What exact risk has your penetration test highlighted? If both front and back authentification and authorize your users the right way - it's not clear to me why direct access to the front is good and direct access to the back is not.

Solutions that have been mentioned in the previous answer, like AntiDDOS, Application layer Firewall, AntiBot scoring, etc, are useful. But have to put them before the front and back.