SC-5 / A.8.31 / CIS-13.8 NIST SP 800-53 Rev 5

DDoS mitigation service / CDN

Demonstrate that the organization has deployed and correctly configured DDoS mitigation or CDN services to protect Internet-facing assets from availability disruptions caused by volumetric, protocol-based, and application-layer attacks.

Description

What this control does

DDoS mitigation services and Content Delivery Networks (CDNs) absorb and filter volumetric, protocol, and application-layer distributed denial-of-service attacks before they reach origin infrastructure. These services operate at the network edge, typically using anycast routing, large-scale bandwidth capacity, and behavioral analysis to distinguish legitimate traffic from attack traffic. By distributing content geographically and maintaining upstream filtering capacity that exceeds an organization's own connectivity, these services ensure availability during attack conditions that would otherwise saturate links or exhaust compute resources.

Control objective

What auditing this proves

Demonstrate that the organization has deployed and correctly configured DDoS mitigation or CDN services to protect Internet-facing assets from availability disruptions caused by volumetric, protocol-based, and application-layer attacks.

Associated risks

Risks this control addresses

  • Volumetric attacks (UDP/ICMP floods, DNS amplification) saturate Internet connectivity and render services unreachable
  • SYN floods and other protocol attacks exhaust firewall and load balancer connection tables, causing service degradation
  • Application-layer attacks (HTTP floods, Slowloris) bypass network-layer defenses and exhaust web server resources
  • Unprotected origin server IP addresses become direct attack targets if exposed or leaked through DNS history or misconfigurations
  • DDoS extortion campaigns disrupt operations and cause reputational damage during prolonged outages
  • Insufficient mitigation capacity or misconfigured rate limits allow attacks to bypass protections and impact availability
  • Lack of automated failover or always-on protection delays response during active attacks, extending downtime


Testing procedure

How an auditor verifies this control

  1. Obtain and review the current inventory of Internet-facing applications, services, and IP addresses protected by DDoS mitigation or CDN services.
  2. Review the service contract or statement of work to confirm mitigation capacity (Gbps/Mpps), SLA commitments, and scope of coverage (network-layer, transport-layer, application-layer).
  3. Examine DNS records for in-scope domains to verify traffic is routed through the mitigation service and origin IP addresses are not directly exposed.
  4. Review the DDoS mitigation service configuration console or API exports to confirm protection policies, rate limits, traffic filtering rules, and challenge mechanisms are enabled.
  5. Verify that origin infrastructure uses IP allowlisting, authentication tokens, or other controls to reject traffic not originating from the mitigation service.
  6. Examine logs or dashboards from the past 90 days to identify detected and mitigated attack events, confirming the service is actively filtering threats.
  7. Review change management records for recent modifications to mitigation policies, origin allowlists, or service routing configurations.
  8. Interview technical staff to confirm runbook procedures for escalating incidents to the DDoS mitigation vendor and validating service health during attacks.
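The DNS-exposure check in step 3 and the origin-allowlist check in step 5 are the two steps an auditor can script rather than eyeball. The following Python script is an added example, not part of this control page or any vendor's tooling: it takes a constructed inventory of in-scope names with their resolved addresses, a placeholder list of the mitigation provider's edge prefixes (a real audit would pull the vendor's published prefix list), and a constructed set of origin security-group rules, then reports any name that resolves outside the provider's ranges and any service-port rule whose source is broader than those ranges. All addresses use RFC 5737 / RFC 3849 documentation space and are assumptions.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Placeholder edge prefixes for the mitigation/CDN provider (assumption: a real
# audit fetches the vendor's published list). Documentation space only.
PROVIDER_EDGE_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed DNS answers, as an auditor would capture per in-scope name in
# step 3 (for example with `dig +short <name> A` / `AAAA`).
RESOLVED_RECORDS: Dict[str, List[str]] = {
    "www.example.com": ["198.51.100.10", "198.51.100.11", "2001:db8:1::10"],
    "api.example.com": ["198.51.100.20"],
    "legacy.example.com": ["203.0.113.45"],  # constructed: resolves straight to origin
}

# Constructed origin security-group rules for step 5: (protocol, port, source CIDR).
ORIGIN_INBOUND_RULES: List[Tuple[str, int, str]] = [
    ("tcp", 443, "198.51.100.0/24"),
    ("tcp", 443, "2001:db8:1::/48"),
    ("tcp", 443, "0.0.0.0/0"),       # constructed: over-broad, origin reachable directly
    ("tcp", 22, "203.0.113.0/28"),   # admin access, not a service port; ignored below
]


def is_behind_mitigation(addr: str, ranges: Iterable = PROVIDER_EDGE_RANGES) -> bool:
    """True if the address falls inside one of the provider's edge prefixes."""
    ip = ipaddress.ip_address(addr)
    # `in` returns False across IP versions, so v4/v6 mixing is safe here.
    return any(ip in net for net in ranges)


def exposed_names(records: Dict[str, List[str]],
                  ranges: Iterable = PROVIDER_EDGE_RANGES) -> Dict[str, List[str]]:
    """Map each name with at least one record outside the provider to those records."""
    findings: Dict[str, List[str]] = {}
    for name, addrs in records.items():
        outside = [a for a in addrs if not is_behind_mitigation(a, ranges)]
        if outside:
            findings[name] = outside
    return findings


def overbroad_rules(rules: List[Tuple[str, int, str]],
                    ranges: Iterable = PROVIDER_EDGE_RANGES,
                    service_ports: Tuple[int, ...] = (80, 443)) -> List[Tuple[str, int, str]]:
    """Return service-port rules whose source CIDR is not contained in a provider prefix."""
    ranges = list(ranges)
    findings = []
    for proto, port, src in rules:
        if port not in service_ports:
            continue
        net = ipaddress.ip_network(src, strict=False)
        # subnet_of() raises across versions, so compare versions first.
        covered = any(net.version == r.version and net.subnet_of(r) for r in ranges)
        if not covered:
            findings.append((proto, port, src))
    return findings


def audit(records: Dict[str, List[str]] = RESOLVED_RECORDS,
          rules: List[Tuple[str, int, str]] = ORIGIN_INBOUND_RULES) -> dict:
    """Combine both checks; 'pass' is True only when neither check has findings."""
    exposed = exposed_names(records)
    broad = overbroad_rules(rules)
    return {"exposed": exposed, "overbroad": broad, "pass": not exposed and not broad}


if __name__ == "__main__":
    result = audit()
    for name, addrs in result["exposed"].items():
        print(f"EXPOSED  {name}: {', '.join(addrs)} not in provider ranges")
    for proto, port, src in result["overbroad"]:
        print(f"OVERBROAD {proto}/{port} from {src} reaches origin directly")
    print("PASS" if result["pass"] else "FAIL")
```

Run against the constructed data the script flags `legacy.example.com` as resolving to an origin address and the `0.0.0.0/0` rule on 443 as over-broad, so the combined result is FAIL; swap in live `dig` output and the actual security-group export to use it in an audit. The version guard around `subnet_of` matters because mixed IPv4/IPv6 rule sets are common and the stdlib raises rather than returning False on a cross-version comparison.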
Evidence required

  • Configuration exports from the DDoS mitigation or CDN portal showing enabled protection policies, rate limits, and challenge rules.
  • DNS query results and zone file excerpts demonstrating traffic routing through the mitigation service.
  • Screenshot or API output of recent attack mitigation events with timestamps, attack vectors, and mitigation actions.
  • Origin server firewall or security group rules restricting inbound traffic to the mitigation service's IP ranges.
  • Service contract or SLA document specifying capacity and response commitments.

Pass criteria

All Internet-facing critical services are actively routed through a DDoS mitigation or CDN service with documented protection policies, origin IP addresses are not directly exposed in public DNS or accessible without allowlist validation, and evidence confirms successful detection and mitigation of attack traffic within the past 90 days or validation testing.