You put your reverse proxy on a publicly available machine then through strict firewalls only accept communication to your back end from the reverse proxy; effective leverage VPCs to make your backend not be on the public Internet. That should allow you to filter out malicious users without affecting your actual application and it's trivial to scale your reverse proxy horizontally or reach for a WAF if you have the need/desire.