A website needs to be up & running at all times. In today's world, this means you need to be prepared for malicious attacks, possibly a DDoS attack, which is "an attempt to make a machine or network resource unavailable to its intended users ... One common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable".
Using a CDN helps combat a DDoS attack. CDNs have many high-capacity servers, so they can handle the peak in requests much better than your servers could. Also, CDNs tend to be better prepared for DDoS attack mitigation, with experienced staff, technology and processes. Nevertheless, behind the CDN sits your own server(s), commonly known as the CDN origin, that serves content to the CDN when needed. The attackers might go after the origin server and if they bring that down the CDN will not be able to download content anymore and as a result not serve the content to your end users: your site is broken.
In this post I outline two options for protecting your CDN origin. Your goal is to only receive (and allow) requests from the CDN. Requests from everybody else must be prevented. Not countered, prevented.
IP rate limiting
One way to protect a server is to do IP rate limiting: only allow X number of requests from an IP address in a given timeframe. This will not work with a CDN because a CDN will do many valid requests from a small number of IP addresses and you want all of these to go through.
Another possible method for allowing only requests from your CDN is to whitelist the CDN. This should work well in theory, but in practice it is difficult to do effectively. You can whitelist IP addresses or some unique identifier in a request header.
Option A: whitelist IP addresses
The challenge with whitelisting on IP address is that you need to always have the IPs of all the CDN edge servers that may hit your origin. This is bound to fail. Many CDNs will not give you the list of IPs and if they do, it will surely happen that they add an IP address and forget to tell you.
Whitelist a unique identifier in a request header
The idea is simple: the CDN sends something unique in the requests to the origin that you can use on the origin to identify the CDN and allow the requests. You would have to ask your CDN provider about the possibilities in order to find out if this is a viable option for you. But, even if they support this, it is not bulletproof. Request headers can be freely set by attackers. If they know you use a certain CDN and they know how that CDN identifies itselt on the origin, they can easily spoof this.
Option B: unguessable origin hostname
This is a simple trick and it is also the best solution.
Create some random, long set of alphanumeric characters and use that as the subdomain.
This hostname will then be only known to the CDN, the owner of the origin and the origin's DNS provider(s). Can it be guessed? Yes, but highly unlikely. Can it leak? Yes, but again: highly unlikely.
Simply whitelist for requests that have this hostname in the HOST header and you're done.