Docs
Getting started

How it works

The request path: from the player to your backend through the Infinity-Filter edge.

architecturereverse-proxy

Infinity-Filter is a reverse proxy. Players never reach your server directly — they reach an edge that filters traffic first.

The request path

  1. 1

    Player resolves a hostname

    A CNAME on the customer's domain points at one of our edge hostnames (front-de, front-fr, front-pl, front-ca, or a dedicated IP).

  2. 2

    Traffic hits the Infinity-Filter edge

    L3/L4 mitigation runs at the network card. Volumetric floods are dropped before they reach userspace.

  3. 3

    L7 inspection

    Bad packets, abusive bot patterns and connection-rate abuse are filtered at the application layer.

  4. 4

    Clean traffic is forwarded to the backend

    The real client IP is forwarded via PROXY protocol (or the Infinity-Filter plugin) so your backend sees the player, not us.

Where mitigation runs

LayerWhere it runsWhat it catches
L3/L4OVH’s filtering layer, upstream of Infinity-FilterUDP/TCP/ICMP floods, SYN floods, amplification attacks
Infinity-Filter L4Edge nodes (FR, DE, PL, CA)Per-IP rate limits, malformed packets, bot fingerprints
Infinity-Filter L7Edge nodesConnection-rate abuse, antibot challenges, Anti-VPN
BackendYour serverOnline-mode encryption is enforced after the proxy — payload inspection inside premium-auth connections must come from a server-side plugin (e.g. LPX-AntiPacketExploit).

OVH’s filtering layer has demonstrated capacity at 1.5 Tb/s+, and Infinity-Filter’s edge drops 17 Tb/s+ of malicious traffic at peak and stops ~20M req/s at L7.

Why this design matters

Edge filtering vs. origin filtering

By the time abusive traffic reaches your backend, it has already cost you bandwidth, CPU and player slots. Dropping it at our edge means the malicious side of the connection never touches your server.

Even on an OVH-protected dedicated server, the NIC itself is usually a 1 Gbit interface that becomes the bottleneck during a volumetric flood. Infinity-Filter absorbs the flood before it reaches that NIC.

Origin IP secrecy

Players never resolve your backend IP. The only public record is your domain’s CNAME pointing at Infinity-Filter. As long as the backend firewall only accepts our IP ranges, the origin stays unreachable.

Multi-PoP architecture

Infinity-Filter operates from four PoPs (Canada, Germany, France, Poland). You pick the edge region per domain in Network → Domains. The right region is whichever PoP has the lowest RTT to your backend — run the built-in Latency Test before choosing.

What’s next

Features A complete inventory of what Infinity-Filter does. Setup guide The complete network setup walkthrough. Account setup Secure your account with 2FA and link your Discord.

Last updated: May 28, 2026