FWIW / FYI -
# haproxy -v
HA-Proxy version 1.5.18 2016/05/10
An in-house vulnerability scanner found our haproxy stats sockets and
started probing, sending bogus requests, HTTP_* methods, etc.
The many requests, even though the request paths were not valid at the
stats socket, made for a DoS attack (with haproxy's CPU consumption
often pegging at 100% generating stats pages).
Since it looks like the only valid stats socket requests are GETs to
'/' (with possible ';', '#', and '?' modifiers), we ameliorated the
in-house DoS using these 2 lines in the cfg for the stats socket:
http-request tarpit unless { path_reg ^/($|\?|\#|\;) }
http-request tarpit unless METH_GET # silent-drop > 1.5
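To see which requests the two rules above let through and which they tarpit, here is a small model of them run over a constructed set of request lines. This is an added example, not code from the post or from HAProxy; it mirrors the post's `path_reg` pattern verbatim and treats the `path` sample fetch the way HAProxy documents it (the path ends before any `?`, so the query string never reaches the regex and the `\?` alternative in the pattern never fires). Two caveats worth knowing before copying the rules: `/?stats;csv` is allowed because its path is just `/`, and if `stats admin` is enabled the admin form submits a POST, which the `METH_GET` rule would tarpit.

```python
import re

# The two conditions from the post, modelled here as an added example (not
# HAProxy code). HAProxy's `path` fetch returns the request path up to, but
# not including, any '?', so the query string is stripped before the regex is
# applied; the '\?' alternative in the post's pattern therefore never matches.
PATH_OK = re.compile(r"^/($|\?|\#|\;)")   # the post's path_reg pattern, verbatim
ALLOWED_METHOD = "GET"                     # the post's METH_GET rule


def haproxy_path(request_target: str) -> str:
    """Model the `path` fetch: drop the query string, keep ';' path params."""
    return request_target.split("?", 1)[0]


def classify(request_line: str) -> str:
    """Return 'allow', 'tarpit' or 'invalid' for one HTTP request line.

    'tarpit' means at least one of the two http-request rules would fire.
    Lines that are not a three-token request line are reported as 'invalid'
    (HAProxy answers those with a 400 before any http-request rule runs).
    """
    parts = request_line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "invalid"
    method, target, _version = parts
    if not PATH_OK.search(haproxy_path(target)):
        return "tarpit"            # rule 1: path is not the stats root
    if method != ALLOWED_METHOD:
        return "tarpit"            # rule 2: anything but GET
    return "allow"


# Constructed sample of what a scanner might send to the stats listener.
SAMPLE_REQUEST_LINES = [
    "GET / HTTP/1.1",              # allow: the stats page itself
    "GET /;csv HTTP/1.1",          # allow: CSV export modifier
    "GET /?stats;csv HTTP/1.1",    # allow: path is '/' once the query is dropped
    "GET /index.html HTTP/1.1",    # tarpit: not the stats root
    "GET /cgi-bin/../ HTTP/1.1",   # tarpit: traversal probe
    "POST / HTTP/1.1",             # tarpit: right path, wrong method
    "PROPFIND / HTTP/1.1",         # tarpit: WebDAV probe
    "TRACE /;csv HTTP/1.1",        # tarpit: wrong method
]


def tally(lines) -> dict:
    """Count decisions over a batch of request lines."""
    counts = {"allow": 0, "tarpit": 0, "invalid": 0}
    for line in lines:
        counts[classify(line)] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_REQUEST_LINES:
        print(f"{classify(line):7s} {line}")
    print(tally(SAMPLE_REQUEST_LINES))
```

Run it as-is to print one decision per sample line plus the totals; swap in request lines from your own HAProxy log to check the rules against real scanner traffic before deploying them.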