CloudFlare Alternatives & Multi-CDN Options for DDoS Protection

Have you wondered what content delivery network (CDN) options exist beyond Cloudflare? Cloudflare provides an important service combining DDoS protection and site acceleration for many webmasters, and if their generous free tier never existed, many webmasters may have never considered using any CDN service at all. We also have to credit CloudFlare for encouraging many of the 19 million websites on their platform to adopt HTTPS, although their flexible SSL setting was controversial.

On the other hand, Cloudflare has arguably become a “choke point” in the Internet with 5-10% of global Internet traffic passing through its service. As a military network borne out of DARPA in the 1950s, the Internet was designed to be a decentralized network that can route around damaged network routes and nodes.

The implication of Cloudflare handling so much of global Internet traffic means when Cloudflare goes down due to a DDoS attack or misconfiguration, it takes much of the Internet down along with it. Network architects would describe using Cloudflare, or any single CDN, as a single point of failure.

There are multi-CDN setups where a DNS service like Route 53 is used to load balance traffic across multiple CDNs with customizable rules (e.g. geography), and take a CDN out of the rotation if it fails. For the average website, to not be able to scale the compute resources quickly enough for a traffic burst, is far more likely than a CDN outage.

Citrix Intelligent Traffic Management, formerly known as Cedexis, is a CDN aggregator which combines the services of multiple CDNs into one, which is another option for mission-critical services. Cedexis pricing started at $200/mo on the AWS Marketplace, but now you have to contact sales for a quote. mlytics is another up-and-coming multi-CDN provider offering plans starting from $10/mo bundling Cloudflare, Alibaba Cloud (for China), and CloudFront.

There are numerous CDNs out there, including Akamai, Imperva, StackPath (formerly MaxCDN), or Securi, among others offered by telcos and cloud providers. Some focus on content acceleration, while others have an emphasis on DDoS mitigation and attack blocking through  Web Application Firewall (WAF) features.

AWS CloudFront is the competing service to Cloudflare we’ll take a look at in this article. If you’re currently using Cloudflare but thought about switching or adding another CDN service to the mix, here is what you need to know about AWS CloudFront.

Like other AWS services, CloudFront works best if your resources are hosted within AWS, such as on S3 or EC2 (behind an ELB). The lowest cost way to use CloudFront is serving static content stored in a public S3 bucket. You only pay for the data transfer out, plus a fee for every 10,000 HTTP requests. If the resources are being hosted on EC2, you need to provision an ELB to attach to the CloudFront distribution as an origin.

Similar to CloudFlare, AWS CloudFront masks the IP address of the origin server if it’s in EC2, making it more difficult for attackers to circumvent the CDN. You don’t need to change the authoritative nameservers for your domain (at your registrar) to Route 53, whereas CloudFlare requires domains on its Free Plan to use its nameservers.

If using AWS CloudFront with EC2, the backend traffic between the CDN and origin servers travels entirely within the AWS-owned network, so you would simply install an SSL certificate on CloudFront and the ELB, while allowing the web server to listen on port 80.

CloudFront makes configuring SSL really simple, because you can use Certificate Manager to get a free Amazon-issued SSL certificate, or upload an existing certificate. Using the Amazon certificate, the edge server can negotiate a secure TLS connection with the ELB, which proxies the connection to EC2. Compared to CloudFlare’s free SSL certificate, the Amazon SSL certificate is issued exclusively for your domain, and not shared.

A major drawback of CloudFront arises if your server is not hosted within AWS, but instead with another hosting provider. CloudFront requires a publicly resolvable domain name, for example cdn.example.com, as the Origin Domain Name when setting up your CloudFront distribution. The origin domain name must be pointed directly at your web server using an A record, therefore revealing your server’s true IP address in the public DNS zone.

Although you could setup firewall rules on the non-AWS hosting provider (e.g. DigitalOcean Cloud Firewall or UpCloud firewall) to accept only HTTP/HTTPS traffic from the CloudFront IP ranges, your resilience against DDoS attacks is only as good as the requests per second the firewall that you choose can filter.

Then, you add the domain you want your visitors to see in the address bar as an Alternate Domain Name in CloudFront, usually www.example.com, then add a CNAME record for this hostname to the assigned *.cloudfront.net address. Unless your DNS provider supports DNS flattening at the Apex, you cannot CNAME example.com to the CloudFront address. If your website has always been using non-www addresses, switching to www to implement CloudFront will damage your SEO at least temporarily.

Using CloudFront means you get Amazon’s DDoS protection called AWS Shield Standard free-of-charge. Considering the size of Amazon’s infrastructure, AWS’ network undoubtedly has much more bandwidth capacity than an average hosting company. While other providers would null-route you at the first sign of any attack, you can keep your website up on AWS if you can afford the bandwidth charges and increased resource usage.

Upgrading to Amazon’s paid tier, AWS Shield Advanced costs $3,000/mo + Business/Enterprise support plan, where AWS engineers will work with you directly to mitigate an attack. The AWS Shield Advanced comes with “DDoS Cost Protection for Scaling” which means if you need to auto scale to keep your services running against a DDoS attack, Amazon will pick up the tab.

Unlike Cloudflare’s paid plans starting at $20/mo for unlimited usage, CloudFront doesn’t include a Web Application Firewall (WAF) unless you add an ACL to your CloudFront distribution. The Amazon WAF costs $5/mo + $1/rule + $0.60/1 million web requests. The WAF can detect typical attacks that try to brute force or exploit common web applications such as WordPress, and you can make custom rules, for example to rate limit clients.

AWS CloudFront Network Map - July 2019
AWS CloudFront Network Map – July 2019

We think Cloudflare still remains the leading CDN and DDoS mitigation solution for SMEs. Nothing beats free, and the $20/mo upgrade to the Pro plan for WAF, including unlimited bandwidth keeps things simple — without fear of overage charges. AWS CloudFront is among the fastest CDNs with multiple PoPs focusing on major population centers: 187 points of presence in 69 cities across 30 countries. On the other hand, Cloudflare has a bigger global footprint with datacenters spanning 180 cities in the world. If the rest of your cloud infrastructure lives in AWS, you can hardly go wrong with using CloudFront to accelerate content delivery. The included AWS Shield works particularly well when you use all-AWS services including EC2, ELB, CloudFront, and Route 53, as the built-in DDoS protection can defend you against DNS attacks in addition to conventional TCP floods or deflection attacks against your servers. Cloudflare is a much more attractive option if you’re hosting with one of the independent cloud providers as you can completely hide your origin IP address and serve your website from the bare domain (example.com instead of www.example.com).