A reverse proxy is a defensive control, one of the architectural buffers a DDoS test probes to see how much attack traffic it absorbs before the origin feels it. It sits in front of one or more backend servers, terminating client connections and forwarding only the requests it chooses to pass on. Because clients never speak to the origin directly, the proxy can enforce rate limits, run challenge-response checks, cache responses, and hide the real origin IP. Most CDN and WAF deployments are reverse proxies at their core.
Why it matters in DDoS testing
A reverse proxy is only as protective as its weakest bypass. If the origin IP leaks (through DNS history, certificate transparency logs, or a misconfigured direct route), an attacker floods it directly and the proxy never sees the traffic. A test validates that the origin is unreachable except through the proxy, and that the proxy's own connection and worker pools survive the load.
For running that validation without taking production down, see Running a DDoS Test Without Disrupting Production.
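A configuration-side complement to that test, as an added example that is not part of the original page: it audits an origin's ingress rules and DNS zone for paths that bypass the proxy. The rule and record formats, names, and addresses are constructed assumptions (documentation ranges), and rule ordering is not modelled.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not real infrastructure).
PROXY_EGRESS = ["198.51.100.0/24", "203.0.113.0/25"]  # assumed proxy egress ranges
ORIGIN_IP = "192.0.2.10"                               # assumed origin address
ORIGIN_PORTS = {80, 443}

FIREWALL_RULES = [  # hypothetical ingress rules on the origin
    {"name": "cdn-a", "source": "198.51.100.0/24", "port": 443, "action": "allow"},
    {"name": "cdn-b", "source": "203.0.113.0/24", "port": 443, "action": "allow"},
    {"name": "legacy", "source": "0.0.0.0/0", "port": 80, "action": "allow"},
    {"name": "ssh-admin", "source": "10.0.0.0/8", "port": 22, "action": "allow"},
    {"name": "deny-all", "source": "0.0.0.0/0", "port": 443, "action": "deny"},
]

DNS_RECORDS = [  # hypothetical zone contents
    {"name": "www.example.test", "type": "A", "value": "198.51.100.7"},
    {"name": "direct.example.test", "type": "A", "value": "192.0.2.10"},
    {"name": "mail.example.test", "type": "A", "value": "192.0.2.10"},
]


def bypass_rules(rules, proxy_cidrs, origin_ports):
    """Return names of allow rules that let non-proxy sources reach origin ports."""
    proxies = [ipaddress.ip_network(c) for c in proxy_cidrs]
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["port"] not in origin_ports:
            continue
        src = ipaddress.ip_network(rule["source"])
        # A rule is safe only if its whole source range sits inside a proxy range.
        covered = any(src.version == p.version and src.subnet_of(p) for p in proxies)
        if not covered:
            findings.append(rule["name"])
    return findings


def leaking_records(records, origin_ip):
    """Return DNS names that publish the origin address directly."""
    origin = ipaddress.ip_address(origin_ip)
    return [r["name"] for r in records
            if r["type"] in ("A", "AAAA") and ipaddress.ip_address(r["value"]) == origin]


if __name__ == "__main__":
    print("Rules allowing bypass:", bypass_rules(FIREWALL_RULES, PROXY_EGRESS, ORIGIN_PORTS))
    print("Records exposing origin:", leaking_records(DNS_RECORDS, ORIGIN_IP))
```

Note that `cdn-b` is flagged because its /24 is wider than the /25 the proxy actually uses, the kind of over-broad allow rule that leaves a direct route open.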