Reverse proxies

A reverse proxy is a server that sits between an origin server and its clients, to protect the origin server and improve performance, amongst other reasons. They’re more commonly known as Content Delivery Networks (CDNs) or Load Balancers (LBs) but, in the context of DDoS mitigation, we’re specifically interested in their capacity as reverse proxies.

Diagram of a reverse proxy

Reverse proxies are essential, but not sufficient, to mitigate DDoS attacks. All server-side apps, except for peer-to-peer ones, can benefit from such proxies.

It’s crucial to make the origin server inaccessible from the Internet to prevent attackers from bypassing the proxy. In case this isn’t possible, protect the origin server with a firewall that only allows proxy traffic and set the origin server’s URL to be difficult to guess.

Types

Reverse proxies are mainly classified by the highest layer that they protect. The more layers it covers, the more effective the proxy can be at mitigating DDoS attacks.

As a reminder, the following diagram shows the different layers of the Internet Protocol (IP) model using HTTP as an example:

The IP model layers, using HTTP as an example

Internet layer proxy

These proxies protect the internet layer from volumetric attacks, primarily by absorbing the attack traffic. They achieve this by overprovisioning bandwidth and employing anycast IP routing and BGP Flowspec, amongst other techniques and technologies. The malicious traffic never reaches the origin server.

Internet layer proxies are typically called network layer proxies, layer 3 proxies or L3 proxies, in reference to the OSI model.

When shopping for an internet layer proxy, it’s important to ensure that it offers unmetered inbound traffic.

We strongly recommend cloud-based internet layer proxies, as they’re specifically designed to absorb large DDoS attacks, unlike a comparable service from ISPs (typically called clean pipe). Cloud-based internet layer proxies tend to be bundled with transport layer proxies.

Transport layer proxy

These proxies protect the transport layer from protocol attacks by filtering traffic based on the transport layer protocol. Like internet layer proxies, they shield the origin server from the attack traffic.

Transport layer proxies are often called layer 4 proxies or L4 proxies, in reference to the OSI model.

These proxies can offer the following DDoS-related features:

Firewall to block traffic based on the client’s IP address or other properties derived from it (e.g. its country, whether it’s a known Tor node).
TLS termination to shield the origin server from exhaustion attacks, such as D(HE)at.

Self-hosted transport layer proxies, such as HAProxy and IPVS, may be viable alternatives to cloud-based solutions, but they require substantially more resources to set up and maintain.

Application layer proxy

These extend transport layer proxies to also protect the application layer from application attacks, by filtering traffic based on the application layer protocol.

Application layer proxies are often called layer 7 proxies or L7 proxies, in reference to the OSI model. API gateways can be considered a sophisticated form of application layer proxy.

Virtually all such proxies are HTTP proxies, and they can offer the following DDoS-related features:

Web Application Firewall (WAF) to block malicious traffic based on the content of the HTTP request (e.g. user agent), and/or transport layer information (e.g. IP address). WAF policies can also be based on attack signatures, which can come from a database of attack patterns known to the provider, or identified with Machine Learning (ML) based on traffic analysis for each origin server.
IP reputation to block traffic from known bad IP addresses, or to verify that a suspicious user is human. See also client reputation scoring.
IP-based rate limiting to block traffic from IP addresses that exceed a certain threshold. See also client-based rate limiting.
HTTP caching to reduce the load on the origin server.
Authentication to block anonymous traffic by verifying Bearer tokens in the Authorization header, for example. This feature is more commonly offered by API gateways.
Programmatic access control to implement more sophisticated access control policies, which are typically enforced at the edge.

Self-hosted application layer proxies, such as Nginx and Traefik, may be viable alternatives to cloud-based solutions, but they require substantially more resources to set up and maintain.

Cloud-based proxies

As mentioned above, cloud-based proxies are the most effective at mitigating DDoS attacks. The following are the most popular providers of internet/transport and application layer proxies:

Akamai.
AWS: API Gateway, CloudFront (HTTP proxy), and Elastic Load Balancing. See also their best practices for DDoS mitigation and load balancing.
Azure Load Balancer. See also Azure DDoS Protection documentation.
Cloudflare.
Deflect.
Fastly.
Google Cloud Load Balancing. See also Google Cloud Armor, and its best practices.
Incapsula.
Netscout Arbor.

Vulnerable groups, such as journalists and human rights organisations, can apply for free services from Cloudflare, eQualitie and Google, for example.