Level 14 · Bot Flood
EDGE SECURITY

Stage 4 · Edge Security · WAF · Rate Limiting · DDoS

Bot Flood

Your ticket-sales site is getting scraped to death: half of all traffic is bots hammering random pages. Your cache can't help — the junk requests never repeat, so every one of them punches through to the database while real customers watch spinners. Stop the flood at the front door, before it touches your origin.

Requirements

Functional

  • ·Legitimate customers get served while bot traffic is filtered before it reaches the database

Non-functional

  • ·~350 requests/sec total
  • ·50% of it malicious bot traffic that never cache-hits
  • ·p99 latency ≤ 250ms
  • ·99% availability for legitimate users

Constraints

  • ·Budget: $9/hr or less
  • ·Attack traffic must be filtered at the edge — a cache alone does not stop it

Out of scope

  • ·CAPTCHA/bot-detection heuristics — the filter is a black box you place, not build

TrafficRequests per second — the rate of incoming traffic this level throws at your system.

~350 r/s · read-heavy
90% reads · 10% writesWhat fraction of requests are reads (fetches) vs writes (updates) — this decides which components sit on the hot path.· 50% bot trafficMalicious/automated requests mixed into normal traffic. They never get cache hits, and only count against you if they get through — a WAF or rate limiter can filter them out.

Win conditions

  • p99 latency99% of requests finish at or under this time — a stricter tail-latency bar than p95 that catches worst-case slowness.≤ 250ms
  • availabilityThe share of legitimate requests that succeeded, out of everything sent your way. 99% still means 1 in 100 users saw an error.≥ 99%
  • throughputHow many requests per second your system actually completed — not requested, completed.≥ 150 r/s
  • error rateThe share of requests that failed outright: timeouts, drops, or capacity overload.≤ 2%
  • costWhat your architecture costs to run per hour, based on the instances and components you've wired up.≤ $9/hr
Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

Drag components from the right → connect their handles → Run.

Drag onto canvas

Components

Client

ClientWhere traffic originates.

Compute

API GatewayFront door — the app tier requests pass through.
500 r/s · 20ms · $2/hr
BackendA second compute tier for heavier processing.
350 r/s · 25ms · $2/hr

Storage

SQL DatabaseRelational store. Durable, but the lowest throughput.
200 r/s · 50ms · $3/hr
NoSQL DB3× the throughput of SQL — at a premium. Pay for it only when the load demands it.
600 r/s · 30ms · $4/hr
Redis CacheIn-memory read-cache — absorbs repeated reads. Useless for writes.
5000 r/s · 3ms · $2/hr
Read ReplicaRead-only copy of the primary — scales reads past the primary's own ceiling.
200 r/s · 55ms · $3/hr
DB StandbyHot backup that takes over only when the primary fails.
200 r/s · 50ms · $3/hr

Networking

CDNEdge read-cache — serves content near the user.
50000 r/s · 5ms · $1/hr
Load BalancerManaged, premium front door — highest ceiling, lowest latency, costs more.
10000 r/s · 2ms · $2/hr
Reverse ProxyCheaper self-hosted front door — lower ceiling, the smart buy under 8,000 r/s.
8000 r/s · 3ms · $1/hr

Messaging

QueueACKs writes instantly, drains them to storage — absorbs bursts, not sustained overload.
8000 r/s · 8ms · $1/hr

Security

WAFInspects requests — blocks ~95% of attack traffic at the edge.
20000 r/s · 3ms · $1/hr
Rate LimiterVolumetric shield — blocks ~80% of abusive traffic, barely any latency.
20000 r/s · 1ms · $1/hr