
The no-load-balancer alternative

X99

I'm working on a project where clients exchange data with services. We designed a proxy between the service and the client that anonymizes the user's data so anyone breaching the database would only get a massive amount of useless data.

Of course, our proxy layer needs to scale, so we put it behind a load balancer using k8s.

The problem is: the Load Balancer is currently the SPOF (single point of failure) of our system. If an attacker controls it to slow down the traffic and redirect it to only one instance of our proxies, then he can achieve re-identification and thus compromise the whole service.

We are investigating many approaches, and one of them is the "no load balancer". In this architecture, every client must retrieve from another server (which is, in our model, completely trusted) the proxies' IPs, then choose one of them randomly. Using this technique, an attacker would have to control a large percentage of clients to achieve re-identification, which is way harder. And the whole would self-balance.

This vision of the whole system has a huge drawback, as it needs a public IP for each proxy instance, but it completely gets rid of the main problem.

Technically, all of this is feasible. But what about the real world? I have very little experience with deploying production services, so any opinion is welcome.
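The client-side selection described in the question, as an added sketch that is not part of the original post: each client tries the proxies in a fresh random order, and a small simulation measures how much traffic any single proxy ends up seeing. It assumes the proxy list has already been fetched from the trusted server; the addresses are constructed samples and the function names are hypothetical.

```python
import secrets
from collections import Counter

# Constructed sample list (RFC 5737 documentation range); in the design from
# the question, the client would get this from the trusted directory server.
PROXIES = [f"203.0.113.{i}" for i in range(1, 9)]

_rng = secrets.SystemRandom()  # OS CSPRNG, so a client's choice is not predictable


def connect_with_failover(proxies, try_connect, rng=_rng):
    """Try proxies in a uniformly random order; return the first that accepts.

    Shuffling the whole list (instead of "pick one, then fall back to the next
    in list order") keeps a failed proxy's clients from piling onto a single
    neighbour, which would recreate the traffic concentration being avoided.
    """
    order = list(proxies)
    rng.shuffle(order)
    for proxy in order:
        if try_connect(proxy):
            return proxy
    raise ConnectionError("no proxy reachable")


def simulate(n_clients, proxies, down=frozenset(), rng=_rng):
    """Return the share of clients that lands on each proxy."""
    hits = Counter(
        connect_with_failover(proxies, lambda p: p not in down, rng)
        for _ in range(n_clients)
    )
    return {p: hits[p] / n_clients for p in proxies}


if __name__ == "__main__":
    healthy = simulate(10_000, PROXIES)
    print("largest share, all proxies up:", max(healthy.values()))
    degraded = simulate(10_000, PROXIES, down={PROXIES[0], PROXIES[1]})
    print("largest share, two proxies down:", max(degraded.values()))
```

With N healthy proxies, each one sees about 1/N of the clients, so the share any single instance observes shrinks as instances are added and grows as they fail.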
