ProxyShield Engine

Three Layers of Defense.
Zero Compromise.

The API gateway that stops attacks before they reach your application — at the kernel, connection, and application level. No performance penalty, just pure defense.

Request Flow Through ProxyShield

  • Incoming traffic: all requests hit the server
  • Layer 1, kernel (iptables): packet dropped at the kernel, Node.js never sees it (~0ms)
  • Layer 2, TCP socket: connection destroyed before HTTP parsing (~0.01ms)
  • Layer 3, application: failure detection, threat scoring, ban escalation (~0.1ms)
  • Clean traffic → your API: only legitimate requests reach your backend

Defense in Depth

Each layer catches what the previous one missed. Together, they provide comprehensive protection without slowing down your API.

LAYER 01

Kernel-Level Packet Dropping

iptables / ip6tables

Banned IPs are added to a dedicated NOLXY_SHIELD iptables chain. Packets are dropped at the kernel level before they ever reach Node.js — zero CPU cost for your application.

  • Dedicated iptables chain (NOLXY_SHIELD) created at startup
  • IPv4 and IPv6 support via iptables and ip6tables
  • execFile() with args array — immune to shell injection
  • Automatic chain cleanup on graceful shutdown
  • Capability detection — falls back gracefully if iptables unavailable

LAYER 02

TCP Socket Termination

server.on('connection')

Every new TCP connection is checked against the ban list before HTTP parsing begins. Banned connections are destroyed instantly — including all existing keep-alive connections for that IP.

  • Runs once per TCP connection, not per HTTP request
  • Instant ban lookups with no database queries
  • Active socket tracking — destroys ALL connections for banned IPs
  • Slowloris protection via header reception timeouts
  • Banned traffic blocked instantly at the network level

LAYER 03

Application-Level Threat Detection

Failure counting & progressive banning

Authentication failures, rate limit violations, and IP block hits are tracked per IP. Repeated offenses trigger automatic bans with escalating durations.

  • 5 auth failures → automatic ban
  • Repeated rate limit violations → network-level block
  • Progressive ban escalation (repeated bans within 1 hour → longer duration)
  • Per-source failure tracking (auth, ratelimit, ipblock)
  • Threat score calculation for analytics

Beyond the Layers

ProxyShield includes additional security mechanisms that work together with the three-layer defense.

Distributed Ban Propagation

Bans propagate instantly to all gateway nodes. Ban an IP on one node and it is blocked on all nodes within milliseconds.

Active Connection Killing

When an IP is banned, all existing keep-alive TCP connections for that IP are immediately destroyed. No waiting for timeout — instant termination.

Negative Caching

Invalid API keys are cached to prevent cache-bypass DoS attacks. Attackers can't flood your database with invalid key lookups.

Zero Overhead for Legitimate Traffic

Legitimate traffic never touches ProxyShield. Ban checks have zero overhead — no database queries, no latency impact.

Stop Attacks at the Network Level

ProxyShield is included in every Nolxy plan. No configuration needed. Just deploy and you're protected.