Outgrowing reverse proxy - technology for remote protection and site optimization without changing DNS A-records



Over the past month, the average load on Internet resources has grown significantly due to the widespread transition to remote work and study (for the details, see our article "Pandemic and traffic - a view from the telecom operator"). Online cinemas and games, online training platforms and on-demand services such as food delivery are in great demand. In such circumstances, the potential economic damage caused by a resource becoming unavailable, including due to DDoS attacks, is especially high. Which solution should you choose to protect your project?

In this article you will find:

  • Limitations of protection through the classic reverse proxy with the change of DNS A-records, which providers are often silent about.
  • Which solution should you choose to avoid the risks associated with these limitations?
  • A real case with the protection of a large project, without moving and changing A-records.
  • General recommendations for organizing the protection of the Internet resource.

So, first things first. You have decided to protect your growing project from DDoS attacks. The basis of any protection is the analysis and filtering of incoming traffic. But before traffic can be cleaned, it must first be delivered to the cleaning center. Hereinafter, by "protection solution" we mean a combination of technologies for the delivery and cleaning of traffic.

Most likely, the first solution you come across will be based on reverse proxy technology with a change of DNS A-records. Therefore, we first consider the principle of the technology and its capabilities (if you are familiar with reverse proxies, feel free to skip these two sections) and then the restrictions associated with the delivery of traffic (do not skip this part). Then we show how these restrictions can be circumvented, using a real case as an example. Finally, we give some general recommendations on how to protect an Internet resource.

Reverse proxy - how it works


Here we look at the reverse proxy as a means of delivering traffic. How it works is well known to everyone, but it is simply impossible not to mention it here.



  1. Changing DNS A-records - instead of the IP address of the web server, the IP address of the proxy server is indicated. Distribution of changes around the world (DNS propagation).
  2. The visitor OS requests the IP address corresponding to the domain name of the site (DNS resolution).
  3. The DNS server responds to the request by reporting the IP address of the proxy server.
  4. The visitor's browser opens an HTTP(S) session and sends requests to the proxy server, which establishes its own connection to the target web server and passes the requests on to it.

Reverse proxy features


What capabilities do solutions working through a reverse proxy with an A-record change provide?

  • Monitoring requests and protecting the site from attacks at the application level. The technology allows you to process each application-level request arriving at the target server.
  • Reducing the load on the target web server and speeding up the site. Proxy servers can compress and cache data; this is the basis of how a Content Delivery Network (CDN) works.
  • Flexible load balancing between multiple target web servers. The technology allows you to distribute the load of processing requests between multiple machines. This improves system resiliency and performance.
  • Easy to connect. To enable protection, just change the DNS A-records and wait for the changes to take effect. Relocation, new hardware and new software are not required.
  • Hiding the real IP address of the target web server. Visitors connect to the IP address of the proxy server and receive responses from it, which keeps the target web resource's address hidden.

Reverse proxy restrictions


This technology has a number of pitfalls that are rarely talked about. Its limitations include:

  • [item lost in extraction; surviving terms: DDoS attacks, IP address, DNS]
  • [item lost in extraction; surviving terms: IP address]
  • [item lost in extraction; surviving terms: DNS propagation, TTL (Time to Live) of DNS records]
  • [item lost in extraction; surviving terms: TCP ports 80 and 443, UDP]



The disadvantages of DDoS protection solutions based on the "classic" reverse proxy begin to be felt as a growing project runs into more and more of the technology's limitations. Which technical solutions can eliminate or significantly reduce the risk of site inaccessibility due to the listed disadvantages? Read on.

Outgrowing reverse proxy


Let's look at the problem with a real example from our practice. Last year, a large client contacted us with a specific list of requirements for protection services. We cannot disclose the name of the company for obvious reasons, but here are the client's needs:

  • Protect sites from application-level attacks.
  • Remove part of the load from the target web servers and speed up the loading of sites: the client has a lot of static content and is interested in caching and compressing data on CDN nodes.
  • Provide protection against direct attacks on the IP address / network (protection against DDoS attacks at the L3-L4 OSI levels). 
  • Services must connect without changing the external IP addresses of the resources. The client has its own AS and address blocks.
  • Management of traffic processing services and switching to backup channels should take place in real time - the level of resource availability is critical for the client.

Solutions based on the "classic" reverse proxy with changing DNS A-records cover only the first two items on the list.

Services like secure hosting, virtual and dedicated servers allow you to protect yourself from attacks at the L3-L7 OSI levels, but require relocation and tie you to a single security provider. What to do?

DDoS protection within the network with protected services


Installing filtering equipment in your own network allows you to protect services at the L3-L7 OSI levels and to manage filtering rules freely. By choosing this solution, you incur substantial capital (CapEx) and operating (OpEx) expenses. These are expenses for:

  • traffic filtering equipment + software licenses (CapEx);
  • renewal of software licenses (OpEx);
  • full-time specialists for setting up equipment and monitoring its operation (OpEx); 
  • Internet access channels sufficient to receive attacks (CapEx + OpEx);
  • payment of incoming "junk" traffic (OpEx).

As a result, the effective price per megabit of cleaned traffic becomes unreasonably high. In any case, the filtering capacity of such a solution will be lower than that of specialized providers. Moreover, to speed up the site, you will one way or another have to resort to the services of CDN providers. Among the advantages of this solution, it is worth noting that decrypted traffic does not leave the perimeter of the protected network. We will discuss this issue in more detail later.

Even for large companies, such a solution is often not economically feasible, not to mention medium and small businesses. It also did not suit our client.

Proxying without changing A records


To meet the needs of such customers, we developed a technology for intercepting web traffic and implemented it as part of a remote protection service that does not require changing A records. The solution is based on one principle: all connections between the client's AS and public networks must be protected. The client sends us announcements of its IP addresses / networks via BGP, and we announce them on the Internet.



All traffic destined for protected resources passes through our network. The client can leave several backup connections and use them in case of unforeseen circumstances by removing the announcements from the DDoS-GUARD network. In normal mode, we recommend using only our connections to access the Internet, so that we can guarantee the protection of client services.

The diagram below shows how traffic processing in our network is organized using the example of web traffic.



  1. [step lost in extraction; surviving terms: IP addresses, L7, API]
  2. [step lost in extraction; surviving terms: L3-4 OSI]
  3. [step lost in extraction; surviving terms: TCP ports 80 and 443, HTTP]
  4. [step lost in extraction]
  5. All traffic specified by the client IP addresses / domains is processed at the L7 level. Proxy servers filter traffic, optimize content and cache it.

Rules for networks and for domains can be created independently of each other. When creating a rule for a domain, you do not need to specify the IP address of its web server. This approach means the filtering rules do not have to change when domains migrate between web servers within the protected network. At the client's request, we can change the processing rules so as to intercept traffic on any other ports.
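The processing order described above, as an added model written for this article (not DDoS-GUARD's code): prefixes the client announces via BGP enter the cleaning network, L3-4 rules are keyed by prefix, TCP traffic to ports 80 and 443 is handed to the L7 proxies, and domain rules are keyed by the Host header alone, so moving a domain to another web server inside the protected network changes nothing. Rule names, the RFC 5737 documentation prefix and the `withdraw_announcement` helper are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample state (hypothetical names, RFC 5737 documentation prefix).
# This models the article's pipeline; it is not DDoS-GUARD's configuration.
ANNOUNCED = {ip_network("203.0.113.0/24"): True}                     # prefixes announced to us via BGP
NETWORK_RULES = {ip_network("203.0.113.0/24"): {"drop_udp": True}}   # L3-4 rule, keyed by prefix only
DOMAIN_RULES = {"shop.example": "cache_and_filter"}                  # L7 rule, keyed by Host; no origin IP
PROXY_PORTS = {80, 443}                                              # TCP ports intercepted for L7

@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str                  # "tcp" or "udp"
    dport: int
    host: Optional[str] = None  # HTTP Host header, known once the proxy has parsed the request

def route(pkt: Packet) -> str:
    """Decide the packet's path, in the order the article gives:
    prefix announced? -> L3-4 rule for that prefix -> TCP 80/443 to the L7 proxy
    (rule chosen by Host, whatever the web server's IP) -> everything else forwarded.
    """
    dst = ip_address(pkt.dst)
    prefix = next((p for p in ANNOUNCED if dst in p), None)
    if prefix is None:
        return "not_protected"          # not a client prefix at all
    if not ANNOUNCED[prefix]:
        return "bypass"                 # announcement withdrawn: traffic takes the client's backup links
    rule = NETWORK_RULES.get(prefix, {})
    if pkt.proto == "udp" and rule.get("drop_udp"):
        return "drop"                   # L3-4 filtering, no L7 stage
    if pkt.proto == "tcp" and pkt.dport in PROXY_PORTS:
        action = DOMAIN_RULES.get(pkt.host or "", "pass_through")
        return f"proxy:{action}"        # L7 proxies filter, optimize and cache
    return "forward"                    # other ports: L3-4 checked, passed straight through

def withdraw_announcement(prefix: str) -> None:
    """Model the emergency path: the client removes its BGP announcement from our network."""
    ANNOUNCED[ip_network(prefix)] = False
```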

Conclusion


Now let's check if the developed DDoS-GUARD solution satisfies the list of requirements from the section “Outgrowing reverse proxy”.

  • The client receives protection against attacks at the L3-L7 OSI levels.
  • Content is compressed and cached on the nodes of our CDN, which reduces the load on the target web servers.
  • Protection management takes place in real time. The client manages traffic filtering rules for subnets, IP addresses and individual domains through a personal account or API. Changes take effect within 1 minute. In an emergency, the client can redirect all traffic to bypass the DDoS-GUARD network simply by removing BGP announcements.
  • The IP addresses owned by the company remain unchanged. The client does not need to purchase new equipment or software, hire additional staff or pay for incoming junk traffic.

In addition, it is possible to protect services and applications running on non-standard ports.

PS


General recommendations on how to protect your project:

  • [item lost in extraction; surviving terms: MTU (Maximum Transmission Unit)]
  • [item lost in extraction]
  • [item lost in extraction; surviving terms: DDoS, 100%, I and II]
  • [item lost in extraction; surviving terms: 100%, I and II]
