Many engineering teams assume their CDN provides DDoS protection. In limited scenarios, it does — a CDN can absorb a volumetric attack against a cacheable resource if its capacity exceeds the attack volume. But that's a narrow use case, not a security guarantee.
What CDNs Are Optimized For
- Geographic distribution of cached content.
- Reducing origin load and bandwidth costs.
- TLS termination and HTTP/2 support.
- Edge routing to the nearest point of presence.
Where CDNs Fall Short in Attacks
- Cache-busting attacks: a single cache-busting URL parameter causes every request to miss the cache and hit your origin.
- L7 attacks against uncacheable endpoints: APIs, authenticated pages, and checkout flows are never cached.
- Attack volume exceeding CDN capacity: CDNs aren't rated for sustained multi-terabit attacks.
- Origin IP exposure: most CDNs don't enforce origin IP privacy — your servers remain reachable directly.
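
The cache-busting pattern from the list above shows up in edge logs as many distinct query strings on one path, nearly all of them cache misses. The following is an added example, not part of the original article, that flags that pattern; the three-field log format, the function name and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample edge log (assumed format): "<client_ip> <url> <cache_status>"
SAMPLE_LOG = """\
203.0.113.10 /static/app.js HIT
203.0.113.11 /static/app.js?v=3 HIT
198.51.100.7 /index.html?cb=8f31a MISS
198.51.100.7 /index.html?cb=19c2e MISS
198.51.100.8 /index.html?cb=77d0b MISS
198.51.100.9 /index.html?x=a91f MISS
198.51.100.9 /index.html?x=0be2 MISS
203.0.113.12 /index.html HIT
203.0.113.13 /api/cart MISS
203.0.113.14 /api/cart MISS
"""

def find_cache_busting(log_text, min_variants=4, min_miss_ratio=0.8):
    """Return {path: (distinct_query_strings, miss_ratio)} for paths where
    many distinct query strings almost all miss the cache, meaning the
    query string is defeating the cache key. Thresholds are illustrative."""
    stats = defaultdict(lambda: {"queries": set(), "with_query": 0, "misses": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _ip, url, status = parts
        u = urlsplit(url)
        if not u.query:
            continue  # plain misses (e.g. uncacheable APIs) are a separate problem
        s = stats[u.path]
        s["queries"].add(u.query)
        s["with_query"] += 1
        if status.upper() == "MISS":
            s["misses"] += 1
    flagged = {}
    for path, s in stats.items():
        ratio = s["misses"] / s["with_query"]
        if len(s["queries"]) >= min_variants and ratio >= min_miss_ratio:
            flagged[path] = (len(s["queries"]), ratio)
    return flagged

if __name__ == "__main__":
    print(find_cache_busting(SAMPLE_LOG))
```

Requests to `/api/cart` are not flagged here because they carry no query string; load on uncacheable endpoints needs its own rate-based check.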
The Right Architecture
Use a CDN for performance — content distribution, caching, edge delivery. Use dedicated DDoS protection (like Akarguard) for security — attack absorption, scrubbing, behavioral detection, and origin IP protection. Both can coexist: route traffic through Akarguard's proxy, which then forwards clean traffic to your CDN origin.