Engineering

We pointed a load balancer at nothing. The internet showed up anyway.

We are building L4 load balancers for ServersCamp, and we made one decision early: security would not be a separate product you bolt on later. It lives inside the balancer itself. Access modes (off, blacklist, whitelist), GeoIP, public threat lists, one-click IP bans, all enforced in the network layer before traffic ever reaches your backends. That is the first layer, and we are not stopping there: deeper inspection of what the traffic is actually doing, not just where it comes from, is on the way. More on that another time.

While building it, we did the obvious thing and pointed a test balancer at two tiny backends. They do nothing interesting: each returns its own hostname and IP as plain text. No DNS name, no links pointing to it, nobody told about it. Just a fresh public IP, doing nothing in particular.

Then we left it alone for a day and opened the analytics tab. This post is mostly about what we found there, because it is the kind of thing you only see once you start looking.

113 visitors to a server nobody knows about

In its first 24 hours, that idle balancer was contacted by 113 unique clients from 20 countries. Nothing was hosted on it. Nobody had the address. And yet here was a steady trickle of connections from all over the world.

Connections by country to a one-day-old test balancer that hosts nothing. The same map our customers see in their panel, here a fixed snapshot: 113 clients, 20 countries.

The map tells the story at a glance. The United States leads with 33 clients, followed by the Netherlands (21), Germany (14), then Brazil, Belgium, China, France and the UK. A balancer that serves nothing, lighting up four continents.

The breakdown by network is where it gets interesting. Here is the top of the list of who these clients actually were:

Network                What it is
Google LLC             Cloud
VPSVAULT.HOST          VPS hosting
Microsoft              Cloud
Zenlayer               Cloud
Hurricane Electric     Transit / hosting
DigitalOcean           Cloud

Notice what is missing: there is not a single residential ISP in the list. Every one is a hosting or cloud provider. These are not people. They are machines on rented infrastructure, sweeping the IPv4 space, knocking on every door to see what answers.

And they are not all friendly.

35% of those clients were already on public threat lists.
On a server that has existed for one day and hosts nothing.

Forty of the 113 appear on lists like FireHOL and Spamhaus, networks flagged for scanning, brute-forcing or abuse. They found the address anyway, because finding addresses is the entire job.

This is the background radiation of the internet

None of this is a targeted attack, and none of it is unusual. It is the constant background scan of the public internet: census crawlers, security researchers, botnets probing for open ports and weak services, and a long tail of opportunistic bots. The moment an IPv4 address goes live, it becomes a target, not because of anything it hosts, but simply because it exists and answers.

Most of the time you never see this. The packets arrive, your backend shrugs, and the noise blends into your access logs. But it is always there, and it is the reason "just put it behind a load balancer" should also mean "and give that load balancer a way to say no."

Which is exactly why we are building the security in

Watching this on our own test balancer, before the product is even finished, was a good reminder of why we are building it this way. Access control lives inside the balancer, so you can:

Whitelist the handful of sources that should ever reach a private or internal service, and drop everything else at the edge. The other 99% of that background noise never touches your backends.

Blacklist specific IPs or whole ranges the instant you spot abuse, enforced in the network, not in your application.

See where your traffic actually comes from, with country, provider and threat-list membership attached to every client, so "a third of these are already known-bad" is a fact you can see, not a guess. The usual caveat applies: public lists lag and include shared hosting ranges, so membership is a strong signal about a client, not proof of intent.

All of it runs at L4, in the network path ahead of your servers. No sidecar, no extra firewall box, no application changes. You flip it on and it takes effect in seconds.
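To make the access modes above concrete, here is an added example (ours, not ServersCamp's code) of the two pieces the post describes: a connection-time decision that evaluates off / blacklist / whitelist plus threat-list membership before any byte is proxied, and the per-client summary behind numbers like "40 of 113 are on a list". The FireHOL-style netset and the connection log are constructed from documentation prefixes; the ordering of the threat-list check relative to the access mode is this example's choice, not a documented product rule.

```python
"""Added example: L4 access decision plus per-client summary.
Illustrative code, not ServersCamp's implementation."""
import ipaddress
from collections import Counter

# Constructed FireHOL-style netset: one IP or CIDR per line, '#' comments.
# These are documentation/test prefixes, not a real feed.
THREAT_NETSET = """\
# constructed sample, not a real feed
198.51.100.0/24
203.0.113.7
203.0.113.128/25
"""

# Constructed connection log: (client_ip, country, network). Not real data.
SAMPLE_CONNECTIONS = [
    ("198.51.100.10", "US", "Example Cloud A"),
    ("198.51.100.10", "US", "Example Cloud A"),   # repeat client, counted once
    ("203.0.113.7",   "NL", "Example VPS B"),
    ("203.0.113.200", "DE", "Example Cloud C"),
    ("203.0.113.20",  "US", "Example Cloud A"),
    ("192.0.2.5",     "BR", "Example Transit D"),
    ("192.0.2.6",     "NL", "Example VPS B"),
    ("192.0.2.7",     "CN", "Example Cloud C"),
    ("192.0.2.8",     "FR", "Example Cloud A"),
]


def parse_netset(text):
    """Parse a FireHOL-style netset into ip_network objects, skipping comments and blanks."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_any(ip, nets):
    """True if ip falls in any listed network (a v4/v6 mismatch is simply no match)."""
    return any(ip in net for net in nets)


class AccessPolicy:
    """Connection-time decision, evaluated before any byte reaches a backend.

    mode: 'off' (no filtering), 'blacklist' (deny listed ranges),
          'whitelist' (allow only listed ranges). deny_threat_listed adds
          a threat-list check after the mode; that ordering is an assumption.
    """
    MODES = ("off", "blacklist", "whitelist")

    def __init__(self, mode, rules=(), threat_nets=(), deny_threat_listed=False):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.rules = [ipaddress.ip_network(r, strict=False) for r in rules]
        self.threat_nets = list(threat_nets)
        self.deny_threat_listed = deny_threat_listed

    def decide(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        if self.mode == "off":
            return "allow"
        if self.mode == "whitelist" and not in_any(ip, self.rules):
            return "deny"   # explicit allow-list: everything else is dropped at the edge
        if self.mode == "blacklist" and in_any(ip, self.rules):
            return "deny"
        if self.deny_threat_listed and in_any(ip, self.threat_nets):
            return "deny"
        return "allow"


def summarize(connections, threat_nets):
    """Unique-client view: client and country counts, clients per network, threat-listed share."""
    clients = {}
    for ip, country, network in connections:
        clients.setdefault(ip, (country, network))   # first sighting wins
    listed = sum(1 for ip in clients if in_any(ipaddress.ip_address(ip), threat_nets))
    return {
        "clients": len(clients),
        "countries": len({c for c, _ in clients.values()}),
        "by_network": Counter(n for _, n in clients.values()),
        "threat_listed": listed,
        "threat_listed_pct": round(100 * listed / len(clients)) if clients else 0,
    }


if __name__ == "__main__":
    nets = parse_netset(THREAT_NETSET)
    print(summarize(SAMPLE_CONNECTIONS, nets))
    policy = AccessPolicy("whitelist", rules=["192.0.2.0/24"], threat_nets=nets)
    for ip in ("192.0.2.5", "198.51.100.10"):
        print(ip, policy.decide(ip))
```

The decision runs on the client address alone, which is exactly why it can sit at L4 with no knowledge of the application: the whitelist case returns before any list beyond the allow-list is consulted, and a client that never matches simply never gets a backend. The summary counts unique clients rather than connections, matching how the post's 113 is stated.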

And this is the floor, not the ceiling. The same place that drew the map above is where smarter, traffic-aware defense is headed next: not just matching addresses against a list, but watching what that traffic actually does, and stepping in when the pattern, not just the source, looks wrong. We will have more to say about that soon. For now, the point is simpler.

The internet will start testing your defenses long before your first real user shows up.
So the defenses should be there before the users are.

We are still building these balancers, and there is more coming. But the very first thing our test balancer taught us is the thing we most wanted to be true: a public address is never really idle. The traffic is already there, whether or not anyone is looking. We are just making sure that when you do look, you can also push back.

L4 load balancers with built-in access control are coming to ServersCamp. When they land, you will be able to spin one up, open the map, and watch the internet say hello.