Reverse proxies

A reverse proxy is a server that sits between an origin server and its clients, to protect the origin server and improve performance, amongst other reasons. They’re more commonly known as Content Delivery Networks (CDNs) or Load Balancers (LBs) but, in the context of DDoS mitigation, we’re specifically interested in their capacity as reverse proxies.

Diagram of a reverse proxy

Reverse proxies are essential, but not sufficient, to mitigate DDoS attacks. All server-side apps, except for peer-to-peer ones, can benefit from such proxies.

It’s crucial to make the origin server inaccessible from the Internet to prevent attackers from bypassing the proxy. In case this isn’t possible, protect the origin server with a firewall that only allows proxy traffic and set the origin server’s URL to be difficult to guess.

Types

Reverse proxies are mainly classified by the highest layer that they protect. The more layers it covers, the more effective the proxy can be at mitigating DDoS attacks.

As a reminder, the following diagram shows the different layers of the Internet Protocol (IP) model using HTTP as an example:

The IP model layers, using HTTP as an example

Internet layer proxy

These proxies protect the internet layer from volumetric attacks, primarily by absorbing the attack traffic. They achieve this by overprovisioning bandwidth and employing anycast IP routing and BGP Flowspec, amongst other techniques and technologies. The malicious traffic never reaches the origin server.

Internet layer proxies are typically called network layer proxies, layer 3 proxies or L3 proxies, in reference to the OSI model.

When shopping for an internet layer proxy, it’s important to ensure that it offers unmetered inbound traffic.

We strongly recommend cloud-based internet layer proxies, as they’re specifically designed to absorb large DDoS attacks, unlike a comparable service from ISPs (typically called clean pipe). Cloud-based internet layer proxies tend to be bundled with transport layer proxies.

Transport layer proxy

These proxies protect the transport layer from protocol attacks by filtering traffic based on the transport layer protocol. Like internet layer proxies, they shield the origin server from the attack traffic.

Transport layer proxies are often called layer 4 proxies or L4 proxies, in reference to the OSI model.

These proxies can offer the following DDoS-related features:

Firewall to block traffic based on the client’s IP address or other properties derived from it (e.g. its country, whether it’s a known Tor node).
IP reputation to block traffic from known bad IP addresses, or to verify that a suspicious user is human. See also client reputation scoring.
IP-based rate limiting to throttle TCP connections or UDP datagrams from IP addresses that exceed a certain threshold. See also client-based rate limiting.
TLS termination to shield the origin server from exhaustion attacks, such as D(HE)at.

Application layer proxy

These extend transport layer proxies to also protect the application layer from application attacks, by filtering traffic based on the application layer protocol.

Application layer proxies are often called layer 7 proxies or L7 proxies, in reference to the OSI model. API gateways can be considered a sophisticated form of application layer proxy.

Virtually all such proxies are HTTP proxies, and they can offer the following DDoS-related features:

Web Application Firewall (WAF) to block malicious traffic based on the content of the HTTP request (e.g. user agent), and/or transport layer information (e.g. IP address). WAF policies can also be based on attack signatures, which can come from a database of attack patterns known to the provider, or identified with Machine Learning (ML) based on traffic analysis for each origin server.
IP-based rate limiting to throttle HTTP requests or WebSockets messages from IP addresses that exceed a certain threshold. See also client-based rate limiting.
HTTP caching to reduce the load on the origin server.
Authentication to block anonymous traffic by verifying Bearer tokens in the Authorization header, for example. This feature is more commonly offered by API gateways.
Programmatic access control to implement more sophisticated access control policies, which are typically enforced at the edge.

Self-hosted proxies

Self-hosted proxies can be viable alternatives to cloud-based solutions, but they require substantially more resources to set up and maintain.

Self-hosted transport layer proxies include:

HAProxy.
IPVS.

Self-hosted application layer proxies include:

When implementing self-hosted proxies, it’s crucial to implement distributed rate limiting mechanisms, to coordinate across multiple proxy instances.

Cloud-based proxies

As mentioned above, cloud-based proxies are the most effective at mitigating DDoS attacks. The following are the most popular providers of internet/transport and application layer proxies:

Akamai.
AWS: API Gateway, CloudFront (HTTP proxy), and Elastic Load Balancing. See also their best practices for DDoS mitigation and load balancing.
Azure Load Balancer. See also Azure DDoS Protection documentation.
Cloudflare.
Deflect.
Fastly.
Google Cloud Load Balancing. See also Google Cloud Armor, and its best practices.
Incapsula.
Netscout Arbor.

Vulnerable groups, such as journalists and human rights organisations, can apply for free services from Cloudflare, eQualitie and Google, for example.