Can CDN caching prevent DoS attacks?
Let's say I use Cloudflare to cache my images, CSS, and JS files. Requests for the HTML content itself still hit my server and an attacker could use that to his advantage.
However, if I tell Cloudflare to cache HTML as well, would a DoS attack be possible? If every single asset, including the HTML, is served by the CDN, my server wouldn't be bothered at all. No matter how much load the attacker throws, it would be handled by the CDN and wouldn't reach my server, thus making it immune to (D)DoS attacks. Is my theory correct?
Real visitors browsing your website will only request existing objects that can be cached and which will be served from the CDN caches as long as they don't expire.
For that kind of visitor your web server will only see the incidental request from the CDN revalidating or refreshing cached objects. And when the CDN caches haven't expired to those vistors your website will appear online even when your actual web server is not.
An attacker attempting to (D)DoS your website by requesting those valid resources won't achieve much either.
But rather than requesting actual content a malicious user can also generate random and unique URI requests.
Those URI's won't already be present in the CDN caches because they have never been requested before. Therefor the CDN will need to make a request to your webserver to load and start caching either the actual content on that URI or an error response.
Before the CDNs threshold levels are reached and DDoS protection kicks in and starts rate limiting or outright dropping such random URI requests, you can still expect to see quite a surge in requests being forwarded by the CDN and reaching your web server.
But those probably won't be enough to knock your server out.