
Wednesday, September 30, 2015

When Your Content Delivery Network Is Bad For Your Website's Health

Here at FireDaemon we use CloudFlare to not only protect our web infrastructure from DDoS attacks but also to accelerate content delivery by virtue of CloudFlare's global CDN.

One of our customers located in Kazakhstan contacted us recently saying they could no longer access our website as it was classified as a "Drug Cultivation" website. What was going on?! They advised that a recent court order had forced local Kazakhstan telecommunication companies to block a variety of drug cultivation and drug paraphernalia websites. A copy of the court order is below (and obviously in Russian). The offending website is listed on the bottom right.

Court Order

Well, it didn't take long to figure out the problem. The offending website was also being served out of CloudFlare's CDN! Taking a look at the Name Server (NS) records, it's clear that both sites' DNS is delegated to CloudFlare:

dig NS offendingwebsite.com

;; ANSWER SECTION:
offendingwebsite.com. 86400 IN NS todd.ns.cloudflare.com.
offendingwebsite.com. 86400 IN NS pam.ns.cloudflare.com.

dig NS firedaemon.com

;; ANSWER SECTION:
firedaemon.com. 86400 IN NS logan.ns.cloudflare.com.
firedaemon.com. 86400 IN NS jessica.ns.cloudflare.com.


Then checking the CloudFlare served address (IN A) records for both websites:

dig www.offendingwebsite.com

;; QUESTION SECTION:
;www.offendingwebsite.com. IN A
;; ANSWER SECTION:
www.offendingwebsite.com. 300 IN A 162.159.241.199
www.offendingwebsite.com. 300 IN A 162.159.242.199

dig www.firedaemon.com

;; QUESTION SECTION:
;www.firedaemon.com. IN A
;; ANSWER SECTION:
www.firedaemon.com. 300 IN A 162.159.241.199
www.firedaemon.com. 300 IN A 162.159.242.199

As you can see, the address records are identical. Clearly the blocking/filtering methodology used by KazTelecom leaves a lot to be desired, but the ramifications are obvious:

  • If you are using a CDN, and your website accidentally shares IP addresses with a banned website, and the content filtering covers not only the domain name but also the serving IP addresses, then your site is going to get blocked
  • The blocking in this case is not at a company level but at a telco/nationwide level. This has ramifications in terms of loss of business, as potential customers can no longer access your site
  • There's the possibility of implicit association between our business and an illicit drug cultivation site leading to potential loss of reputation
  • If other bans are in place using similar filtering methodologies then you and your business might never know about it and see a drop in traffic. We only found out about this by virtue of the customer advising us.
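The overlap found by hand above can be checked automatically. The following is an added example, not code from the original post: it parses `dig` answer lines (the sample input is constructed from the output quoted above) and reports which of a site's A records are also served for a blocked name. The function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample input: the ANSWER SECTION lines quoted in the post.
DIG_OUTPUT = """\
;; ANSWER SECTION:
www.offendingwebsite.com. 300 IN A 162.159.241.199
www.offendingwebsite.com. 300 IN A 162.159.242.199
;; ANSWER SECTION:
www.firedaemon.com. 300 IN A 162.159.241.199
www.firedaemon.com. 300 IN A 162.159.242.199
"""

A_RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)$")

def parse_a_records(dig_text):
    """Map each owner name to the set of IPv4 addresses in its A records."""
    records = {}
    for line in dig_text.splitlines():
        line = line.strip()
        match = A_RECORD.match(line)
        if line.startswith(";") or not match:
            continue  # dig comment lines, blanks, NS/CNAME and other types
        try:
            addr = ipaddress.IPv4Address(match.group(2))
        except ipaddress.AddressValueError:
            continue  # malformed address, ignore the line
        records.setdefault(match.group(1).rstrip(".").lower(), set()).add(addr)
    return records

def collateral_exposure(records, own_name, blocked_names):
    """Return {blocked name: sorted shared IPs} for names sharing an address with own_name."""
    own = records.get(own_name, set())
    shared = {n: sorted(own & records.get(n, set())) for n in blocked_names}
    return {n: ips for n, ips in shared.items() if ips}

def fully_blocked(records, own_name, blocked_names):
    """True when an IP-based filter on the blocked names leaves own_name no reachable address."""
    own = records.get(own_name, set())
    blocked_ips = set().union(*(records.get(n, set()) for n in blocked_names))
    return bool(own) and own <= blocked_ips

if __name__ == "__main__":
    recs = parse_a_records(DIG_OUTPUT)
    blocked = ["www.offendingwebsite.com"]
    for name, ips in collateral_exposure(recs, "www.firedaemon.com", blocked).items():
        print(f"shares {', '.join(map(str, ips))} with {name}")
    print("every address blocked:", fully_blocked(recs, "www.firedaemon.com", blocked))
```

Run periodically against fresh `dig` output from several resolvers, since CDN address assignments change and the overlap can appear or disappear without any change on your side.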

We have contacted CloudFlare about the issue but have had no feedback yet. In the interim we have disabled CloudFlare across the firedaemon.com domain and deployed an alternate CDN technology. The main implication is that whilst Content Delivery Networks are highly beneficial, they obviously have a side effect: they may penalise your website unduly by accelerating content not only for your website but also for other, less desirable websites, leading to your website being misclassified and blocked too.








