
The Invisible Layer of the Internet Nobody Talks About

Most developers think about the request-response cycle in terms they control: their application code, their database, their cloud infrastructure. But before a request reaches any of that, it passes through a layer of internet infrastructure they have no visibility into.

What's in the invisible layer

  • BGP routing decisions made by dozens of ISPs and transit providers.
  • DNS resolution through recursive resolvers that may cache stale records.
  • CDN edge nodes that may serve your content from a cache you can't inspect.
  • DDoS mitigation scrubbing centers that filter traffic before it reaches your edge.
  • Internet exchange points where traffic is handed between networks.

Why attackers think about it

Attackers understand this layer well. They know which networks are poorly filtered. They use BGP hijacking to redirect traffic. They exploit CDN misconfigurations to bypass security controls. They probe the invisible layer to find the path of least resistance to your origin.

Making it visible

You gain visibility into this layer by sitting in it. A reverse proxy at the edge gives you a vantage point before application logic and after the raw internet. From there you can see what the infrastructure delivers to your door and decide what to let through.
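One way to use that vantage point, as an added example (not code from the original post): classify each connection the edge proxy sees by whether its peer address belongs to the upstream CDN or scrubbing ranges you expect, and flag traffic that reached you by another path. The log format, the CIDR ranges (RFC 5737 documentation addresses) and the function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: egress ranges published by your CDN / scrubbing provider.
# RFC 5737 documentation ranges stand in for the real ones here.
EXPECTED_UPSTREAMS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed sample proxy log: "<tcp_peer_ip> <host_header> <method> <path>"
SAMPLE_LOG = """\
192.0.2.10 www.example.com GET /
198.51.100.7 www.example.com GET /login
203.0.113.50 www.example.com GET /admin
203.0.113.50 www.example.com GET /
198.51.100.200 www.example.com POST /login
not-an-ip www.example.com GET /
"""

def via_expected_upstream(peer):
    """True if the TCP peer lies inside a range traffic is expected to arrive from."""
    # Use the socket peer address, never X-Forwarded-For: the header is client-supplied.
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in EXPECTED_UPSTREAMS if net.version == addr.version)

def classify(log_text):
    """Split log lines into (via_upstream, direct, malformed) lists."""
    via, direct, malformed = [], [], []
    for line in log_text.splitlines():
        parts = line.split()
        try:
            if len(parts) != 4:
                raise ValueError("unexpected field count")
            ok = via_expected_upstream(parts[0])
        except ValueError:
            malformed.append(line)  # keep unparseable lines for review, do not drop them
            continue
        (via if ok else direct).append(tuple(parts))
    return via, direct, malformed

def direct_hits_by_peer(log_text):
    """Count requests per peer that did not arrive through an expected upstream."""
    _, direct, _ = classify(log_text)
    return Counter(peer for peer, *_ in direct)

if __name__ == "__main__":
    print(direct_hits_by_peer(SAMPLE_LOG).most_common())
```

Peers that show up in the direct count are candidates for an allowlist rule at the proxy or firewall, so that only the expected upstream ranges can reach the origin.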