Greetings,
Answers inline.
On 02/16/2018 08:03 AM, Stefan Magnus Landrø wrote:
Hi guys,
We're using some of the DDOS features found in haproxy (e.g.
https://www.haproxy.com/blog/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/)
We've performed some basic testing using apache bench, and get
expected results (connections get dropped etc).
Be careful with tarpitting as it will eat file descriptors and source
ports. I recommend http-request deny in most cases as with distributed
attacks they can easily run you out of them. In some cases
"http-request silent-drop" can help with a similar effect, but beware of
unintended consequences (other stateful devices in your network that you
could unintentionally DoS).
Also ensure your kernel is tuned with settings like tw_reuse and an
increased source port range.
Is there a better way to make sure the configuration works as expected?
First step to do that is to find what the specific bottleneck you're
hitting is; dropping connections is a symptom with many potential causes.
Can we somehow monitor the number of requests that get tarpitted or
connections that get dropped, or is this info not collected/exposed
by haproxy at all?
My favorite log field, the termination state, will be of interest to
you. The first two characters will be LT for a tarpitted request
(https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#8.5).
You will also want to be sure you are graphing the dreq field (and many
of the others) from the status page
(https://cbonte.github.io/haproxy-dconv/1.8/management.html#9.1).
- Chad
BTW - using haproxy 1.8.4 alpine image
Cheers
Stefan
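One way to act on Chad's two pointers above (tally the termination state from the HTTP log, and read the dreq counter from the stats CSV), as an added example that is not from this thread or from HAProxy itself. The log lines and stats rows are constructed, the field layout assumed is the default "option httplog" line, and which two-character termination code means tarpit or deny for your version should be taken from section 8.5 of the linked docs rather than from the sample values here.

```python
import csv
import re
from collections import Counter

# Assumed layout of a default "option httplog" line after the syslog prefix:
# client, [accept date], frontend, backend/server, timers, status, bytes,
# request cookie, response cookie, 4-char termination state, connection
# counters, queue counters, "request line".
HTTPLOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<client>\S+) \[(?P<date>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>\S+) (?P<timers>\S+) (?P<status>-?\d+) (?P<bytes>\d+) '
    r'(?P<req_cookie>\S+) (?P<resp_cookie>\S+) (?P<term>\S{4}) '
    r'(?P<conns>\S+) (?P<queues>\S+) "(?P<request>[^"]*)"')

def parse_httplog(line):
    # Named fields of one log line, or None when the line is not an httplog line.
    m = HTTPLOG_RE.search(line)
    return m.groupdict() if m else None

def termination_counts(lines):
    """Tally the first two termination-state chars (session state at disconnection)."""
    counts = Counter()
    for line in lines:
        rec = parse_httplog(line)
        if rec:
            counts[rec["term"][:2]] += 1
    return counts

def dreq_from_stats_csv(csv_text, pxname, svname="FRONTEND"):
    """Read 'dreq' (denied requests) for one proxy row of the stats CSV output."""
    rows = csv_text.splitlines()
    if rows and rows[0].startswith("# "):   # the CSV header line starts with "# "
        rows[0] = rows[0][2:]
    for row in csv.DictReader(rows):
        if row["pxname"] == pxname and row["svname"] == svname:
            return int(row["dreq"])
    return None

# Constructed sample input: three log lines and a trimmed stats CSV (subset of columns).
SAMPLE_LOG = [
    'Feb 16 08:03:01 lb1 haproxy[1234]: 203.0.113.10:51432 [16/Feb/2018:08:03:01.123] fe_http be_app/srv1 0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"',
    'Feb 16 08:03:02 lb1 haproxy[1234]: 203.0.113.77:40001 [16/Feb/2018:08:03:02.001] fe_http be_app/<NOSRV> 0/-1/-1/-1/1001 500 0 - - PT-- 5/5/0/0/0 0/0 "GET / HTTP/1.1"',
    'Feb 16 08:03:02 lb1 haproxy[1234]: 203.0.113.77:40002 [16/Feb/2018:08:03:02.050] fe_http fe_http/<NOSRV> 0/-1/-1/-1/0 403 0 - - PR-- 5/5/0/0/0 0/0 "GET / HTTP/1.1"',
]
SAMPLE_STATS = ("# pxname,svname,scur,dreq,dresp,\n"
                "fe_http,FRONTEND,5,42,0,\n"
                "be_app,srv1,3,0,0,\n")

if __name__ == "__main__":
    print(dict(termination_counts(SAMPLE_LOG)))        # {'--': 1, 'PT': 1, 'PR': 1}
    print(dreq_from_stats_csv(SAMPLE_STATS, "fe_http"))  # 42
```

Feed it the real log (e.g. from syslog) and the output of "show stat" on the admin socket, then graph the per-code counts and dreq over time to see what changes during a test run.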