Authored by: Peter Löfling, General Manager APAC, Varnish Software.
While not classified as a traditional cybersecurity method, origin shielding is a practice that lets you protect your origin server(s) from overload, ensuring high availability, performance and uptime, while getting an extra layer of security thrown into the mix almost without even trying.
Origin shielding can help mitigate the effects of both malicious and non-malicious traffic overloads and DDoS attacks, meaning that origin protection can play an important role in the overall security picture without being exclusively a security feature.
What is an origin shield?
An origin shield is an extra caching layer between your origin server(s) and your CDN edge servers. One of the worst things you can experience in delivering content is a total server outage with no redundancy or backup. Usually this shouldn’t happen, but in high-traffic events where unheard-of peaks are hit, you need to have measures in place to protect your origin at all costs.
At a basic level, origin shields deliver this extra caching layer to provide extra protection and performance. But what does an origin shield do in a more complex setup, for example, with multiple CDNs? In that case too, the origin-protect technology kicks in to ensure optimal performance within the multi-CDN arrangement. That is, sometimes a CDN has a “bad day”, and the other CDNs within the multi-CDN setup can be relied on to shield underperforming servers.
How does an origin shield work?
Fundamentally, an origin shield reduces the number of calls to your origin server by designating a proxy/cache point of presence (PoP) as the “collection point” for incoming requests that are not already in cache. Instead of being overwhelmed by hundreds or millions of incoming individual requests, your origin server receives only the request from the designated PoP, which then caches and serves the content itself. This increases your cache-hit efficiency, lets you serve content faster and more efficiently, and keeps your site running smoothly (no downtime at origin).
The same principle is at work in the multi-CDN case. One of the caching PoPs you’ve set up will be the primary CDN within the multi-CDN configuration and will continue to send a single request to the origin for content not in cache. This PoP then shares that content with the other CDNs in the configuration.
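The request-collapsing effect described above can be modelled in a few lines. This is an added example, not Varnish code or configuration: the class names, object paths and workload sizes are constructed for illustration, the edge PoPs may belong to one CDN or several, and cache expiry is not modelled.

```python
"""Toy model of origin shielding: count origin fetches with and without a shield tier."""
import random


class Origin:
    """Origin server; counts every request that reaches it."""

    def __init__(self):
        self.hits = 0

    def fetch(self, key):
        self.hits += 1
        return f"body-of-{key}"


class Cache:
    """Cache node (edge PoP or shield): serve from cache, otherwise ask upstream."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.store = {}

    def fetch(self, key):
        if key not in self.store:  # miss: one upstream request, then keep the object
            self.store[key] = self.upstream.fetch(key)
        return self.store[key]


def simulate(n_edges, n_objects, n_requests, shielded, seed=1):
    """Return how many requests reach the origin for a constructed workload."""
    rng = random.Random(seed)
    origin = Origin()
    # With shielding, every edge miss goes to one designated cache, not the origin.
    upstream = Cache(origin) if shielded else origin
    edges = [Cache(upstream) for _ in range(n_edges)]
    for _ in range(n_requests):
        edge = rng.choice(edges)  # client lands on some edge PoP
        edge.fetch(f"/video/segment-{rng.randrange(n_objects)}.ts")
    return origin.hits


if __name__ == "__main__":
    for shielded in (False, True):
        hits = simulate(20, 50, 100_000, shielded)
        print(f"shielded={shielded}: origin received {hits} requests")
```

Without the shield, the origin load grows with the number of edge PoPs (one miss per object per PoP); with it, the origin sees each object once regardless of how many PoPs or CDNs sit in front.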
When should origin shielding be used?
Origin shielding is never a bad idea because you never want to leave the user experience to chance. But origin shielding is essential in certain high-performance use cases in which users are expecting a certain level of service and in which multi-CDN setups are the norm. Examples include live video streaming, video on demand (VoD) and applications like gaming updates (large files that take time to update).
What benefits does origin shielding offer?
Protection for the origin against traffic overloads, maintaining high availability and redundancy in your setup
Reduction of risk from and protection against intentional DDoS and unintentional DDoS-like attacks
An extra layer of security at no additional cost or effort
Enhanced content delivery performance -- faster and more reliable, thanks to better cache efficiency
Secure, high-performance resilience for both single and multi-CDN setups