Deflect
Over a million people access websites protected by Deflect daily. A few bots coming knocking too 😉
Deflect is a network of geographically distributed edge servers, primarily doing reverse proxy caching of your website’s content. Using short-time-to-live DNS and advanced mitigation of malicious network activity, Deflect improves website performance and stability. In particular, clients choosing Deflect do so to protect their website against DDoS and brute force attacks, to improve response times for their readers and to reduce their hosting and infrastructure costs.
Design
Deflect is designed as a robust, low cost, non-proprietary and easily reproducible system to provide protection to multiple websites, which we call “Origins”. The system is built to process Web traffic requests and can efficiently absorb large traffic spikes, often seen during an attack. Deflect fetches original content from the Origins and stores it on servers we operate around the world – we refer to them as ‘Edges’. The caching component is handled by Apache Traffic Server.
Attack Mitigation
Hand-written and machine generated rules, advanced challenges to distinguish bots from humans.
Cached Content
Deflect servers store cached copies of your website’s pages.
Hidden Origin
Only Deflect needs to know where your website is hosted. The Internet only talks to Deflect servers.
Deflect infrastructure
Deflect is built on decentralization, with rented infrastructure in dozens of datacenters around the world. This approach offers flexibility and avoids central points of failure. Over the years we have worked with many providers and select the best among them by hardware specifications and network access, as well as their internal operating policies. We are keen to reduce the carbon footprint of our infrastructure and are continuously looking for datacenters powered by sustainable energy sources.
Due to our dynamic infrastructure model, we provision all machines with file system-level encryption.
| Provider | HQ Country | Data centers | Countries |
|---|---|---|---|
| Hetzner | Germany | FSN1-DC10, FSN1-DC6 | Germany |
| Limestone | U.S.A. | L.A., Dallas | U.S.A. |
| OneProvider | Canada | Amsterdam, Dusseldorf, London, New York | Germany, Netherlands, U.K., U.S.A. |
| OVH | France | ERI1 | U.K. |
| SeFlow | Italy | Milan | Italy |
| SoYouStart | France | BHS2, ERI1, RBX4, RBX2 | France, U.K., Canada |
| Veeble | Netherlands | NL, U.K. | Netherlands, U.K. |
What happens when you access a Deflect-protected website:
- Enter the website’s address in the browser (e.g. website.com)
- The DNS will retrieve an alias pointing to our pool of edges. One of these edges is then selected using round robin DNS
- If a Deflect edge has the requested page already in cache, it will reply to the browser. If the requested content does not exist in the cache, it will request it from the origin.
Your DNS: The registrar where you bought the domain name. This is where you will need to change the nameservers to join Deflect.
Deflect DNS: Our DNS service processes requests for your domain and replies to the browser with a Deflect edge IP. After switching to Deflect all requests to *.yourwebsite.com go through this pathway.
Visitors and bots: Your readers and bots – both benign (e.g. search engines bots) and malicious (e.g. attackers) – requesting a page from your website
Deflect
Edges: caching servers, distributed around the world and various data centers. Deflect edges encrypt content at rest.
Mitigation: Various in-house technologies distinguish between legitimate and malicious visitors, blocking the latter.
Encryption Certificates (TLS): You can maintain (or introduce) encrypted connections between your readers and your website (e.g. https://). Deflect will establish an encrypted tunnel between your visitors and edges, as well as a separate tunnel between edges and your server. Note that TLS termination has to take place at the edge, for caching to work.
Caching: Pages already retrieved from your website by a Deflect edge, remain in its cache. The default time period for storing cache is 10 minutes, but you can adjust this in the control panel.
Web server
Server: Your current hosting provider or the eQpress hosting platform.
Encryption Certificates (TLS): Creates an encrypted connection between a Deflect edge and your web server.
Website: Deflect can protect any type of website.