Hello,
We experienced a specific behaviour with HAProxy (1.5.12) and would like to
share what happened, and see what can be done.
Simplified configuration :
defaults
    default-server maxconn 2000
    backlog 16384

listen webcustomer:80
    id 12
    balance source
    hash-type consistent
    mode http
    option http-keep-alive
    option prefer-last-server
    balance uri
    bind X.X.X.X:80
    maxconn 30000
    rate-limit sessions 5000
    server s100 X.X.X.X:80 check weight 5
    server s101 X.X.X.X:80 check weight 5
    server s102 X.X.X.X:80 check weight 5
We experienced what looked like a very simple DOS, with a single source IP
sending thousands of complete HTTP requests.
With the configuration above, all traffic was sent to server s100 because we
have balance=source.
This server hit the maxconn setting. Further connections get piled up in
queue ('Queue cur' in stats block).
This affects the attacker, but also all other clients bound to this server
(so one IP out of three approximately).
I wonder how we could mitigate this issue. I see several answers :
1) add a rate-limit per IP address (or block of continuous IP) with stick
tables. Any feedback on this and how you handle legitimate robots like
GoogleBot ?
2) tell HAProxy "if maxconn is reached, scale out on other backends" (do
not know how to write this one, and could potentially be more dangerous :
the whole cluster will be affected instead of 1/3rd).
Any other ideas ?
Olivier
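For point 1), here is an added example of what a per-source limit with a stick table looks like in HAProxy 1.5. It is not Olivier's configuration and not taken from the HAProxy documentation; the thresholds, the table size, the `trusted_bot` ACL name and the `/etc/haproxy/trusted-bots.lst` path are assumptions to be tuned for the real site. The idea is that with `balance source` an abusive IP is pinned to a single server, so capping what one IP may hold or send keeps that server's queue from filling, while a list of known crawler ranges lets legitimate robots through untouched.

```haproxy
# Added example, not from the original post: per-source limits with a
# stick table in HAProxy 1.5. Thresholds and the whitelist file path are
# assumptions.
listen webcustomer:80
    bind X.X.X.X:80
    mode http
    option http-keep-alive
    maxconn 30000
    balance source
    hash-type consistent

    # One entry per client IP; an entry expires 60s after its last update.
    #   conn_cur      = connections this IP holds right now
    #   conn_rate     = new connections from this IP over the last 10s
    #   http_req_rate = HTTP requests over the last 10s (counts every
    #                   request on a keep-alive connection, which the
    #                   connection counters alone would miss)
    stick-table type ip size 200k expire 60s store conn_cur,conn_rate(10s),http_req_rate(10s)

    # Known-good crawler ranges (assumed file, one IP or CIDR per line).
    # Matching sources are still counted but never rejected, so a
    # legitimate robot that crosses a threshold keeps working.
    acl trusted_bot src -f /etc/haproxy/trusted-bots.lst

    # Track every new connection by source address in the table above.
    tcp-request connection track-sc0 src

    # Cheap checks at accept time, before any HTTP parsing: refuse a source
    # that already holds too many connections or opens them too fast.
    tcp-request connection reject if !trusted_bot { sc0_conn_cur gt 100 }
    tcp-request connection reject if !trusted_bot { sc0_conn_rate gt 200 }

    # Per-request check: one keep-alive connection can still carry
    # thousands of requests, so cap the request rate per source as well.
    http-request deny if !trusted_bot { sc0_http_req_rate gt 500 }

    server s100 X.X.X.X:80 check weight 5 maxconn 2000
    server s101 X.X.X.X:80 check weight 5 maxconn 2000
    server s102 X.X.X.X:80 check weight 5 maxconn 2000
```

Before enforcing anything, run the table without the reject/deny lines for a while and look at the counters with `show table webcustomer:80` on the stats socket; the busiest entries tell you where normal peaks sit, and the thresholds go above them. The rejects happen before the request reaches the backend queue, so the per-server maxconn keeps protecting the servers from the aggregate, while the table protects the other clients sharing a server from a single source. On point 2), HAProxy 1.5 has no knob to spill a hashed source over to another server once its target is full; that kind of bounded-load behaviour for hash-based balancing (`hash-balance-factor`) only arrived in later releases (1.7 onward).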