by alexkon 3009 days ago
Can you elaborate on Fastly exposing the origin servers to DDoS? Is there a link to learn more about that?
1 comments

The Fastly "Purge API" by default does not require authentication. This is why you can clear the cache on Github pages directly [1].

From there you can force requests to hit the origin server by first purging the data from the cache and then requesting it.

Unrelated to DDoS, I've also seen issues with the Fastly routing: it doesn't always pick the greatest end node to have a client connect to.

[1] https://stackoverflow.com/questions/26898052/how-to-force-im...

For what it’s worth, I think with custom VCL you could add your own shared key / password authentication to fix this by returning a synthetic 403 if the shared key isn’t present in a header.
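The mitigation the comment above sketches, written out as custom Fastly VCL. This is an added example, not code from the thread or from Fastly; the header name `X-Purge-Key`, the placeholder key value, and the assumption that purge requests reach `vcl_recv` with `req.method == "FASTLYPURGE"` are mine and should be checked against the Fastly VCL reference for your service version before use.

```vcl
# Added example: gate cache purges behind a shared secret carried in a request header.
# Assumptions (not from the thread): purge requests arrive in vcl_recv with
# req.method == "FASTLYPURGE"; the header name X-Purge-Key and the key value are
# placeholders. Store the real key in a Fastly dictionary or edge secret rather
# than inline in the VCL, and rotate it like any other credential.

sub vcl_recv {
#FASTLY recv

  # Only purge traffic is subject to the shared-key check; normal GETs pass through.
  if (req.method == "FASTLYPURGE") {
    # Reject if the header is absent or does not match the configured secret.
    # A missing header evaluates as an empty string and therefore fails the match.
    if (req.http.X-Purge-Key != "REPLACE_WITH_SHARED_KEY_PLACEHOLDER") {
      # Hand off to vcl_error with a status that vcl_error turns into a synthetic 403.
      error 403 "Forbidden";
    }
    # Never let the shared key leak toward the origin or into logs.
    unset req.http.X-Purge-Key;
  }

  return(lookup);
}

sub vcl_error {
#FASTLY error

  # Build the synthetic 403 the comment describes: no origin round trip, no cache effect.
  if (obj.status == 403) {
    set obj.http.Content-Type = "text/plain";
    set obj.http.Cache-Control = "no-store";
    synthetic "Forbidden: purge requests require a valid shared key.";
    return(deliver);
  }
}
```

Two practical notes. First, keep the check in `vcl_recv` so an unauthenticated purge is rejected before it touches the cache or the origin; that is what removes the "purge, then re-request" amplification path the earlier comment describes. Second, Fastly also documents a `Fastly-Purge-Requires-Auth` request header that ties purging to API-key authentication instead of a custom header (that is from my recollection of their documentation, not from this thread), which is usually the simpler option if you do not need a separate purge credential.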