Floe Proxy
So We Made a Thing: It’s Called Floe (Maybe You’ll Like It?)
Here at Voxga Research, we tinker. Sometimes things break, sometimes things almost work, and sometimes we actually finish something. Today falls into that last category. We built a Layer 7 reverse proxy (WAF) for stopping DDoS attacks and bad bots (how we are gonna do it). We’re calling it Floe. I know, just like a demolition business. Groundbreaking work.
Now, Floe isn’t exactly built from scratch in a cave with a box of scraps (though sometimes it felt like it). We’ve been hammering this out with our buddies over at Papyrus VIP. They have lots of uplinks. Big uplinks.
The Big Problem We Ignored (Until Now): Getting Flooded
Why didn’t we build this sooner? Well, building a fancy L7 proxy is pointless if someone can just tip over the whole network with a flood of junk packets. We’re talking volumetric DDoS attacks – the kind that doesn’t care about your clever bot detection; it just wants to saturate your network link until it cries.
Dealing with that requires serious infrastructure. That’s where Papyrus VIP comes in. Here’s how we’re tackling the flood together:
- XDP Filters: Remember that flood? Papyrus has developed their own XDP filters. Think of it as a really, really fast bouncer that operates right at the network card and yeets packets from bad IPs before they bother the CPU. We have a blocklist that Floe can update super quick (using an eBPF map), letting us actually use those beefy 2x40Gbps NICs without the CPU melting. Big thanks to Papyrus and the Linux kernel wizards for that.
- Papyrus’s Anycast Network: Honestly, a lot of the magic is just… using Papyrus’s network. They give us access to over 500 Gbps of uplink capacity and 230 Tbps of upstream capacity. Yes, Tbps. That massive thing is already DDoS protected on the upstream, and we can add our own rules too. It’s nice having an upstream the size of a small country.
The Papyrus network has seen some things (battle-tested, if you want the buzzword). Floe talks directly to the filters using a UNIX Socket, making the whole system work together nicely.
Shiny New Toys in Floe
Okay, so we can (probably) survive the flood. What does Floe actually do at Layer 7?
- TCP Fingerprinting (JA4T): We look at the nerdy little details of how the TCP connection is set up. If you want a technical explanation you should be reading the JA4T Spec and not this blogpost. It’s an older trick, but surprisingly effective. Good luck getting JA4T level of detail on some other big platforms. :3
- TLS Fingerprinting (JA4): Similar idea, but for the encrypted handshake (TLS). The way a client says “hello” cryptographically often reveals if it’s a real browser or just some Python library (nerdy details). Yeah, Cloudflare has this, but only if you’re paying them a lot of $$$$$. We like making cool tech more accessible. And getting money in the process.
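To make the JA4T idea concrete, here is an added example (written for this post, not Floe’s own code) that derives a JA4T string from a raw TCP SYN header, following FoxIO’s published layout of window_optionkinds_MSS_windowscale. The SYN byte strings are constructed to look like common Linux and Windows client stacks, and rendering an absent field as "00" follows our reading of the spec.

```python
import struct

def build_syn(window: int, options: bytes, sport: int = 40000, dport: int = 443) -> bytes:
    """Build a bare TCP SYN header (no IP header) carrying the given options (constructed data)."""
    options += b"\x00" * (-len(options) % 4)       # pad option block to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset << 4, 0x02, window, 0, 0)
    return fixed + options

# Constructed option blocks, in the order these client stacks usually emit them.
LINUX_OPTS = (b"\x02\x04\x05\xb4"                # MSS 1460
              b"\x04\x02"                        # SACK permitted
              b"\x08\x0a" + b"\x00" * 8 +        # Timestamps
              b"\x01"                            # NOP
              b"\x03\x03\x07")                   # Window scale 7
WINDOWS_OPTS = (b"\x02\x04\x05\xb4"              # MSS 1460
                b"\x01"                          # NOP
                b"\x03\x03\x08"                  # Window scale 8
                b"\x01\x01"                      # NOP, NOP
                b"\x04\x02")                     # SACK permitted

def ja4t(tcp_header: bytes) -> str:
    """Return the JA4T fingerprint (window_kinds_mss_wscale) of a client SYN."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4
    if tcp_header[13] & 0x12 != 0x02:            # SYN set and ACK clear: client SYN only
        raise ValueError("not a client SYN")
    window = struct.unpack("!H", tcp_header[14:16])[0]
    opts = tcp_header[20:data_offset]
    kinds, mss, wscale = [], None, None
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                            # End-of-option-list: only padding follows
            break
        kinds.append(kind)
        if kind == 1:                            # NOP carries no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")  # never trust a length from the wire
        length = opts[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 3 and length == 3:
            wscale = opts[i + 2]
        i += length
    fmt = lambda v: "00" if v is None else str(v)  # "00" marks an absent field
    return f"{window}_{'-'.join(map(str, kinds)) or '00'}_{fmt(mss)}_{fmt(wscale)}"

if __name__ == "__main__":
    print(ja4t(build_syn(64240, LINUX_OPTS)))    # 64240_2-4-8-1-3_1460_7
    print(ja4t(build_syn(64240, WINDOWS_OPTS)))  # 64240_2-1-3-1-1-4_1460_8
```

A scripted client that claims a browser User-Agent but produces a SYN whose JA4T matches neither its claimed OS nor any common stack is exactly the mismatch Floe can key on.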
Coming Soon™: We’re also poking around with DNS Fingerprinting. More on that later. No promises on timeline!
How We Stick It All Together
We’re deploying Floe using Kubernetes because everyone else is doing it, and it mostly works. The load balancing across our different servers happens automatically thanks to the Papyrus Anycast network and some BGP fiddling (adjusting propagation and whatnot).
Don’t Forget Project Satyr (We Almost Did)
Floe needs good data to know who’s naughty and who’s nice. Big companies with zillions of users have tons of data. We… don’t have zillions of users (yet!). So, we came up with Project Satyr. It’s our plan to get smarter without spying on everyone.
It has two parts:
- Sharing Intel: We’re making friends with other L7 DDoS protection folks (the very cute ones) and swapping lists of bad IPs we’ve seen. Simple, but effective.
- Sneaky Honeypot Proxies: This is the fun part. We’re setting up proxies that look tasty to attackers, but secretly log everything and tell us who’s attacking us or our partners. We wrote a whole other blog post about this because it’s kind of neat (or maybe we just like typing). Go read that one for the juicy details.
What’s Next?
Floe is currently in Alpha. Might have some issues with things like websockets, or achieving sentience (unlikely). We’ll move to Beta, then… whatever comes after Beta (Stable? Release Candidate? We’ll figure out the name). Project Satyr is starting small with 10 honeypots. DNS Fingerprinting is on the whiteboard. We’re busy building the dashboard and fixing Floe bugs first.
A Word for the Attackers: Look, we get it, breaking things is fun. But Floe and Satyr are specifically designed to make attacking us annoying and likely to get your actual IP reported. Maybe pick on someone else? Or just block our IPs? It’ll save us all some trouble. We know you won’t listen, but we had to try.
Okay, that’s the update. Go check out the Project Satyr post if you haven’t already.
Co-Authored by Sakura and Robin Hickmann