When Your CDN Is Bad For Your Website's Health
Here at FireDaemon we use CloudFlare to not only protect our web infrastructure from DDoS attacks but also to accelerate content delivery by virtue of CloudFlare's global Content Delivery Network (CDN).
One of our customer's located in Kazakhstan contacted us recently, saying they could no longer access our website as it was classified as a "Drug Cultivation" website. What was going on?! They advised that a recent court order had forced local Kazakhstan telecommunication companies to block a variety of drug cultivation and drug paraphernalia websites. A copy of the court order is below (and obviously in Russian). The offending website is listed on the bottom right.
It didn't take long to figure out the problem. The offending website was also being served out of CloudFlare's CDN! Taking a look at the Name Server (NS) records, it's clear that both sites' DNS is delegated to CloudFlare:
dig NS offendingwebsite.com ;; ANSWER SECTION: offendingwebsite.com. 86400 IN NS todd.ns.cloudflare.com. offendingwebsite.com. 86400 IN NS pam.ns.cloudflare.com. dig NS firedaemon.com ;; ANSWER SECTION: firedaemon.com. 86400 IN NS logan.ns.cloudflare.com. firedaemon.com. 86400 IN NS jessica.ns.cloudflare.com.
Checking the CloudFlare served address (IN A) records for both websites revealed:
dig www.offendingwebsite.com ;; QUESTION SECTION: ;www.offendingwebsite.com. IN A ;; ANSWER SECTION: www.offendingwebsite.com. 300 IN A 162.159.241.199 www.offendingwebsite.com. 300 IN A 162.159.242.199 dig www.firedaemon.com ;; QUESTION SECTION: ;www.firedaemon.com. IN A ;; ANSWER SECTION: www.firedaemon.com. 300 IN A 162.159.241.199 www.firedaemon.com. 300 IN A 162.159.242.199
As you can see the address records are identical. Clearly the blocking/filtering methodology by KazTelecom leaves a lot to be desired, but the ramifications are obvious:
- If you are using a CDN and if your website accidentally shares IP addresses with a banned website and the content filtering not only includes domain name but serving IP addresses, then your site is going to get blocked.
- The blocking, in this case, is not at a company level but at a telco/nationwide level. This has ramifications in terms of loss of business as potential customers can no longer access your site.
- There's the possibility of an implicit association between our business and an illicit drug cultivation site leading to potential loss of reputation.
- If other bans are in place using similar filtering methodologies, then you and your business might never know about it and see a drop in traffic. We only found out about this by virtue of the customer advising us.
We have contacted CloudFlare about the issue but have had no feedback yet. In the interim, we have disabled CloudFlare across the firedaemon.com domain and deployed an alternate CDN technology. The main implication is that whilst Content Delivery Networks are highly beneficial they obviously have aside effect that they may penalise your website unduly by content accelerating not only your website but other less desirable websites leading to your website being misclassified and blocked too.