Hi All,
Some time ago I created a small patch for haproxy 1.5 which is acting in a similar way to cloud anti-DoS CAPTCHA pages (https://github.com/lazy404/haproxy/compare/ddos).

The idea is that when the site is attacked by bots sending HTTP requests, haproxy sends them a webpage with some JavaScript which is setting a cookie with a product of some simple calculations. Usually simple DDoS bots aren't capable of passing this kind of defence. The magic number depends on the bot IP address, so adding a static cookie header won't do. On the next request, if the cookie value is correct (it's based on client IP and some random secret), the client will be whitelisted. If the number is wrong a number of times, the client gets banned and its connections are rejected (an external script can pick up those addresses and add them to an external firewall or iptables).

The code is based on auth.

From my lab tests and some short real-world attacks it "works good enough" for me. I know that the cookie_auth name is misleading, the number generation might be vulnerable to secret leakage, there are no docs, and the code is not up to haproxy standards in many places.

I plan on adding some features to it; I might as well try to clean the code, add documentation and rename it, if this kind of feature might be welcomed in haproxy.
Regards,
Michal
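The scheme described in the post, as an added example that is not part of Michal's patch or of haproxy: a server-side model where the expected cookie is a keyed hash (HMAC-SHA256, substituted for the patch's own "simple calculations") of the client IP under a random secret, the challenge page embeds that value as JavaScript arithmetic, a correct cookie whitelists the IP, and repeated wrong answers get it banned. The cookie name `cookie_auth` is the one the post mentions; the page template, `max_failures` and `solve_challenge` (a stand-in for a JavaScript-capable client) are assumptions.

```python
import hashlib
import hmac
import re
import secrets
from collections import defaultdict

class CookieChallengeGuard:
    """Server side of the cookie challenge: expected value = HMAC(secret, client IP)
    (assumed; the patch's own calculation is not reproduced), whitelist on success."""
    COOKIE = "cookie_auth"  # cookie name mentioned in the post
    PAGE = '<script>document.cookie="%s="+(%d*%d+%d);location.reload();</script>'  # constructed

    def __init__(self, max_failures=3, secret=None):
        self.secret = secret or secrets.token_bytes(32)   # random per process
        self.max_failures = max_failures
        self.whitelist, self.banned = set(), set()
        self.failures = defaultdict(int)

    def expected(self, ip):
        """31-bit magic number that differs per IP, so a copied static cookie fails."""
        mac = hmac.new(self.secret, ip.encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big") & 0x7FFFFFFF

    def challenge_page(self, ip):
        """Embed the magic number as a*b+c so the client has to execute the script."""
        magic = self.expected(ip)
        a = secrets.randbelow(65535) + 1
        return self.PAGE % (self.COOKIE, a, magic // a, magic % a)

    def handle(self, ip, cookie=None):
        """Returns ('pass', None), ('challenge', page) or ('reject', None)."""
        if ip in self.banned:
            return "reject", None   # banned set is what an external script would firewall
        if ip in self.whitelist:
            return "pass", None
        if cookie is not None:
            if hmac.compare_digest(cookie.encode(), str(self.expected(ip)).encode()):
                self.whitelist.add(ip)
                self.failures.pop(ip, None)
                return "pass", None
            self.failures[ip] += 1
            if self.failures[ip] >= self.max_failures:
                self.banned.add(ip)
                return "reject", None
        return "challenge", self.challenge_page(ip)

def solve_challenge(page):
    """Stand-in for a JavaScript-capable browser: evaluate a*b+c from the page."""
    a, b, c = map(int, re.search(r"\((\d+)\*(\d+)\+(\d+)\)", page).groups())
    return str(a * b + c)
```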