The most common question we get from prospective customers is: 'How much work is the integration?' The answer surprises most engineering teams: you update a DNS record, and you're protected. No new hardware, no reconfiguring your servers, no changing your IP addresses. Here's exactly what happens under the hood.
Step 1: The DNS Change
When you sign up, Akarguard gives you a CNAME target — something like shield.akarguard.net. You update your domain's DNS record to point at that address instead of your origin server. From that moment, all traffic destined for your domain flows through Akarguard's scrubbing infrastructure first.
One critical rule
Keep your origin server's IP address private. Never let it appear in public DNS, WHOIS records, or email headers. If attackers find it, they can target you directly and bypass the proxy. Akarguard's onboarding checklist walks you through every place your real IP might leak.
Step 2: Traffic Enters the Scrubbing Layer
Every request — legitimate or malicious — now hits Akarguard's scrubbing infrastructure before touching your servers. At this point, our detection pipeline goes to work in real time.
- Volumetric L3/L4 floods (UDP floods, SYN floods, amplification attacks) are identified by traffic volume and packet signatures.
- L7 attacks (HTTP floods, slowloris, cache-busting) are identified through behavioral analysis: request rates, TLS fingerprinting, user-agent patterns, and timing anomalies.
- Known malicious IP ranges, Tor exit nodes, and botnet C2 infrastructure are blocked at ingress.
- Suspicious sessions receive a JavaScript or CAPTCHA challenge — invisible to real browsers, impossible for most bots.
Step 3: Attack Traffic Is Dropped, Clean Traffic Passes
Traffic classified as malicious is dropped at the proxy layer. It never reaches your origin server — not a single packet. Clean, verified traffic is forwarded to your origin over an encrypted connection. From your server's perspective, it only ever sees normal-looking requests from Akarguard's proxy IPs.
What About Latency?
A common concern is that adding a proxy layer will slow things down. In practice, the overhead is under 2ms for most requests — imperceptible to users. For cached responses, we can serve content directly from the proxy without hitting your origin at all, which is actually faster than a direct connection for geographically distant users.
SSL/TLS and HTTPS
Akarguard terminates TLS at the proxy layer, inspects the decrypted request, re-encrypts it, and forwards it to your origin over HTTPS. This is necessary to perform L7 inspection — encrypted traffic is opaque to network-level inspection. Your visitors always see a valid certificate and a fully encrypted connection.
The best DDoS protection is the kind your team doesn't have to think about. One DNS record, and it's running. That's the promise of reverse-proxy protection.