The False Sense of Security
You've deployed Cloudflare. Or Akamai. Maybe AWS CloudFront. Your security team checked the box: "DDoS protection - done."
But here's what nobody tells you: CDN protection only works if attackers can't find your origin servers.
And they almost always can.
The Origin IP Problem
When you put a CDN in front of your infrastructure, traffic flows like this:
User → CDN (protected) → Origin Server
The CDN absorbs DDoS attacks, filters malicious requests, and caches content. Perfect, right?
Wrong. Here's what actually happens:
Attacker → DNS History → Origin IP → Direct Attack (bypasses CDN)
How Attackers Find Your Origin
- Historical DNS Records: Services like SecurityTrails archive every DNS record ever published. Changed your IP after adding a CDN? The old one is still in the history.
- SSL Certificate Transparency: When you request an SSL certificate, it's logged publicly. These logs often contain origin IP addresses.
- Email Headers: If your server sends email, those emails contain your origin IP in the headers.
- Subdomain Leakage: Your main site is behind Cloudflare, but is staging.example.com? What about api-internal.example.com?
- Cloud Metadata: AWS, Azure, and GCP instances have predictable IP ranges. Attackers scan these looking for your application signatures.
Real-World Impact
We analyzed 500 enterprise domains with CDN protection. The results were concerning:
| Finding | Percentage |
|---|---|
| Origin IP discoverable | 73% |
| Direct origin access possible | 61% |
| No origin IP whitelisting | 84% |
| Multiple unprotected subdomains | 67% |
73% of CDN-protected sites had discoverable origin IPs. This means an attacker can bypass millions of dollars in CDN infrastructure with a simple origin-focused attack.
Case Study: The $2M Outage
A fintech company invested heavily in DDoS protection:
- Enterprise Cloudflare plan ($50K/year)
- AWS Shield Advanced ($36K/year)
- Dedicated security team (3 FTEs)
They still went down for 4 hours during a DDoS attack.
What happened? Attackers found an old IP address in historical DNS records. The origin server was an unprotected AWS EC2 instance. A 50 Gbps attack directly to the origin bypassed all their expensive protections.
Cost of the outage: $2M in lost transactions, plus regulatory scrutiny.
The Solution: Attack Surface Visibility
Protecting against DDoS isn't just about buying a CDN. It requires:
1. Complete Asset Discovery
You can't protect what you don't know exists. Every subdomain, every IP, every cloud resource needs to be inventoried.
Assets you know about:
- www.example.com

Assets attackers find:
- staging.example.com
- api-internal.example.com
- legacy.example.com
- dev.example.com
- mail.example.com

2. Origin IP Protection
Once you know your attack surface, lock it down:
```bash
# Only allow CDN IPs to reach the origin on 443; everything else is dropped.
# Fetch the list first and abort if the download fails, otherwise an empty
# list would leave only the DROP rule and block all traffic. Re-run this
# whenever the CDN publishes new ranges.
ranges=$(curl -fsS https://www.cloudflare.com/ips-v4) || exit 1
for ip in $ranges; do
  iptables -A INPUT -p tcp -s "$ip" --dport 443 -j ACCEPT
done
iptables -A INPUT -p tcp --dport 443 -j DROP
```
3. Continuous Monitoring
Attack surfaces change. New subdomains get created. New services get deployed. What's protected today might be exposed tomorrow.
Action Items
If you have CDN protection, here's your checklist:
- Audit all subdomains for CDN coverage
- Check historical DNS records for your domains
- Review SSL certificate transparency logs
- Whitelist only CDN IPs at your origin
- Use Cloudflare Tunnel or authenticated origin pulls
- Set up monitoring for new subdomain creation
- Test your protections with origin-focused simulations
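The first and fourth checklist items (subdomain coverage audit, CDN-only access at the origin) both come down to one question: is a given address inside the CDN's published ranges? The following is an added example, not code from the article or from DDactic; the CDN ranges and resolver answers are constructed placeholders (documentation prefixes), and in practice you would load the CDN's current published list and resolve your inventory live.

```python
"""Origin-exposure audit plus origin-side peer check against CDN ranges."""
import ipaddress
from typing import Dict, List, Optional

# Constructed stand-in for a CDN's published ranges (assumption for the demo).
CDN_RANGES = [ipaddress.ip_network(c) for c in (
    "203.0.113.0/24",   # TEST-NET-3, plays the role of CDN edge IPv4 space
    "2001:db8:1::/48",  # documentation prefix, plays the role of edge IPv6 space
)]

# Constructed inventory: hostname -> A/AAAA records a resolver returned.
RESOLVED = {
    "www.example.com":          ["203.0.113.10", "2001:db8:1::10"],
    "staging.example.com":      ["198.51.100.7"],
    "api-internal.example.com": ["198.51.100.8"],
    "mail.example.com":         ["203.0.113.20", "198.51.100.9"],
}


def is_cdn_ip(addr: str, ranges=CDN_RANGES) -> bool:
    """True if addr (v4 or v6) falls inside any CDN range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)


def exposed_hosts(resolved: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return hosts that leak an origin: any record outside the CDN ranges.

    A host only counts as covered when every record points at the CDN; a
    single stray A/AAAA record (mail.example.com here) is enough to expose it.
    """
    return {
        host: [a for a in addrs if not is_cdn_ip(a)]
        for host, addrs in resolved.items()
        if any(not is_cdn_ip(a) for a in addrs)
    }


def client_ip(peer: str, forwarded: Optional[str]) -> Optional[str]:
    """Origin-side check for a request: peer is the TCP source address,
    forwarded is the client IP header the CDN sets (e.g. CF-Connecting-IP).

    Returns None when the connection did not come through the CDN, so the
    origin should reject it; only for CDN peers is the header trustworthy.
    """
    if not is_cdn_ip(peer):
        return None
    return forwarded or peer
```

Feed `exposed_hosts` the output of your subdomain enumeration and the real CDN list to get the "assets attackers find" column from section 1; `client_ip` is the application-level complement to the iptables allowlist in section 2.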
Conclusion
A CDN is a critical layer of DDoS protection—but it's not the complete picture. Without origin protection, you're paying for a shield that attackers can simply walk around.
The question isn't whether your CDN is good enough. The question is: can attackers find your origin?
If the answer is yes, your CDN investment might be worthless.
Discover Your True Attack Surface
DDactic helps organizations find hidden vulnerabilities and validate their DDoS protections before attackers do.