Understanding Modern DDoS Defense Architecture

A technical deep-dive into CDN, WAF, and origin protection layers

Introduction

This article provides a comprehensive technical overview of modern DDoS defense architecture. We'll examine each layer of protection, how they work together, and where the gaps typically exist.

Target audience: Security engineers, DevOps teams, and architects responsible for infrastructure resilience.

The Defense Stack

Modern DDoS protection consists of multiple layers, each addressing different attack vectors:

+-------------------------------------------------------------+
|                    INTERNET / ATTACKERS                     |
+-------------------------------------------------------------+
                              |
                              v
+-------------------------------------------------------------+
|  LAYER 1: DNS & ANYCAST                                     |
|  - GeoDNS routing                                           |
|  - Anycast distribution                                     |
|  - DNS-based load balancing                                 |
+-------------------------------------------------------------+
                              |
                              v
+-------------------------------------------------------------+
|  LAYER 2: EDGE / CDN                                        |
|  - Global PoP network                                       |
|  - DDoS absorption (volumetric)                             |
|  - TLS termination                                          |
|  - Caching                                                  |
+-------------------------------------------------------------+
                              |
                              v
+-------------------------------------------------------------+
|  LAYER 3: WAF / APPLICATION FIREWALL                        |
|  - L7 attack mitigation                                     |
|  - Rate limiting                                            |
|  - Bot detection                                            |
|  - Custom rules                                             |
+-------------------------------------------------------------+
                              |
                              v
+-------------------------------------------------------------+
|  LAYER 4: LOAD BALANCER                                     |
|  - Health checks                                            |
|  - Traffic distribution                                     |
|  - Session persistence                                      |
|  - Connection pooling                                       |
+-------------------------------------------------------------+
                              |
                              v
+-------------------------------------------------------------+
|  LAYER 5: ORIGIN / APPLICATION                              |
|  - Application logic                                        |
|  - Database                                                 |
|  - Internal services                                        |
+-------------------------------------------------------------+

1 DNS & Anycast

DNS is the first line of defense. Modern architectures use GeoDNS, which returns different IP addresses depending on the client's location, and Anycast, where many PoPs announce the same IP prefix so that BGP routing delivers each client to the nearest one. Both spread inbound traffic across the edge before any single site can be saturated.

Query: www.example.com from US
Response: 104.16.1.1 (US PoP)

Query: www.example.com from EU
Response: 104.16.2.1 (EU PoP)

2 Edge / CDN

CDNs operate a global network of Points of Presence (PoPs). Major CDNs have 100+ Tbps of aggregate capacity, absorbing volumetric attacks through distributed scrubbing at the edge. The table below lists the CNAME patterns, response headers, and ASNs that identify each major provider; they are useful when auditing whether a hostname actually resolves through the CDN.

Provider     CNAME Pattern        Headers                         ASN
Cloudflare   *.cloudflare.net     CF-RAY, Server: cloudflare      13335
CloudFront   *.cloudfront.net     X-Amz-Cf-Id, Via: CloudFront    16509
Akamai       *.akamaiedge.net     X-Akamai-*, Akamai-*            20940
Fastly       *.fastly.net         X-Served-By, Fastly-Debug-*     54113
Azure CDN    *.azureedge.net      X-Azure-Ref                     8075

3 WAF / Application Firewall

WAFs protect against Layer 7 (application) attacks:

  • Rate Limiting: Block IPs exceeding thresholds
  • Bot Detection: Block automated/scripted requests
  • Geo Blocking: Block traffic from specific countries
  • IP Reputation: Block known-bad IPs
  • Custom Rules: Block specific patterns/signatures

4 Load Balancer

Load balancers distribute traffic and provide health checks:

  • Layer 4 (TCP/UDP): Fast, efficient, no application awareness
  • Layer 7 (HTTP/HTTPS): Application-aware routing, can inspect headers

5 Origin Protection

The origin should ONLY accept connections from the CDN. This is the most critical and most often misconfigured layer: if the origin address is reachable directly, every layer above it can be bypassed, and the CDN, WAF, and load balancer protect nothing.

# Nginx: allow only connections whose peer address belongs to the CDN.
# The two prefixes below are examples of CDN (Cloudflare) edge ranges; the
# complete, current list (IPv4 and IPv6) must come from the provider's
# published ranges and be refreshed, since prefixes are added and retired.
# Note: geo evaluates $remote_addr. If ngx_http_realip_module rewrites it
# from a CDN header, test the TCP peer instead: geo $realip_remote_addr $allow_cdn
geo $allow_cdn {
    default 0;
    173.245.48.0/20 1;
    103.21.244.0/22 1;
    # ... other CDN ranges
}

server {
    # Reject anything that did not arrive through the CDN.
    if ($allow_cdn = 0) {
        return 403;
    }
}
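As an added illustration of the origin-lockdown rule (example code, not from the article), the following Python reproduces the geo block's allow/deny decision offline, generates the block from a prefix list instead of hand-typing it, and flags access-log peers that reached the origin without passing through the CDN. The IPv6 prefix and the peer addresses are constructed sample values.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample allow-list: the two IPv4 prefixes from the article plus a
# documentation IPv6 prefix standing in for the CDN's IPv6 ranges. In production
# the list is the CDN provider's published ranges, refreshed on a schedule.
CDN_RANGES = ["173.245.48.0/20", "103.21.244.0/22", "2001:db8::/48"]

# Constructed sample of peer addresses as seen in the origin's access log.
SAMPLE_PEERS = ["173.245.48.10", "198.51.100.7", "2001:db8::1", "203.0.113.9"]


def parse_ranges(cidrs: Iterable[str]) -> List[Network]:
    """Parse CIDR strings; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(c.strip(), strict=True) for c in cidrs]


def is_from_cdn(addr: str, nets: List[Network]) -> bool:
    """The decision the nginx geo block makes: True when the peer is in a CDN prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets if n.version == ip.version)


def direct_hits(peers: Iterable[str], nets: List[Network]) -> List[str]:
    """Peers that reached the origin without passing through the CDN.
    Any hit here means the origin address is reachable directly (leaked or unfiltered)."""
    return [p for p in peers if not is_from_cdn(p, nets)]


def render_geo_block(nets: List[Network], var: str = "allow_cdn") -> str:
    """Emit the nginx geo block from the list. IPv6 prefixes are included on
    purpose: with only IPv4 entries, every IPv6 client, including the CDN's own
    IPv6 edges, would fall through to 'default 0' and be rejected."""
    lines = [f"geo ${var} {{", "    default 0;"]
    for n in sorted(nets, key=lambda n: (n.version, n)):
        lines.append(f"    {n.with_prefixlen} 1;")
    lines.append("}")
    return "\n".join(lines)


NETS = parse_ranges(CDN_RANGES)

if __name__ == "__main__":
    print(render_geo_block(NETS))
    print("direct-to-origin peers:", direct_hits(SAMPLE_PEERS, NETS))
```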

Risk Assessment Matrix

Configuration                Volumetric   Application (L7)   Origin Exposure   Overall
No CDN                       Critical     Critical           Critical          Critical
CDN only                     Low          High               Medium            Medium
CDN + WAF                    Low          Medium             Medium            Medium
CDN + WAF + Origin lockdown  Low          Low                Low               Low
Full stack + monitoring      Very Low     Very Low           Very Low          Very Low

Testing Your Architecture

Passive Testing (Safe)

Active Testing (Requires Authorization)

Load Testing (Controlled)

Test Your Architecture

DDactic provides automated tooling to assess, test, and monitor all layers of your DDoS defense architecture.


Conclusion

Effective DDoS defense requires:

  1. Multiple layers: No single solution is sufficient
  2. Proper configuration: Misconfiguration is the #1 vulnerability
  3. Origin protection: CDN is useless if origin is exposed
  4. Continuous monitoring: Threats evolve; defenses must too
  5. Regular testing: Theory isn't enough; validate in practice