A CDN Origin Pollution Incident
Preface
I was using a CDN to accelerate access to my site. Everything went smoothly after I started using the CDN, until one day I checked the CDN logs and found that the origin error rate had surged dramatically.
Analysis of the Cause
First, I accessed my own website and found that although the page displayed, all styles and buttons were gone. When I opened the developer tools (F12), I saw many 403 errors. No wonder the origin error rate was so high.
Then I thought maybe the origin server had been hacked. However, the origin server is also a static site, so there was no possibility of it being attacked. Direct access to the origin also showed it was normal.
At this point, I had already guessed it was a DNS pollution issue. That is, the origin address that the CDN server obtained had been rewritten. To further verify my guess, I contacted the CDN provider. They tested access to the origin from virtual machines in various locations and found that the results were incorrect (redirected) in certain provinces.
At this point, DNS pollution was confirmed.
Resolving the Issue
Since the origin domain was polluted, the solution was simple: just replace the origin domain with an unpolluted domain. Although there was still a risk of pollution, we could enable DNSSEC to prevent DNS pollution to some extent.
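The multi-location comparison described under Analysis of the Cause, together with the DNSSEC point above, can be scripted. The following is an added example, not code from the original post: it queries a resolver for the origin's A records, reports whether the resolver set the AD (DNSSEC-validated) flag, and flags vantage points whose answers fall outside the known origin addresses. The hostname, resolver addresses, vantage names and IP addresses are constructed placeholders.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    # Flags 0x0120 = RD (recurse) + AD (ask the resolver to report DNSSEC validation).
    header = struct.pack("!HHHHHH", qid, 0x0120, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(msg, off):
    # Step over a possibly compressed domain name and return the next offset.
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer is 2 bytes and ends the name
            return off + 2
        off += n + 1

def parse_response(msg):
    # Return (set of IPv4 addresses in the answer section, AD flag).
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs, bool(flags & 0x0020)

def query(resolver_ip, name, timeout=3.0):
    # Ask one resolver over UDP; run this from each vantage point being compared.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return parse_response(s.recvfrom(4096)[0])

def find_polluted(answers, expected):
    # answers: {vantage: set of IPs}; flag empty answers or any address outside expected.
    return {v: a for v, a in answers.items() if not a or not a <= expected}

if __name__ == "__main__":
    EXPECTED = {"203.0.113.10"}  # constructed: the origin's real address
    collected = {"vantage-a": {"203.0.113.10"}, "vantage-b": {"198.51.100.7"}}  # constructed
    print(find_polluted(collected, EXPECTED))  # only vantage-b is reported
```

Because the pollution in this incident was regional, `query()` only reproduces it when run from machines in the affected locations; answers gathered that way are then passed to `find_polluted()`.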