Our upstream infrastructure provider has DDoS protection. It’s kicked in many times over the past few months and it appears to work well.
The RPS number itself isn’t as relevant as packets per second on their end. Since all apps have anycast IP addresses, the load is at least distributed between our edge servers. Currently, our proxy will shed its load once certain connection concurrency and/or connection rate thresholds are reached for an app. There’s also a global limit.
We’re tweaking these limits from time to time and are probably going to change strategy sooner rather than later. Our proxy can handle a lot of connections, but other resources on each of our edge servers are more problematic.
So the answer is: our upstream infrastructure provider offers us some DDoS protection. It’s not ideal, but it’s been good up until now. As we grow we’ll come up with better protection on this front.
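The load-shedding behaviour described in the post (a per-app concurrency threshold, a per-app connection-rate threshold and a global limit) can be sketched as an admission check like the one below. This is an added example, not the provider's or the proxy's own code; the class name, reason strings, token-bucket rate limiter and all threshold values are assumptions chosen for illustration.

```python
import time
from collections import defaultdict

class LoadShedder:
    """Admission control: per-app concurrency, per-app connection rate, global cap."""

    def __init__(self, app_max_conns, app_conn_rate, global_max_conns,
                 clock=time.monotonic):
        self.app_max_conns = app_max_conns        # concurrent connections per app
        self.app_conn_rate = app_conn_rate        # new connections per second per app
        self.global_max_conns = global_max_conns  # concurrent connections, all apps
        self.clock = clock                        # injectable so tests control time
        self.active = defaultdict(int)            # app -> open connections
        self.total_active = 0
        self.buckets = {}                         # app -> (tokens, last_refill_time)

    def _take_token(self, app):
        now = self.clock()
        tokens, last = self.buckets.get(app, (float(self.app_conn_rate), now))
        # Refill in proportion to elapsed time, capped at one second's burst.
        tokens = min(float(self.app_conn_rate),
                     tokens + (now - last) * self.app_conn_rate)
        if tokens < 1.0:
            self.buckets[app] = (tokens, now)
            return False
        self.buckets[app] = (tokens - 1.0, now)
        return True

    def try_accept(self, app):
        """Return (accepted, reason). The rate token is spent only if the
        concurrency checks pass, so rejected connections do not drain it."""
        if self.total_active >= self.global_max_conns:
            return False, "global_limit"
        if self.active[app] >= self.app_max_conns:
            return False, "app_concurrency"
        if not self._take_token(app):
            return False, "app_rate"
        self.active[app] += 1
        self.total_active += 1
        return True, "ok"

    def release(self, app):
        """Call when a connection closes so its slot is freed."""
        if self.active[app] > 0:
            self.active[app] -= 1
            self.total_active -= 1
```

Logging the rejection reason per app makes it possible to tell a single noisy app (`app_concurrency`, `app_rate`) from server-wide pressure (`global_limit`) when tuning the limits.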