of trying to reach your server via your domain name, they can directly reach your IP address. In that case, it will again be your responsibility to protect yourself against such attacks, not your CDN's. This is what is meant by "doesn't hide your origin IP". Plus, it doesn't work with other application layer protocols like RTP.
To explain it more visually, suppose that a user here wants to reach your origin, your website. This edge server of the CDN will still provide the content, and if he decides to try to attack you on the application layer with some HTTP or DNS requests, again, these attacks can be mitigated here at the CDN. However, if the attacker finds out your origin and decides to directly attack your IP, then you will be unprotected; you will have to take care of it by yourself. This is the drawback of the DNS-based approach. The solution for that is ASN-based shared tunneling. ASN stands for autonomous system number. In this scenario, it's impossible to directly reach your server, because here your CDN provider will announce your origin IP addresses as part of its own ASN. So, even if somebody finds out your origin IP, this traffic will have to go through the CDN's network.
In other words, even if they decide to attack your origin IP directly, there will be no way that you will receive this traffic directly. All of the packets, regardless of whether it is an application layer packet, a transport layer packet, or an internet layer packet, will have to go through the CDN's network. As a result, the next advantage is that it is not limited to application layer protocols like web or DNS. It can protect you against anything, like SYN floods or any kind of network or internet layer DDoS attack. Disadvantages: there might be configuration issues, because the configuration is not straightforward in that case. Plus, it's a more expensive solution, and the quality of the network depends on the quality of the tunnel.
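As an added example, not part of the lecture, here is a small Python check a defender can run over an export of their own DNS zone: it flags records that still reveal the origin IP when using the DNS-based mode, and models why the ASN-based mode closes that gap, since the origin prefix is then among the prefixes the CDN announces. All addresses, prefixes and records below are constructed.

```python
import ipaddress

# Constructed sample data (not from the lecture). In practice you would load your
# CDN provider's published edge prefixes and an export of your own DNS zone.
CDN_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]
ORIGIN_IP = ipaddress.ip_address("192.0.2.10")
ORIGIN_PREFIX = ipaddress.ip_network("192.0.2.0/24")  # what an ASN-based CDN would announce for you

# Constructed zone snapshot: (name, type, value). The web records are proxied through
# the CDN, but a mail host record and an SPF record still name the origin address.
DNS_RECORDS = [
    ("www.example.com", "A", "203.0.113.7"),
    ("example.com", "A", "203.0.113.7"),
    ("mail.example.com", "A", "192.0.2.10"),
    ("example.com", "TXT", "v=spf1 ip4:192.0.2.10 -all"),
]


def covered_by(ip, prefixes):
    """True if ip falls inside any of the given network prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def find_origin_leaks(records, origin_ip, cdn_prefixes):
    """Return the records whose data reveals the origin IP outside the CDN's
    address space. With a DNS-based CDN each of these lets traffic bypass the
    proxy and hit the origin directly, which the lecture calls 'doesn't hide
    your origin IP'."""
    leaks = []
    for name, rtype, value in records:
        if rtype == "A":
            if ipaddress.ip_address(value) == origin_ip and not covered_by(value, cdn_prefixes):
                leaks.append((name, rtype, value))
        elif rtype in ("TXT", "CNAME") and str(origin_ip) in value:
            leaks.append((name, rtype, value))
    return leaks


def origin_directly_reachable(origin_ip, announced_prefixes):
    """Model the routing difference between the modes: the origin is shielded
    below the application layer only when its prefix is among the prefixes the
    CDN itself announces (ASN-based or direct tunneling). In the DNS-based mode
    the CDN announces only its own edge prefixes."""
    return not covered_by(origin_ip, announced_prefixes)


if __name__ == "__main__":
    for rec in find_origin_leaks(DNS_RECORDS, ORIGIN_IP, CDN_PREFIXES):
        print("origin exposed by DNS record:", rec)
    print("DNS-based mode, origin reachable directly:",
          origin_directly_reachable(ORIGIN_IP, CDN_PREFIXES))
    print("ASN-based mode, origin reachable directly:",
          origin_directly_reachable(ORIGIN_IP, CDN_PREFIXES + [ORIGIN_PREFIX]))
```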
Here, the thing is, since you're sharing the bandwidth with other clients, in a way you depend on the other clients of the CDN as well. Therefore, even though your tunnel is dedicated only to you, like through a GRE tunnel, for instance, you might still encounter network issues due to the bandwidth, which can take the tunnels down. Another thing to remember, which is actually not written here, is that even though the incoming traffic will go through your CDN provider (let's say this is your origin, and this is the client), so even though all the traffic will go through the CDN to you, the outgoing traffic will go directly to the client. In other words, you're protected against the DDoS attacks, which is fine.
However, you still connect directly to the client when you're sending responses to those packets. Actually, this is not a big issue when it comes to DDoS, because DDoS, as you know, is all about the incoming traffic. I just wanted to mention this as a footnote, so that you will be aware of this direct connection before choosing the ASN-based solution. The final one is direct tunneling. This is a dedicated tunnel and dedicated bandwidth provided for you by your CDN provider, so you're not sharing anything with anybody in this case.
Again, this can protect against multiple protocols, and in this case the quality of the channel is guaranteed by your CDN. But the disadvantage is, basically, that it's even more expensive; in most cases it's actually too expensive. So for small and medium enterprises, it wouldn't make any sense at all.