Load balancers play a vital role in modern web infrastructure by distributing client traffic across multiple backend servers. This prevents overloading a single server, ensuring high availability, optimal performance, and ultimately minimising response time and maximising throughput.
In this blog post, I will dive into the fundamentals of load balancing, starting with basic routing and progressively adding advanced features like DDoS protection and request metrics to improve the system's security and observability.
A load balancer acts as a reverse proxy, distributing incoming requests across multiple backend servers.
Below is the basic structure of a load balancer:
class LoadBalancer {
  constructor() {
    this.proxy = httpProxy.createProxyServer({});
    this.serverManager = new ServerStateManager(serversConfig);
    this.algorithm = 'roundRobin';
  }

  handleRequest(req, res) {
    const healthyServers = this.serverManager.getHealthyServers();
    const target = this.chooseServer(healthyServers);
    this.forwardRequest(req, res, target);
  }
}
For a load balancer to work, it needs to be able to track the health and metrics of each server from a centralised location and choose the best server to forward requests to. This can be done with a dedicated server state manager:
class ServerStateManager {
  constructor(servers) {
    this.serverStates = new Map();
    this.initializeServers(servers);
    this.startHealthChecks();
  }

  checkServerHealth(server) {
    // Template literal so the server's actual host and port are interpolated
    http.get(`http://${server.host}:${server.port}/health`, (res) => {
      this.updateServerHealth(server, res.statusCode === 200);
    }).on('error', () => {
      this.updateServerHealth(server, false);
    });
  }
}
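The post doesn't show how health results update server state. Below is a minimal standalone sketch of what `updateServerHealth` could look like; the `FAILURE_THRESHOLD` of consecutive failed checks is my own assumption (not part of the original design), added so a single dropped request doesn't immediately mark a server unhealthy:

```javascript
// Sketch of the health-update side of a server state manager.
// FAILURE_THRESHOLD is an assumed tuning knob: a server is only marked
// unhealthy after several failed checks in a row, which avoids flapping.
const FAILURE_THRESHOLD = 3;

class HealthTracker {
  constructor() {
    this.states = new Map(); // serverId -> { healthy, consecutiveFailures }
  }

  updateServerHealth(serverId, checkPassed) {
    const state = this.states.get(serverId) ||
      { healthy: true, consecutiveFailures: 0 };
    if (checkPassed) {
      // Any successful check fully restores the server
      state.healthy = true;
      state.consecutiveFailures = 0;
    } else {
      state.consecutiveFailures++;
      if (state.consecutiveFailures >= FAILURE_THRESHOLD) {
        state.healthy = false;
      }
    }
    this.states.set(serverId, state);
    return state;
  }
}
```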
Load balancing algorithms determine how requests are distributed across backend servers. For this project, I've implemented two: Round Robin and Least Connections.
Round Robin is a simple algorithm that distributes requests sequentially across all servers. For example, with 3 servers, the load balancer forwards requests to server 1, then server 2, then server 3, and then back to server 1.
This algorithm is simple and easy to implement, but it doesn't take into account the load of each server. For example, if server 1 is under heavy load, it will still receive requests even though it may not be able to handle the load.
Below is the implementation of the Round Robin algorithm:
// Module-level state so the index persists across calls
let currentIndex = -1;

function roundRobin(servers) {
  if (!servers || servers.length === 0) return null;
  currentIndex = (currentIndex + 1) % servers.length;
  return servers[currentIndex];
}
Least Connections routes each request to the server with the fewest active connections. This algorithm is more complex to implement, as it requires tracking the state of each backend server, but it distributes load more evenly across all servers.
Below is the implementation of the Least Connections algorithm:
function leastConnections(servers) {
  if (!servers || servers.length === 0) return null;
  return servers.reduce((min, server) => {
    return server.connections < min.connections ? server : min;
  }, servers[0]);
}
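The `chooseServer` method in the load balancer skeleton earlier just needs to dispatch to whichever algorithm is configured. A possible sketch (standalone here, with both selectors inlined so it runs on its own; the lookup-table approach is my own choice):

```javascript
// Standalone sketch of dispatching between load balancing algorithms
// by name. Both selectors are repeated here for self-containment.
let currentIndex = -1;

function roundRobin(servers) {
  if (!servers || servers.length === 0) return null;
  currentIndex = (currentIndex + 1) % servers.length;
  return servers[currentIndex];
}

function leastConnections(servers) {
  if (!servers || servers.length === 0) return null;
  return servers.reduce(
    (min, server) => (server.connections < min.connections ? server : min),
    servers[0]
  );
}

const algorithms = { roundRobin, leastConnections };

function chooseServer(algorithm, servers) {
  // Fall back to round robin if an unknown algorithm name is configured
  const select = algorithms[algorithm] || roundRobin;
  return select(servers);
}
```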
To protect the load balancer from DDoS attacks, I've implemented multiple layers of defence:
class DDoSProtection {
  constructor(config = {}) {
    // Merge caller-supplied overrides with sensible defaults
    this.config = {
      rateLimit: {
        windowMs: 60000,        // 1-minute window
        maxRequests: 100
      },
      connectionLimit: {
        maxConnectionsPerIp: 10,
        maxGlobalConnections: 100
      },
      blacklist: {
        maxFailedAttempts: 5,
        banDuration: 300000     // 5-minute ban
      },
      ...config
    };
    this.requestCounts = new Map();
    this.activeConnections = new Map();
    this.failedRequests = new Map();
    this.blacklistedIPs = new Map();
  }
}
Rate limiting is a technique used to prevent abuse by limiting the number of requests a client can make within a certain time period.
This is implemented by tracking the number of requests made by each IP address and blocking any requests that exceed the configured limit:
isRateLimited(clientIP) {
  const now = Date.now();
  const windowStart = now - this.config.rateLimit.windowMs;
  if (!this.requestCounts.has(clientIP)) {
    this.requestCounts.set(clientIP, []);
  }
  const requests = this.requestCounts.get(clientIP);
  // Starting from the oldest request, drop any requests that have
  // fallen outside the current window
  while (requests.length && requests[0] < windowStart) {
    requests.shift();
  }
  if (requests.length >= this.config.rateLimit.maxRequests) {
    return true;
  }
  // Record this request so it counts towards the window
  requests.push(now);
  return false;
}
Connection limiting is a technique used to prevent abuse by limiting the number of concurrent connections a client can make.
This is implemented by tracking the number of active connections made by each IP address and blocking any requests that exceed the configured limit:
isConnectionLimited(clientIP) {
  const currentConnections = this.activeConnections.get(clientIP) || 0;
  return currentConnections >= this.config.connectionLimit.maxConnectionsPerIp;
}
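For these counts to mean anything, connections also have to be tracked as they open and close. A possible sketch, assuming the load balancer calls `trackConnection` when a request arrives and `releaseConnection` when the response finishes (both method names are my own, not from the original code):

```javascript
// Sketch of per-IP connection bookkeeping. Entries are deleted when the
// count drops to zero so the Map doesn't grow without bound.
class ConnectionTracker {
  constructor(maxPerIp = 10) {
    this.maxPerIp = maxPerIp;
    this.activeConnections = new Map(); // ip -> open connection count
  }

  trackConnection(clientIP) {
    const current = this.activeConnections.get(clientIP) || 0;
    if (current >= this.maxPerIp) return false; // reject: over the limit
    this.activeConnections.set(clientIP, current + 1);
    return true;
  }

  releaseConnection(clientIP) {
    const current = this.activeConnections.get(clientIP) || 0;
    if (current <= 1) {
      this.activeConnections.delete(clientIP);
    } else {
      this.activeConnections.set(clientIP, current - 1);
    }
  }
}
```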
IP blacklisting is a technique used to prevent abuse by blocking requests from IP addresses that have previously been flagged as malicious, e.g. IPs that have made too many failed requests, or that have repeatedly exceeded the rate limit or connection limit.
This is implemented by tracking the number of failed requests made by each IP address and blocking any requests that exceed the configured limit:
incrementFailedRequest(clientIP) {
  const fails = (this.failedRequests.get(clientIP) || 0) + 1;
  // Persist the updated count so it accumulates across requests
  this.failedRequests.set(clientIP, fails);
  if (fails >= this.config.blacklist.maxFailedAttempts) {
    this.blacklistedIPs.set(clientIP, Date.now() + this.config.blacklist.banDuration);
  }
}
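Since each ban is stored as an expiry timestamp, the corresponding lookup can let bans lapse after `banDuration`. A sketch of that check (`isBlacklisted` is my own naming for a method the post doesn't show):

```javascript
// Sketch of a blacklist check: a ban is stored as an expiry timestamp,
// so expired entries can be cleaned up lazily on the next lookup.
class Blacklist {
  constructor(banDuration = 300000) {
    this.banDuration = banDuration;
    this.blacklistedIPs = new Map(); // ip -> ban expiry (ms since epoch)
  }

  ban(clientIP, now = Date.now()) {
    this.blacklistedIPs.set(clientIP, now + this.banDuration);
  }

  isBlacklisted(clientIP, now = Date.now()) {
    const expiry = this.blacklistedIPs.get(clientIP);
    if (expiry === undefined) return false;
    if (now >= expiry) {
      this.blacklistedIPs.delete(clientIP); // ban has expired
      return false;
    }
    return true;
  }
}
```

Passing `now` as a parameter (defaulting to `Date.now()`) keeps the expiry logic easy to unit-test without mocking the clock.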
To properly protect the load balancer from DDoS attacks, it is important to monitor the requests it receives. This is done by tracking all requests made by each IP address, along with other metrics such as request endpoints, for detailed statistics.
class RequestMetrics {
  constructor() {
    this.metrics = {
      totalRequests: 0,
      requestsByEndpoint: new Map(),
      requestsByIP: new Map(),
      requestsByStatus: new Map(),
      responseTimeSum: 0
    };
  }

  trackRequest(req, res, startTime) {
    const clientIP = req.headers['x-forwarded-for'] || req.socket.remoteAddress;
    const endpoint = req.url;
    const duration = Date.now() - startTime;

    // Update general metrics
    this.metrics.totalRequests++;
    this.metrics.responseTimeSum += duration;
    this.metrics.requestsByEndpoint.set(endpoint,
      (this.metrics.requestsByEndpoint.get(endpoint) || 0) + 1);
    this.metrics.requestsByStatus.set(res.statusCode,
      (this.metrics.requestsByStatus.get(res.statusCode) || 0) + 1);

    // Track IP-specific metrics
    let ipMetrics = this.metrics.requestsByIP.get(clientIP);
    if (!ipMetrics) {
      ipMetrics = {
        count: 0,
        endpoints: new Set(),
        requestsByEndpoint: {}
      };
      // Store the new entry so it persists across requests
      this.metrics.requestsByIP.set(clientIP, ipMetrics);
    }
    ipMetrics.count++;
    ipMetrics.endpoints.add(endpoint);
    ipMetrics.requestsByEndpoint[endpoint] =
      (ipMetrics.requestsByEndpoint[endpoint] || 0) + 1;
  }
}
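The `getMetrics` method used by the metrics endpoint isn't shown above. A plausible sketch, assuming it derives an average response time from the running sum and converts the `Map`s into plain objects (since `Map`s don't serialise to JSON directly); the `averageResponseTimeMs` field is my own addition:

```javascript
// Sketch of a getMetrics method: converts Maps to plain objects for
// JSON serialisation and derives an average response time.
class MetricsReporter {
  constructor(metrics) {
    this.metrics = metrics; // the RequestMetrics.metrics object
  }

  getMetrics() {
    const m = this.metrics;
    return {
      totalRequests: m.totalRequests,
      averageResponseTimeMs: m.totalRequests > 0
        ? m.responseTimeSum / m.totalRequests
        : 0,
      requestsByEndpoint: Object.fromEntries(m.requestsByEndpoint),
      requestsByStatus: Object.fromEntries(m.requestsByStatus)
    };
  }
}
```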
I exposed these metrics through a dedicated endpoint, which can be accessed by any client (just me rn lol):
if (req.url === '/metrics') {
  res.writeHead(200, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify(this.metrics.getMetrics(), null, 2));
  return;
}
My load balancer is able to achieve high performance through:
Using the Jest framework, I created a comprehensive suite of tests to ensure the load balancer works as expected:
For example, the below test ensures the load balancer enforces the global connections limit by sending (MAX_GLOBAL_CONNECTIONS + 5) requests from different IP addresses to the load balancer:
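Stripped of the Jest harness, the idea behind that test can be simulated directly: attempt MAX_GLOBAL_CONNECTIONS + 5 connections from distinct IPs and check that only the first MAX_GLOBAL_CONNECTIONS are admitted. The sketch below re-implements a minimal global limiter rather than calling the real load balancer, so it is an illustration of the property under test, not the actual test code:

```javascript
// Minimal simulation of the global-connection-limit behaviour: once
// MAX_GLOBAL_CONNECTIONS connections are open, further connections are
// rejected regardless of which IP they come from.
const MAX_GLOBAL_CONNECTIONS = 100;

function simulateConnections(attempts, maxGlobal = MAX_GLOBAL_CONNECTIONS) {
  let open = 0;
  const results = [];
  for (let i = 0; i < attempts; i++) {
    // Each attempt is treated as coming from a distinct (fake) IP
    const admitted = open < maxGlobal;
    if (admitted) open++;
    results.push(admitted);
  }
  return results;
}

const results = simulateConnections(MAX_GLOBAL_CONNECTIONS + 5);
```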
It's been a while since I last worked on a web development project, and one thing I'm particularly proud of is how much my security mindset has influenced my approach. Instead of blindly building applications, I now critically analyse every line of code and every application behaviour, anticipating how an attacker might exploit potential vulnerabilities, for example by mounting a DDoS attack.
This project has deepened my understanding of how production traffic is managed while maintaining both security and observability.
In terms of future improvements to this project, I plan to implement: