Denial of service (DoS) attacks continue to be a daunting challenge for service providers on the Internet. Recent work on countering these attacks has focused primarily on attacks at a single server location or on network resources. Increasingly, however, high-volume sites are distributed using content distribution networks (CDNs). In this paper, we develop two mechanisms to deter DoS attacks against CDN-hosted Web sites and CDN infrastructure servers. First, we propose a novel CDN request routing algorithm which allows CDN servers to effectively distinguish attack traffic from legitimate requests. Our scheme, based on a keyed hash function, significantly improves the resilience of CDNs to DoS attacks. Second, we introduce several site allocation algorithms based on binary codes which insure that an attack on one hosted Web site will have a limited impact on other hosted sites. Our scheme guarantees that a specified minimum number of servers remain available for other sites even when the intended victim is successfully attacked. Together, our schemes significantly improve the resilience of CDN-hosted Web sites, and complement other work on countering DoS and distributed DoS attacks.