A Security Orchestration System for CDN Edge Servers

A Content Delivery Network (CDN) employs edge-servers caching content close to end-users to provide high Quality of Service (QoS) in serving digital content. Attacks against edge-servers are known to cause QoS degradation and disruption in serving end-users. Protecting edge-servers is vital but represents a complex task. Not only must the attack mitigation be immediately effective, but the corresponding overhead should also not negatively affect the QoS of legitimate users. We propose a software-based security system for CDN edge-servers to mitigate various attacks. The approach is to automatically react to threats by deploying and managing security services. These security services are realized using virtualized security function chains created, configured, and removed dynamically. The desired system behavior is governed by high-level security policies dictated by a network operator. We demonstrate how our system can be programmed using these policies to automatically handle real-world attacks. Our performance evaluation shows that our system is low-overhead, immediately responds to threats, and quickly recovers legitimate traffic throughput.