Last updated: May 1, 2026
A CDN started as a content-acceleration play in the 1990s. By 2026 it is also the DDoS shield, the WAF, the bot-mitigation layer, and increasingly the identity-aware proxy in front of your origin. This module walks the architecture, the categories of DDoS attacks, the modern provider landscape, and how an Indian enterprise should size its DDoS posture under DPDP, RBI, SEBI, and IRDAI scrutiny.
CDN architecture — anycast, edge caching, and the origin shield
A CDN runs hundreds of edge data centres globally. Anycast announces the same IP from every edge location; BGP routes each user to the topologically closest one. The user-facing IP is the CDN’s; the origin (your real server) is hidden.
Edge caching: static content (CSS, JS, images, video) is cached at edges with TTLs set by HTTP cache headers. Dynamic content (HTML, API responses) is increasingly cacheable at the edge too, via cache keys and stale-while-revalidate.
Origin shield: a single intermediate cache between edges and origin reduces origin load when a popular asset is requested across many edges.
Implications for security: your origin IP must remain confidential, because direct connections bypass the CDN. Egress IPs of the CDN must be allow-listed at origin (Cloudflare publishes IP ranges; AWS CloudFront publishes ranges; etc.). Cert pinning between CDN and origin (mTLS via Cloudflare’s “Authenticated Origin Pulls”) makes CDN bypass infeasible for an attacker even if the origin IP leaks.
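As an added example (not code from the original module or from any CDN vendor), the origin-side half of that advice: decide whether a connecting address is inside the CDN’s published egress ranges, and render the nginx allow-list plus client-certificate enforcement that turns the rule into configuration. The CIDRs are constructed placeholders from the documentation ranges, not a real provider list, and the CA path is an assumed location for the CDN’s origin-pull certificate.

```python
# Added example, not from the original module: origin allow-listing of CDN
# egress ranges plus mTLS enforcement rendered as nginx directives.
# The CIDRs below are CONSTRUCTED placeholders (documentation prefixes);
# replace them with the ranges your provider publishes.
import ipaddress
from typing import Iterable

SAMPLE_CDN_RANGES = [
    "203.0.113.0/24",     # TEST-NET-3, stands in for a CDN egress range
    "198.51.100.0/25",    # TEST-NET-2, placeholder
    "2001:db8:100::/48",  # documentation prefix, placeholder
]


def parse_ranges(cidrs: Iterable[str]):
    """Parse CIDR strings once; a malformed entry raises instead of silently matching nothing."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_from_cdn(client_ip: str, networks) -> bool:
    """True when the connecting address falls inside a published CDN range.
    ipaddress never matches a v4 address against a v6 network (or vice versa)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def nginx_origin_acl(cidrs: Iterable[str],
                     origin_pull_ca: str = "/etc/nginx/cdn-origin-pull-ca.pem") -> str:
    """Render a server-level allow-list and client-cert check for the origin.
    origin_pull_ca is an ASSUMED path: it should hold the CA your CDN uses for
    authenticated origin pulls, which is what defeats bypass once the IP leaks."""
    lines = ["# allow only CDN egress ranges; anything else is a bypass attempt"]
    lines += [f"allow {c};" for c in cidrs]
    lines += [
        "deny all;",
        "",
        "# require the CDN's client certificate on every origin pull",
        "ssl_verify_client on;",
        f"ssl_client_certificate {origin_pull_ca};",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_CDN_RANGES)
    for ip in ["203.0.113.77", "198.51.100.200", "192.0.2.10", "2001:db8:100::1"]:
        print(ip, "cdn" if is_from_cdn(ip, nets) else "DIRECT -> deny and alert")
    print(nginx_origin_acl(SAMPLE_CDN_RANGES))
```

Note that 198.51.100.200 is rejected even though 198.51.100.0/25 is allow-listed: the /25 ends at .127, which is exactly the kind of off-by-one an allow-list built by hand gets wrong. Regenerate the directives from the provider’s current list on a schedule rather than editing them manually.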
DDoS — the four categories and their countermeasures
Volumetric (Layer 3/4): amplification attacks (DNS, NTP, memcached) and IoT botnets (Mirai successors) flood with hundreds of Gbps to terabits. Defended by anycast capacity (the bigger the network, the more it absorbs) and BGP Flowspec / scrubbing centres. The 2.5 Tbps attack on Google in 2022, 26 Mrps (million requests per second) on Cloudflare in 2023, the 7.3 Tbps on Microsoft in 2024: public records of how this category keeps escalating.
Protocol: SYN floods, ACK floods, fragmented-packet attacks targeting state tables. Defended by SYN cookies, connection rate limits, and stateful firewalls scaled appropriately.
Application (Layer 7): HTTP floods of computationally expensive endpoints (search, login). Defended by rate limits, JS challenge, CAPTCHA, and behavioural bot fingerprinting.
Bot/credential: distributed credential stuffing, scraping, click fraud. Defended by bot-management products (Cloudflare Bot Management, Akamai Bot Manager, Datadome, hCaptcha, Arkose).
The modern provider landscape — who does what well
Cloudflare: strongest at L7 + bot management + Workers (edge compute); the default for SaaS and developer-tier customers; Indian PoP coverage strong.
Akamai: strongest at large-enterprise content delivery + scrubbing for the largest attacks; legacy of bank/government deployments; multiple Indian sites.
AWS CloudFront + Shield Advanced: best fit if your origin is AWS; integrated with WAF + Route 53; Shield Advanced is the upgrade for DDoS response.
Fastly: developer-friendly, programmable VCL, strong real-time analytics.
Imperva: strong WAF + DDoS heritage, common in BFSI.
Indian providers: Sify, Tata Communications, and Airtel offer scrubbing services, often paired with on-prem appliance solutions; useful for specific sovereignty / latency requirements, but absorbing capacity is generally smaller than the global majors.
Choosing: combine a global CDN/DDoS provider with a regional scrubbing partner if your business demands strict India sovereignty.
WAF rules — defence-in-depth at the edge
The CDN edge is the natural home for WAF rules: every request flows through it, latency is low (rules execute at the same PoP), and rules can be updated globally in seconds.
What modern edge WAFs do: signature-based (OWASP CRS or vendor-managed), behavioural (rate limit per IP / cookie / fingerprint), reputation-based (block known-bad IPs from threat intel), virtual patching (block specific exploit patterns for unpatched apps), bot management (JS challenge, behavioural fingerprinting).
Tuning: deploy in monitor mode for 30-60 days; review false positives daily; promote rules to enforce as confidence grows.
Attack surface visibility: WAF logs are gold for security operations; every blocked attempt is a signal of attacker reconnaissance. Pipe WAF logs to your SIEM with the same enthusiasm as authentication logs.
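The behavioural rate limit from the list above and the monitor-then-enforce tuning cycle, as an added example that is not code from the original module or from any WAF vendor. It is a token-bucket limiter keyed by whatever identity the edge uses (IP, cookie, TLS fingerprint); in monitor mode a decision that would have blocked is only counted, so the daily false-positive review can run before the rule is promoted. Class names, rates and thresholds are assumptions chosen for illustration.

```python
# Added example, not from the original module: token-bucket rate limit with a
# monitor/enforce switch, keyed by an arbitrary client identity string.
from dataclasses import dataclass, field


@dataclass
class Bucket:
    tokens: float  # remaining allowance
    last: float    # timestamp of the previous refill


@dataclass
class EdgeRateLimit:
    rate: float             # tokens refilled per second
    burst: int              # bucket capacity (allowed burst size)
    mode: str = "monitor"   # "monitor" counts would-be blocks; "enforce" blocks
    buckets: dict = field(default_factory=dict)
    would_block: dict = field(default_factory=dict)  # key -> count for daily review

    def check(self, key: str, now: float) -> str:
        """Return 'allow', 'block' (enforce mode) or 'monitor' (would have blocked)."""
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(tokens=float(self.burst), last=now)
        # refill proportional to elapsed time, never above the burst capacity
        b.tokens = min(float(self.burst), b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return "allow"
        self.would_block[key] = self.would_block.get(key, 0) + 1
        return "block" if self.mode == "enforce" else "monitor"

    def review(self, min_hits: int = 1):
        """Keys that tripped the rule at least min_hits times: the false-positive review list."""
        return sorted((k, n) for k, n in self.would_block.items() if n >= min_hits)


if __name__ == "__main__":
    # constructed scenario: a login endpoint limited to 1 request/s with a burst of 5
    rl = EdgeRateLimit(rate=1.0, burst=5, mode="monitor")
    decisions = [rl.check("ip:198.51.100.7", 0.0) for _ in range(20)]  # burst at t=0
    print("monitor mode:", {d: decisions.count(d) for d in set(decisions)})
    print("review list:", rl.review())
    rl.mode = "enforce"
    print("t=0.5s:", rl.check("ip:198.51.100.7", 0.5))  # only half a token refilled
    print("t=2.0s:", rl.check("ip:198.51.100.7", 2.0))  # enough refill to pass again
```

The review list is the artefact the tuning step needs: a key that appears there every day with a handful of hits is usually a mobile app, a monitoring probe or a partner integration that deserves an allowlist entry, while a key with hundreds of hits is the traffic the rule exists for.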
Bot management — the post-WAF battleground
Once basic WAF rules are in place, sophisticated attackers shift to bots that look like browsers. Bot management defends against credential stuffing, scraping, fake account creation, ticket scalping, click fraud.
Detection signals: TLS fingerprint (JA3/JA4), HTTP/2 settings fingerprint, browser canvas fingerprints, mouse/touch behaviour, IP reputation, ASN clustering, login-velocity patterns.
Vendor approaches: Cloudflare Bot Management uses ML-trained signal blends; Datadome operates similarly; hCaptcha and Arkose offer interactive challenges; Imperva Advanced Bot Protection blends signature + behavioural.
Operational reality: bot management requires tuning (legitimate API clients, mobile apps, and payment-processor health checks all look bot-like). Plan for an ops cycle of false-positive tuning, allowlists for known partners, and explicit monitoring of “blocked legitimate traffic”.
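An added example (not code from the original module or from any bot-management vendor) of how the signals above blend into one score with an escalating response, and of the two operational guard-rails just described: an allowlist for known partners and a running count of blocked legitimate traffic. The JA3 hash, the ASNs, the client identifiers and the weights are constructed placeholders; a real deployment feeds these from the vendor’s fingerprint and reputation data.

```python
# Added example, not from the original module: additive bot score with
# allow -> challenge -> block escalation, partner allowlist, and a
# "blocked legitimate traffic" counter. All identifiers are CONSTRUCTED.
from dataclasses import dataclass


@dataclass
class RequestSignals:
    ja3: str                  # TLS client fingerprint
    asn: int                  # origin autonomous system
    user_agent: str
    logins_last_minute: int   # velocity for this account/IP pair
    human_input_seen: bool    # mouse/touch events reported by the page script
    client_id: str = ""       # API key or app identity, if presented


KNOWN_BOT_JA3 = {"deadbeef00000000000000000000dead"}           # constructed
DATACENTRE_ASNS = {64500, 64501}                                # private-use ASNs as stand-ins
ALLOWED_CLIENTS = {"partner-psp-healthcheck", "mobile-app-v7"}  # constructed partner identities
BROWSER_TOKENS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/")


def score_request(s: RequestSignals) -> int:
    """Each signal is weak on its own; the blend is what separates bots from people."""
    score = 0
    if s.ja3 in KNOWN_BOT_JA3:
        score += 40
    if s.asn in DATACENTRE_ASNS:
        score += 20
    if not s.user_agent.startswith(BROWSER_TOKENS):
        score += 15
    if s.logins_last_minute > 10:
        score += 30
    if not s.human_input_seen:
        score += 10
    return score


def decide(s: RequestSignals) -> str:
    """Known partners bypass scoring; everyone else escalates as the score rises."""
    if s.client_id in ALLOWED_CLIENTS:
        return "allow"
    score = score_request(s)
    if score >= 70:
        return "block"
    if score >= 40:
        return "challenge"
    return "allow"


class FalsePositiveLog:
    """Counts challenge/block decisions later confirmed legitimate (by support
    tickets or partner complaints); the ratio is the metric the ops cycle watches."""

    def __init__(self):
        self.total = 0
        self.legit = 0

    def record(self, decision: str, later_confirmed_legit: bool) -> None:
        if decision in ("challenge", "block"):
            self.total += 1
            if later_confirmed_legit:
                self.legit += 1

    def rate(self) -> float:
        return self.legit / self.total if self.total else 0.0


if __name__ == "__main__":
    stuffing = RequestSignals("deadbeef00000000000000000000dead", 64500,
                              "python-requests/2.31", 50, False)
    healthcheck = RequestSignals("0000", 64501, "curl/8.5", 0, False,
                                 client_id="partner-psp-healthcheck")
    odd_but_human = RequestSignals("1111", 64500, "curl/8.5", 1, False)
    for label, s in [("stuffing", stuffing), ("healthcheck", healthcheck), ("odd", odd_but_human)]:
        print(label, score_request(s), decide(s))
```

The health check is the case the operational note is about: on signals alone it scores as a bot (data-centre ASN, curl, no human input), and only the allowlist keeps a payment processor’s probe from being blocked.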
Origin protection — the missing piece
A CDN protects what flows through it. Direct connections to the origin IP bypass everything. Origin protection patterns:
Indian context — DPDP, RBI, BFSI considerations
Several Indian regulators expect specific CDN/DDoS practices: RBI Cyber Security Framework (Annex 1) and SEBI CSCRF expect “DDoS protection” with documented response procedures. BFSI typically requires either premium provider (Akamai Prolexic, Cloudflare Magic Transit, AWS Shield Advanced) or bilateral arrangement with ISP for emergency scrubbing.
DPDP / data residency: edge caching of user data triggers data-residency questions. Most major CDNs operate Indian PoPs (Cloudflare in 5+ Indian cities, Akamai 10+); ensure cached PII does not leave India unless your privacy notice covers it.
CERT-In 2022 directive: log-retention requirements apply to CDN/DDoS providers serving Indian users; verify your provider can meet your retention SLA.
Service-availability obligations: 99.9%+ uptime is now table stakes for fintech; CDN selection meaningfully affects availability KPIs.
Magic Transit, BGP-on-demand, and L3 protection
Pure CDN protects what flows through HTTP. For non-HTTP services (gaming servers, custom protocols, DNS auth servers), CDN is not an answer. Cloudflare Magic Transit, Akamai Prolexic, AWS Shield + Global Accelerator offer L3 BGP-based protection: announce your IPs from the provider’s anycast network; legitimate traffic flows through; DDoS is filtered at scale.
How it works: BGP magic. Your provider announces your prefix more specifically (or you announce only via them), so all traffic to your IPs hits their scrubbing infrastructure first. They forward clean traffic to you over a tunnel (GRE, IPsec, or direct fibre).
When to consider: your business depends on non-HTTP services, or your origin handles >100 Gbps and needs anycast scale.
Cost: substantial. Typical pricing is per-Gbps committed plus per-event surcharges.
For Indian BFSI: payment processors and exchanges with non-HTTP protocol interfaces (FIX, ISO 8583) are the typical use case.
Bot operators and the cat-and-mouse — what real attacks look like
Modern bot operators are sophisticated: residential-IP proxy networks (Bright Data, Smart Proxy) launder requests through real consumer ISPs, defeating IP reputation. Browser fingerprinting evasion uses headless Chrome with anti-detection patches. Session simulation includes mouse movements and dwell times. Defenders respond with TLS-fingerprinting (JA3/JA4), HTTP/2 fingerprinting, behavioural ML scoring (account aging, transaction velocity), and challenge-response tests that escalate when scores cross thresholds.
The reality for Indian e-commerce, ticketing, and BFSI: a sustained adversary with budget will eventually get through; the goal is to make it expensive enough that they go elsewhere. The metric that matters is cost per successful malicious transaction. If your defences make it cost the attacker more than the value extracted, you have economic security; if not, you do not.
DDoS playbook — what to do in the first 30 minutes
When a DDoS hits, calm execution beats panic. Pre-built playbook:
Minute 0-5: confirm DDoS (legitimate traffic spike vs malicious). Look at request patterns: an even distribution across geos points to DDoS; a single popular link driving a legitimate spike is success, not attack. Open the war-room channel (Slack/Teams); bring in SRE + security + comms.
Minute 5-15: enable provider DDoS mitigation (Cloudflare “Under Attack” mode, Akamai: engage the Prolexic team, AWS Shield Response). Activate WAF rules at the provider edge: rate limits, bot challenge, geo-block if appropriate.
Minute 15-25: coordinate with upstream. For L3 attacks beyond the CDN, BGP withdraw + announce a more-specific via the scrubbing partner. Open a ticket with the ISP for upstream rate limiting.
Minute 25-30: external comms (status page update, social media, customer notifications). Internal: exec briefing, customer-success heads-up.
Throughout: log everything; preserve evidence; capture attacker patterns for post-incident analysis.
For Indian BFSI under regulatory scrutiny: the 6-hour RBI material-incident reporting clock starts when business impact is material; document the start time accurately.
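The minute 0-5 triage, as an added example that is not code from the original module: two statistics over the last few minutes of edge logs, how evenly traffic is spread across countries and how much of it arrives without a referrer. A flood is typically spread across the world and carries no referrer; a viral link concentrates on the audience that shared it and arrives from the platform it was shared on. The request samples, the country list and the thresholds are constructed for illustration and should be calibrated against your own baseline.

```python
# Added example, not from the original module: classify a traffic spike as
# likely DDoS or likely legitimate from geo spread and referrer presence.
# Samples and thresholds are CONSTRUCTED for illustration.
from collections import Counter
from math import log2


def normalised_entropy(counts: Counter) -> float:
    """0.0 when one bucket holds everything, 1.0 when all buckets are equal."""
    total = sum(counts.values())
    if total == 0 or len(counts) < 2:
        return 0.0
    h = -sum((c / total) * log2(c / total) for c in counts.values())
    return h / log2(len(counts))


def triage_spike(requests, geo_even=0.9, referrer_missing=0.8):
    """requests: iterable of (country, path, referrer); '-' or '' means no referrer.
    Returns the statistics and a verdict: likely-ddos / likely-legit-spike / unclear."""
    reqs = list(requests)
    if not reqs:
        return {"verdict": "no-data"}
    geo = Counter(country for country, _, _ in reqs)
    paths = Counter(path for _, path, _ in reqs)
    missing = sum(1 for _, _, ref in reqs if ref in ("", "-")) / len(reqs)
    geo_h = normalised_entropy(geo)
    top_path, top_n = paths.most_common(1)[0]
    if geo_h >= geo_even and missing >= referrer_missing:
        verdict = "likely-ddos"
    elif missing <= 0.3:
        verdict = "likely-legit-spike"
    else:
        verdict = "unclear"
    return {
        "geo_entropy": round(geo_h, 3),
        "referrer_missing": round(missing, 3),
        "top_path": top_path,
        "top_path_share": round(top_n / len(reqs), 3),
        "verdict": verdict,
    }


# Constructed samples: an HTTP flood of /api/search from 20 countries with no
# referrer, and a launch post shared on a social platform, mostly from India.
COUNTRIES = ["IN", "US", "GB", "DE", "FR", "BR", "JP", "KR", "SG", "AU",
             "CA", "NL", "SE", "ZA", "MX", "ID", "VN", "TR", "PL", "IT"]
FLOOD = [(c, "/api/search", "-") for c in COUNTRIES for _ in range(10)]
VIRAL = ([("IN", "/blog/launch", "https://social.example/post/1")] * 150
         + [("US", "/blog/launch", "https://social.example/post/1")] * 30
         + [("GB", "/blog/launch", "-")] * 20)

if __name__ == "__main__":
    print("flood:", triage_spike(FLOOD))
    print("viral:", triage_spike(VIRAL))
```

Note that the top path is concentrated in both samples (an L7 flood aims at one expensive endpoint just as a viral link points at one page), which is why path concentration alone is not the discriminator; the geo spread and the missing referrers are.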
CDN purchase decision — what the procurement document should ask
When evaluating CDN/DDoS providers, the technical bake-off is half the work; the contracts and SLAs are the other half. Questions every procurement should answer:
Diagrams
User (Mumbai) User (Bengaluru) User (Delhi)
│ │ │
▼ (anycast → nearest) ▼ ▼
┌─────────┐ ┌─────────┐ ┌─────────┐
│ Edge BOM│ │ Edge BLR│ │ Edge DEL│
└────┬────┘ └────┬────┘ └────┬────┘
│ cache miss ──────┐ │ cache miss ─────┐ │ cache miss
▼ ▼ ▼ ▼ ▼
┌──────────────────────────────────────┐
│ Origin Shield (single mid-cache) │
└────────────────┬─────────────────────┘
│ cache miss
▼
┌──────────────────────────────────────┐
│ Origin server (your infrastructure) │
│ firewall: allow only CDN IP ranges │
│ mTLS: only requests with CDN cert │
└──────────────────────────────────────┘
Attack category        │ Countermeasures
───────────────────────┼─────────────────────────────────────────────
L3/L4 volumetric       │ Anycast capacity, BGP flowspec, scrubbing
(DNS amp, UDP)         │
───────────────────────┼─────────────────────────────────────────────
Protocol attacks       │ SYN cookies, conn rate limits, stateful FW
(SYN flood)            │
───────────────────────┼─────────────────────────────────────────────
L7 application         │ Rate limit, JS challenge, CAPTCHA
(HTTP flood)           │
───────────────────────┼─────────────────────────────────────────────
Bot / credential       │ Bot management, fingerprinting, ML scoring
(creds stuffing)       │
References & deeper reading
- Cloudflare DDoS protection
- Akamai Prolexic
- AWS Shield Advanced
- OWASP Core Rule Set (CRS)
- JA3/JA4 fingerprinting
- BGP Flowspec (RFC 8955)
- CERT-In 2022 directive
FAQ
Do small companies need DDoS protection?
In 2026, yes — minimum a Cloudflare-style free or low-cost CDN that absorbs L3/L4 attacks. Determined attackers will bypass anyway, but the random-script-kid floor is now too high to leave unprotected. The right framing: DDoS protection is a basic operational hygiene, not a luxury.
How big a DDoS can my provider absorb?
Cloudflare and Akamai publish multi-Tbps absorption capacity. AWS Shield Advanced + CloudFront similar. Most small/mid CDNs publish 1-2 Tbps. The right question is not just total capacity but “what happens during a sustained attack” — premium tiers buy you human DDoS response, not just automated mitigation.
Should I run my own scrubbing or use a provider?
For 99.9% of organisations, use a provider. On-prem scrubbing requires multi-Gbps capacity, BGP peering with upstream ISPs, 24/7 ops. Only the largest banks, telcos, and government infrastructure operate their own; everyone else gets better outcomes from a managed provider.
How do I prevent my origin IP from leaking?
Audit historical DNS records (Shodan, securitytrails.com), audit mail server IPs (sometimes published in MX), audit error pages (some leak server hostname), audit any non-CDN-fronted services on the same IP. Move every public service behind the CDN; use separate IPs for any non-CDN service.
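The audit in that answer, as an added example that is not code from the original module: run over a zone export merged with historical records, it flags every A/AAAA target outside the CDN’s ranges, every MX whose target resolves to a non-CDN address, and every non-CDN IP shared by more than one name (the “non-CDN-fronted service on the same IP” case). The zone records and the CDN ranges are constructed placeholders; the real inputs are your DNS export, a passive-DNS history export and the provider’s current range list.

```python
# Added example, not from the original module: origin-IP leak audit over a
# (CONSTRUCTED) zone export plus historical records.
import ipaddress

# Placeholder CDN ranges (documentation prefixes); replace with the provider's list.
CDN_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "2001:db8:100::/48")]

# Constructed zone export: (name, type, value, source).
# source "history" marks a record recovered from passive-DNS / historical data.
ZONE = [
    ("www.example.test",  "A",    "203.0.113.10",     "current"),
    ("example.test",      "AAAA", "2001:db8:100::5",  "current"),
    ("mail.example.test", "A",    "192.0.2.25",       "current"),  # MX target on the origin box
    ("example.test",      "MX",   "mail.example.test", "current"),
    ("dev.example.test",  "A",    "192.0.2.25",       "current"),  # dev site on the same IP
    ("old.example.test",  "A",    "192.0.2.25",       "history"),  # stale record from before the CDN
    ("api.example.test",  "A",    "203.0.113.44",     "current"),
]


def behind_cdn(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def audit_zone(zone):
    """Return findings as (name, type, value, source, reason) tuples."""
    ip_of = {name: value for name, rtype, value, _ in zone if rtype in ("A", "AAAA")}
    findings = []
    for name, rtype, value, source in zone:
        if rtype in ("A", "AAAA") and not behind_cdn(value):
            reason = ("stale record exposes a non-CDN IP" if source == "history"
                      else "non-CDN address")
            findings.append((name, rtype, value, source, reason))
        elif rtype == "MX" and value in ip_of and not behind_cdn(ip_of[value]):
            findings.append((name, rtype, value, source, "MX target resolves to non-CDN IP"))
    return findings


def shared_origin_ips(zone):
    """Non-CDN IPs used by more than one name: any one of those services reveals the origin."""
    by_ip = {}
    for name, rtype, value, _ in zone:
        if rtype in ("A", "AAAA"):
            by_ip.setdefault(value, set()).add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()
            if len(names) > 1 and not behind_cdn(ip)}


if __name__ == "__main__":
    for finding in audit_zone(ZONE):
        print("FINDING:", *finding)
    print("shared non-CDN IPs:", shared_origin_ips(ZONE))
```

The fix the answer prescribes follows directly from the output: the mail, dev and historical names all point at the same non-CDN address, so that address is the origin, and each of those services needs either to move behind the CDN or onto a separate IP.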
Is bot management worth the cost for a small site?
For login pages and signup forms, yes — credential stuffing affects every site eventually. The free tier of Cloudflare’s Bot Fight Mode + a strong password policy + breach-list checking covers most small sites. Premium bot management is justified when your business directly suffers from scraping (price comparison, content theft) or fraud (loyalty programmes, ticketing).
How do I know if I am being scraped?
Multiple signals: unusual traffic from data-centre ASNs, non-browser User-Agents, request patterns hitting paginated endpoints sequentially, depleting account-creation quotas. Most CDN/bot-management products surface these in dashboards. For SOCs without a bot-management product, log analysis on web access logs catches a lot.
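The log-analysis fallback from that answer, as an added example that is not code from the original module: it parses Combined Log Format lines, groups requests by client, and flags clients that walk a paginated endpoint in strict sequence, present a non-browser User-Agent, or originate from a data-centre ASN. The log lines are constructed, and the IP-to-ASN lookup is a stub dictionary standing in for a real ASN feed.

```python
# Added example, not from the original module: scraping signals from web
# access logs. Log lines are CONSTRUCTED; the ASN lookup is a stub.
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

DATACENTRE_ASN = {"198.51.100.9": 64500}  # constructed IP -> ASN stub (private-use ASN)
BROWSER_PREFIXES = ("Mozilla/",)

SAMPLE_LOG = """\
198.51.100.9 - - [01/May/2026:10:00:01 +0530] "GET /products?page=1 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.9 - - [01/May/2026:10:00:02 +0530] "GET /products?page=2 HTTP/1.1" 200 5133 "-" "python-requests/2.31"
198.51.100.9 - - [01/May/2026:10:00:03 +0530] "GET /products?page=3 HTTP/1.1" 200 5098 "-" "python-requests/2.31"
198.51.100.9 - - [01/May/2026:10:00:04 +0530] "GET /products?page=4 HTTP/1.1" 200 5101 "-" "python-requests/2.31"
192.0.2.77 - - [01/May/2026:10:00:05 +0530] "GET /products?page=1 HTTP/1.1" 200 5120 "https://example.test/" "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0"
192.0.2.77 - - [01/May/2026:10:00:40 +0530] "GET /products/42 HTTP/1.1" 200 8800 "https://example.test/products?page=1" "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0"
192.0.2.77 - - [01/May/2026:10:01:10 +0530] "GET /products?page=3 HTTP/1.1" 200 5098 "https://example.test/products/42" "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0"
"""


def parse_log(text):
    """Yield one dict per well-formed Combined Log Format line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def page_number(path):
    """Extract ?page=N from a request path, or None when absent/non-numeric."""
    qs = parse_qs(urlsplit(path).query)
    try:
        return int(qs["page"][0])
    except (KeyError, ValueError):
        return None


def is_sequential(pages, min_len=3):
    """True when the client fetched page n, n+1, n+2, ... with no gaps: a crawler's gait."""
    return len(pages) >= min_len and all(b - a == 1 for a, b in zip(pages, pages[1:]))


def scraper_report(entries, seq_min=3):
    """Map each client IP to the list of scraping signals it triggered (empty = clean)."""
    per_ip = defaultdict(lambda: {"pages": [], "uas": set()})
    for e in entries:
        p = page_number(e["path"])
        if p is not None:
            per_ip[e["ip"]]["pages"].append(p)
        per_ip[e["ip"]]["uas"].add(e["ua"])
    report = {}
    for ip, info in per_ip.items():
        signals = []
        if is_sequential(info["pages"], seq_min):
            signals.append("sequential-pagination")
        if any(not ua.startswith(BROWSER_PREFIXES) for ua in info["uas"]):
            signals.append("non-browser-ua")
        if ip in DATACENTRE_ASN:
            signals.append(f"datacentre-asn:{DATACENTRE_ASN[ip]}")
        report[ip] = signals
    return report


if __name__ == "__main__":
    for ip, signals in scraper_report(parse_log(SAMPLE_LOG)).items():
        print(ip, signals or "no scraping signals")
```

The human visitor in the sample also touches paginated URLs, but with gaps and with a product page in between, which is why the sequence check needs a minimum run length rather than firing on any page parameter.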
Should I use Cloudflare's free tier?
For small sites and personal projects, yes — the free tier provides surprising value (anycast CDN, basic DDoS protection, free TLS, basic WAF). For commercial sites, the Pro/Business tiers add WAF rules, advanced bot protection, and SLA. Larger BFSI typically need Enterprise + dedicated POPs.
⚖️ Legal: Use any techniques described here only on networks you own or have explicit written authorisation to test. In India, unauthorised access is punishable under IT Act §66 (up to 3 years + fine). Pair offensive testing with a signed Statement of Work / Rules of Engagement; pair forensic activity with §65B-aligned chain of custody.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.