Network security: survive a layered DDoS

Take a small HTTP service with one expensive, cacheable endpoint and keep p99 latency under target and the origin alive under a distributed cache-busting L7 flood — without simply buying 10x more capacity — proving each defense layer with measurements.

• Build or take a small HTTP service (Go/Node/any) with one deliberately expensive endpoint: a query that hits a database or does real work, fronted by a cache keyed on the request path or query string.
• Put a reverse proxy / edge in front (nginx, Caddy, or a local CDN-like layer) and wire observability: request rate, cache-hit rate, origin in-flight/queue depth, p50/p99 latency, and 503 rate — five signals, logged or graphed.
• Reproduce the attack: a load generator sending GET requests with a unique ?x=random per request from many simulated source IPs, each below any sane per-IP limit, so cache-hit rate collapses and the origin overloads. Capture the baseline (cache-hit drop, origin saturation, p99 blowup).
• Add a token-bucket or sliding-window-counter rate limit per IP at the edge; show it stops a single-IP flood but does NOT stop the distributed cache-busting attack (no single IP exceeds the limit). Record the numbers proving the gap.
• Add a WAF-style rule (or anomaly heuristic) that fingerprints the attack (e.g. unique-param-per-request, identical headers, missing Referer) and measure its false-positive rate against a sample of real-looking traffic.
• Add adaptive concurrency limiting at the origin: when in-flight exceeds a capacity threshold, shed load with fast 503s. Show that under the same distributed flood, the origin stays responsive and legitimate requests still complete.
• Re-run the identical attack with all layers active and record after numbers next to before; legitimate-request p99 should hold under target and the origin should never saturate.

• A before/after table: cache-hit rate, origin in-flight peak, 503 rate, legitimate-request p99, measured under the same load — not estimated.
• Evidence that per-IP rate limiting alone fails against the distributed attack (the gap is shown, not assumed), and that adaptive concurrency closes it.
• The WAF/heuristic rule's measured false-positive rate on legitimate traffic, with a stated decision on whether it runs in block or detect mode and why.
• A one-paragraph write-up: which layer stopped which attack variant, in what order you added them, and why adaptive concurrency was the layer that actually saved the origin.