Understanding Modern DDoS Defense Architecture

A technical deep-dive into CDN, WAF, and origin protection layers

Introduction

This article provides a comprehensive technical overview of modern DDoS defense architecture. We'll examine each layer of protection, how they work together, and where the gaps typically exist.

Target audience: Security engineers, DevOps teams, and architects responsible for infrastructure resilience.

The Defense Stack

Modern DDoS protection consists of multiple layers, each addressing different attack vectors:

+-------------------------------------------------------------+
|                    INTERNET / ATTACKERS                     |
+-------------------------------------------------------------+
                               |
                               v
+-------------------------------------------------------------+
| LAYER 1: DNS & ANYCAST                                      |
|   - GeoDNS routing                                          |
|   - Anycast distribution                                    |
|   - DNS-based load balancing                                |
+-------------------------------------------------------------+
                               |
                               v
+-------------------------------------------------------------+
| LAYER 2: EDGE / CDN                                         |
|   - Global PoP network                                      |
|   - DDoS absorption (volumetric)                            |
|   - TLS termination                                         |
|   - Caching                                                 |
+-------------------------------------------------------------+
                               |
                               v
+-------------------------------------------------------------+
| LAYER 3: SCRUBBING CENTER                                   |
|   - BGP-based traffic diversion                             |
|   - Volumetric attack absorption at edge PoPs               |
|   - Always-on or on-demand activation                       |
|   - GRE tunnels return clean traffic to origin              |
+-------------------------------------------------------------+
                               |
                               v
+-------------------------------------------------------------+
| LAYER 4: WAF / APPLICATION FIREWALL                         |
|   - L7 attack mitigation                                    |
|   - Rate limiting                                           |
|   - Bot detection                                           |
|   - Custom rules                                            |
+-------------------------------------------------------------+
                               |
                               v
+-------------------------------------------------------------+
| LAYER 5: LOAD BALANCER                                      |
|   - Health checks                                           |
|   - Traffic distribution                                    |
|   - Session persistence                                     |
|   - Connection pooling                                      |
+-------------------------------------------------------------+
                               |
                               v
+-------------------------------------------------------------+
| LAYER 6: ORIGIN / APPLICATION                               |
|   - Application logic                                       |
|   - Database                                                |
|   - Internal services                                       |
+-------------------------------------------------------------+

1 DNS & Anycast

DNS is the first line of defense. Modern architectures use GeoDNS, which returns different IP addresses depending on the client's location, and Anycast, where many geographically distributed PoPs announce the same IP prefix so that BGP steers each client to the nearest one (and spreads a volumetric attack across all of them).

Query: www.example.com from US
Response: 104.16.1.1 (US PoP)

Query: www.example.com from EU
Response: 104.16.2.1 (EU PoP)

2 Edge / CDN

CDNs operate a global network of Points of Presence (PoPs). Major CDNs have 100+ Tbps capacity, absorbing volumetric attacks through distributed scrubbing.

Provider   | CNAME Pattern     | Headers                       | ASN
-----------|-------------------|-------------------------------|------
Cloudflare | *.cloudflare.net  | CF-RAY, Server: cloudflare    | 13335
CloudFront | *.cloudfront.net  | X-Amz-Cf-Id, Via: CloudFront  | 16509
Akamai     | *.akamaiedge.net  | X-Akamai-*, Akamai-*          | 20940
Fastly     | *.fastly.net      | X-Served-By, Fastly-Debug-*   | 54113
Azure CDN  | *.azureedge.net   | X-Azure-Ref                   | 8075

3 Scrubbing Centers

Scrubbing centers are dedicated traffic-cleaning facilities that sit between the internet and the origin infrastructure. During an attack, traffic is diverted through these centers via BGP route announcements, inspected for malicious patterns, and only clean traffic is forwarded to the origin.

How BGP-Based Diversion Works

When an attack is detected, the scrubbing provider advertises more-specific BGP routes for the target's IP prefixes. Internet routers prefer these more-specific routes, causing all traffic destined for the target to flow through the scrubbing center instead. After filtering, clean traffic is returned to the origin via GRE tunnels or direct peering.

Always-On vs On-Demand

  • Always-on: All traffic permanently routes through the scrubbing center. Attacks are detected and mitigated immediately because there is no switchover, but every packet pays for a constant extra hop and the latency overhead that comes with it.
  • On-demand: BGP diversion activates only when an attack is detected. Normal traffic keeps its direct path and lowest latency, but there is a switchover delay (typically 30-90 seconds) while the new routes propagate, during which the origin takes the full attack.
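The diversion mechanism described above, reduced to the one rule that makes it work: longest-prefix match. This is an added illustration, not DDactic's code; the ASNs (RFC 5398 private range) and the /22 prefix are constructed placeholders.

```python
import ipaddress

# Constructed scenario: the transit provider normally carries the origin's covering
# prefix; during an attack the scrubbing provider announces more-specific halves of
# it. All ASNs are private placeholders and the prefix is not a real allocation.
TRANSIT_ASN, ORIGIN_ASN, SCRUBBER_ASN = 64496, 64500, 64501
TARGET_PREFIX = "203.0.112.0/22"

def build_rib(routes):
    """Return (network, as_path) pairs ordered most-specific first."""
    rib = [(ipaddress.ip_network(p), tuple(path)) for p, path in routes]
    return sorted(rib, key=lambda r: r[0].prefixlen, reverse=True)

def best_route(routes, dst):
    """Longest-prefix match, applied by every router before any other BGP
    tie-breaker: the most specific prefix containing dst wins."""
    addr = ipaddress.ip_address(dst)
    for net, path in build_rib(routes):
        if addr in net:
            return net, path
    raise LookupError(f"no route to {dst}")

def divert(routes, prefix, scrubber_path):
    """On-demand diversion: announce the two halves of prefix via the scrubber.
    Splitting (rather than re-announcing the same /22) is what makes the new
    routes win; /23s stay at or above the /24 limit most transit networks accept.
    Clean traffic then reaches the origin over GRE, which BGP never sees."""
    halves = ipaddress.ip_network(prefix).subnets(prefixlen_diff=1)
    return routes + [(str(h), scrubber_path) for h in halves]

def withdraw(routes, scrubber_asn):
    """Attack over: withdraw every route whose AS path traverses the scrubber."""
    return [(p, path) for p, path in routes if scrubber_asn not in path]

def scrubber_in_path(path, known_scrubber_asns):
    """The passive BGP-analysis signal: a known scrubbing ASN appears in the path."""
    return any(asn in known_scrubber_asns for asn in path)

NORMAL = [("0.0.0.0/0", (TRANSIT_ASN,)), (TARGET_PREFIX, (TRANSIT_ASN, ORIGIN_ASN))]
UNDER_ATTACK = divert(NORMAL, TARGET_PREFIX, (TRANSIT_ASN, SCRUBBER_ASN))

if __name__ == "__main__":
    for label, rib in (("normal", NORMAL), ("diverted", UNDER_ATTACK)):
        net, path = best_route(rib, "203.0.113.10")
        print(f"{label:8} {net} via {path} scrubbed={scrubber_in_path(path, {SCRUBBER_ASN})}")
```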

Major Scrubbing Center Providers

Provider                      | Capacity  | Detection Signals
------------------------------|-----------|------------------------------------------
Akamai Prolexic               | 20+ Tbps  | ASN 32787, Prolexic-specific headers
Radware DefensePro (Cloud)    | 12+ Tbps  | ASN shifts, Server: rdwr headers
Imperva (Incapsula)           | 13+ Tbps  | Incapsula CNAME, X-Iinfo headers
Neustar / UltraDDoS Protect   | 15+ Tbps  | ASN 19905, Neustar DNS patterns
Lumen DDoS Mitigation         | 15+ Tbps  | ASN 3356, BGP community attributes

How DDactic Detects Scrubbing Centers

DDactic identifies scrubbing center presence through multiple passive signals:

  • BGP analysis: Monitoring route announcements for scrubbing provider ASNs in the path
  • ASN ownership: Identifying IP ranges belonging to known scrubbing providers
  • Latency patterns: Detecting the additional hop introduced by traffic diversion
  • Response headers: Recognizing provider-specific headers injected during scrubbing
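A passive fingerprinter that combines the CDN table in section 2 with the ASN and header signals listed for scrubbing providers above. It is an added example, not DDactic's detection engine; the signal table is transcribed from this article's tables only, and the observation it runs on is constructed.

```python
from fnmatch import fnmatch

# Signal table transcribed from the CDN and scrubbing-provider tables in this article.
# "hdr" entries are header-name globs (matched case-insensitively), "val" entries are
# (header name, substring) pairs, "asn" lists the provider's autonomous system numbers.
SIGNALS = {
    "Cloudflare":        {"cname": ["cloudflare.net"], "hdr": ["cf-ray"], "val": [("server", "cloudflare")], "asn": [13335]},
    "CloudFront":        {"cname": ["cloudfront.net"], "hdr": ["x-amz-cf-id"], "val": [("via", "cloudfront")], "asn": [16509]},
    "Akamai":            {"cname": ["akamaiedge.net"], "hdr": ["x-akamai-*", "akamai-*"], "val": [], "asn": [20940]},
    "Fastly":            {"cname": ["fastly.net"], "hdr": ["x-served-by", "fastly-debug-*"], "val": [], "asn": [54113]},
    "Azure CDN":         {"cname": ["azureedge.net"], "hdr": ["x-azure-ref"], "val": [], "asn": [8075]},
    "Akamai Prolexic":   {"cname": [], "hdr": [], "val": [], "asn": [32787]},
    "Radware":           {"cname": [], "hdr": [], "val": [("server", "rdwr")], "asn": []},
    "Imperva Incapsula": {"cname": [], "hdr": ["x-iinfo"], "val": [], "asn": []},
    "Neustar UltraDDoS": {"cname": [], "hdr": [], "val": [], "asn": [19905]},
    "Lumen":             {"cname": [], "hdr": [], "val": [], "asn": [3356]},
}

def fingerprint(cnames, headers, path_asns):
    """Score each provider by how many independent signal kinds match one observation:
    the CNAME chain, the HTTP response headers, and the ASNs seen on the path.
    Returns [(provider, [matched kinds])], strongest evidence first."""
    names = [c.lower().rstrip(".") for c in cnames]
    hdrs = {k.lower(): str(v).lower() for k, v in headers.items()}
    results = []
    for provider, sig in SIGNALS.items():
        hits = []
        if any(n == s or n.endswith("." + s) for n in names for s in sig["cname"]):
            hits.append("cname")
        if any(fnmatch(h, g) for h in hdrs for g in sig["hdr"]):
            hits.append("header")
        if any(needle in hdrs.get(name, "") for name, needle in sig["val"]):
            hits.append("header-value")
        if any(a in sig["asn"] for a in path_asns):
            hits.append("asn")
        if hits:
            results.append((provider, hits))
    return sorted(results, key=lambda r: -len(r[1]))

# Constructed observation: a CloudFront-fronted host whose path also crosses the
# Prolexic ASN, i.e. a CDN at the edge with an always-on scrubbing layer behind it.
OBSERVATION = dict(
    cnames=["d111111abcdef8.cloudfront.net"],
    headers={"X-Amz-Cf-Id": "constructed", "Via": "1.1 abc.cloudfront.net (CloudFront)", "Server": "nginx"},
    path_asns=[16509, 32787],
)
```

A single matching kind (an ASN alone, as for Prolexic here) is a hint to confirm with the latency signal, not a verdict.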

4 WAF / Application Firewall

WAFs protect against Layer 7 (application) attacks:

  • Rate Limiting: Block IPs exceeding thresholds
  • Bot Detection: Block automated/scripted requests
  • Geo Blocking: Block traffic from specific countries
  • IP Reputation: Block known-bad IPs
  • Custom Rules: Block specific patterns/signatures

5 Load Balancer

Load balancers distribute traffic and provide health checks:

  • Layer 4 (TCP/UDP): Fast, efficient, no application awareness
  • Layer 7 (HTTP/HTTPS): Application-aware routing, can inspect headers

6 Origin Protection

The origin should ONLY accept connections from the CDN. This is the most critical and most often misconfigured layer.

# Nginx: allow only CDN IPs. The geo block must live in the http context;
# it matches $remote_addr, i.e. the TCP peer, never X-Forwarded-For.
geo $allow_cdn {
    default 0;
    173.245.48.0/20 1;
    103.21.244.0/22 1;
    # ... other CDN ranges
}

server {
    # Reject anything that did not arrive from a listed CDN range
    if ($allow_cdn = 0) {
        return 403;
    }
}

Risk Assessment Matrix

Configuration               | Volumetric | Application (L7) | Origin Exposure | Overall
----------------------------|------------|------------------|-----------------|---------
No CDN                      | Critical   | Critical         | Critical        | Critical
CDN only                    | Low        | High             | Medium          | Medium
CDN + WAF                   | Low        | Medium           | Medium          | Medium
CDN + WAF + Origin lockdown | Low        | Low              | Low             | Low
Full stack + monitoring     | Very Low   | Very Low         | Very Low        | Very Low


Test Your Architecture

DDactic provides automated tooling to assess, test, and monitor all layers of your DDoS defense architecture.

Conclusion

Effective DDoS defense requires:

  1. Multiple layers: No single solution is sufficient
  2. Proper configuration: Misconfiguration is the #1 vulnerability
  3. Origin protection: CDN is useless if origin is exposed
  4. Continuous monitoring: Threats evolve; defenses must too
  5. Regular testing: Theory isn't enough; validate in practice