Resilience and Security

We designed DistilledODN with security and resilience as a top priority from the outset. The system is engineered to be fast, robust, resilient and secure.

The FAQ section of the deck goes into more technical details and is designed to be shared with engineering and operations teams, but here we go an overview regarding resilience and security.

Resilience

DistilledODN operates in 3 AWS regions, two in the US and one in the EU.

DistilledODN is designed with multiple levels of resilience and failover in place. In each AWS region traffic is load balanced across an auto-scaling group of servers. At times of high load new servers are automatically provisioned to maintain a certain level of redundancy in platform capacity. Each server has squid installed and can fallback to being a transparent proxy in the event of an application error.

By default we configure the system to route around the ODN entirely in the unlikely case of catastrophic failure or complete outage of AWS across multiple availability zones and regions. This can happen almost instantly via Amazon’s Route53 service as well as at the CDN level for sustained outages. Under any of these circumstances your site stays up and available but without the ODN enhancements and tests.

Each of our 3 AWS regions has been load tested to traffic levels peaks of up to 9,000 requests per second per region, for a tested peak capacity of over 21,000 requests per second. Currently, we handle over 1.5 billion page views per month.

DistilledODN Performance Example

The graph above shows a load test of sustained 1500 requests per second to a 25kb page. The response time to return the page to the end user was 80ms (including fetching the page from the origin server and processing it for adaptations).

Security

DistilledODN is a mission-critical platform, and demands a high level of security. We approach security both at a user level and at a systems level. In particular:

  • All user accounts are protected with 2-factor authentication via Authy
  • User permissions can grant different powers to different team members - such as restricting the ability to publish changes to the preview or live environments for certain users
  • Our systems are hosted on AWS and employ strict security policies and best practices taking advantage of AWS security features
  • If your site’s connection to us is secure (HTTPS), then all connections between servers and to the origin will be secured end-to-end using TLS
  • We do not store PII (Personally identifiable information) of your website visitors - simply passing information through to your servers
  • We are fully PCI compliant and can provide our Attestation of Compliance (AoC) upon request

We work with a third-party penetration testing company, Lift Security, who have not discovered any serious problems during their penetration testing. We can provide the most recent report on request.

Bug Bounty

We encourage responsible disclosure of security vulnerabilities via our bug bounty program. You can contact us at security@distilledodn.com to report a security vulnerability.

Responsible disclosure means:

  • Providing us a reasonable amount of time to fix the issue before disclosing publicly
  • Making a good faith effort not to cause harm to Distilled systems or user data
  • Not affecting Distilled customers’ access to ODN or their website uptime or performance in the process of discovery

In order to encourage responsible disclosure, we will not bring legal action against researchers who point out a problem provided they have followed these guidelines.

Rewards

The minimum payout is $100 and Distilled branded swag for reporting a new security vulnerability which results in us making a code or configuration change. We will use our discretion to reward researchers appropriately - biasing towards higher rewards for reports that affect the integrity or uptime of our customers’ websites.

Eligibility

All services comprising DistilledODN are eligible - including this website (but not other Distilled sites or sub-domains, such as www.distilled.net), the management app, and the proxy service itself. Distilled services and properties not relating to DistilledODN are excluded.

The following would not meet the threshold for consideration:

  • Distributed Denial of Service (DDoS)
  • Social engineering attacks against Distilled employees or contractors, or against our customers
  • Reports from automated tools or scans without accompanying demonstration of exploitability.

Get a demo

If you're interested in a short demo, please fill in this form and one of the ODN team will ping you an email.

Alternatively, if you have any other questions, feel free to drop us a line at contact@distilledodn.com or check out our FAQ page and deck.