Overview

Deflect is a network of geographically distributed edge servers, primarily doing reverse proxy caching of your website’s content. Using short-time-to-live DNS and advanced mitigation of malicious network activity, Deflect improves website performance and stability. In particular, clients choosing Deflect do so to protect their website against DDoS and brute force attacks, to improve response times for their readers and to reduce their hosting and infrastructure costs.

Design

Deflect is designed as a robust, low cost, non-proprietary and easily reproducible system to provide protection to multiple websites, which we call “Origins”.

The system is built to process Web traffic requests and can efficiently absorb large traffic spikes, often seen during an attack. Deflect fetches original content from the Origins and stores it on servers we operate around the world – we refer to them as ‘Edges’. The caching component is handled by Apache Traffic Server.

Deflect in Action

What happens when you access a Deflect-protected website:

  1. Enter the website’s address in the browser (e.g. website.com)
  2. The DNS will retrieve an alias pointing to our pool of edges. One of these edges is then selected using round-robin DNS.
  3. If a Deflect edge has the content of the requested page in its cache, it will immediately reply to the browser. If the content is not already cached, the edge will request it from the origin and reply to the browser, storing the content in cache for future requests.
  • Your DNS: The registrar where you bought the domain name. This is where you will need to change the nameservers to join Deflect. This is also where you can nominate to leave the Deflect service, by changing the nameservers back to their original setting.
  • Deflect DNS: Our DNS service processes requests for your domain and replies to the browser with a Deflect edge IP. After switching to Deflect, all requests to *.website.com go through this channel.
  • Website visitors and bots: Your readers and automated bots – both benign (e.g. search engines) and malicious (e.g. attackers) – requesting a page from your website
  • Deflect
    • Edges: caching servers, distributed around the world in various data centers. Deflect edges encrypt content at rest.
    • Mitigation: Various in-house technologies distinguish between legitimate and malicious visitors, blocking the latter.
    • Encryption Certificates (TLS): You can maintain (or introduce) encrypted connections between your readers and your website (e.g. https://). Deflect will establish an encrypted tunnel between your visitors and edges, as well as a separate tunnel between edges and your server. Note that TLS termination has to take place at the edge, for caching to work. More details about our approach here. [XXX XXX XXX]
    • Caching: Pages already retrieved from your website by the Deflect edge remain in cache. The default time period for storing cache is 10 minutes, but you can adjust this in the control panel.
  • Your server
    • Encryption Certificates (TLS): To create encrypted connections, your webserver must have a TLS certificate already installed (it can be a self-generated one as well). More info here. [XXX XXX XXX]
    • Website: Deflect can protect any type of website. We also offer WordPress hosting.
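
The request flow above (round-robin edge selection, a cache hit or an origin fetch, and the 10-minute default cache period) can be modelled in a few lines to show why a traffic spike barely reaches the origin. This is an added illustration, not Deflect's or Apache Traffic Server's code; the class and function names are hypothetical, each edge is assumed to keep its own independent cache, and strict per-request rotation stands in for round-robin DNS.

```python
# Added illustration: a toy model, not Deflect's or Apache Traffic Server's code.
from itertools import cycle

DEFAULT_TTL = 600  # seconds; the page's default cache period of 10 minutes


class Origin:
    """Stands in for the protected web server and counts the fetches it serves."""
    def __init__(self):
        self.fetches = 0

    def fetch(self, path):
        self.fetches += 1
        return f"<html>{path}</html>"


class Edge:
    """One caching reverse proxy with its own cache (assumed independent per edge)."""
    def __init__(self, origin, ttl=DEFAULT_TTL):
        self.origin, self.ttl, self.cache = origin, ttl, {}

    def handle(self, path, now):
        entry = self.cache.get(path)
        if entry and now < entry[0]:          # fresh copy: origin is not contacted
            return entry[1], "HIT"
        body = self.origin.fetch(path)        # miss or expired: go to the origin
        self.cache[path] = (now + self.ttl, body)
        return body, "MISS"


def simulate(requests, n_edges=3, ttl=DEFAULT_TTL):
    """requests: iterable of (timestamp_seconds, path). Returns (origin_fetches, hits)."""
    origin = Origin()
    pool = cycle([Edge(origin, ttl) for _ in range(n_edges)])  # round-robin selection
    hits = 0
    for now, path in requests:
        _, status = next(pool).handle(path, now)
        hits += status == "HIT"
    return origin.fetches, hits


# Constructed traffic: 3000 requests for "/" within one minute (a spike),
# then one more request per edge after the 10-minute TTL has passed.
spike = [(i * 0.02, "/") for i in range(3000)]
later = [(700 + i, "/") for i in range(3)]

if __name__ == "__main__":
    print(simulate(spike))          # origin sees one fetch per edge, not 3000
    print(simulate(spike + later))  # entries expired, each edge refetches once
```

In this model the origin load for a given page is bounded by the number of edges per cache period, regardless of how many visitors request it.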

How to Start

This is what you need to start:

  1. Control the DNS for your website(s).
  2. Know the IP address and editorial login URL of your website(s).

Then simply:

  1. Sign up at https://dashboard.deflect.ca/signup.
  2. We will send you an email with temporary login details to the Deflect control panel.
  3. Log in and follow the prompts to set up your website’s DNS, security settings and SSL/TLS certificates as necessary. We describe this process in detail here [XXX XXX XXX]. Note that if you choose to set up free Let’s Encrypt certificates on Deflect, they will only be generated once the DNS is pointing to us. This may take up to 30 minutes.
  4. Your application is processed and Deflect is configured to serve your website’s readers.
  5. When everything is ready, we send you a notification and instructions on how to proceed.
  6. Point your DNS nameservers (NS) to Deflect.