What scanner did you use?

-----Original Message-----
From: Jim Freeman [[email protected]]
Received: Monday, 19 Jun 2017, 3:36PM
To: HAProxy [[email protected]]
Subject: in-house vulnerability scan vs. stats socket

FWIW / FYI -

# haproxy -v
HA-Proxy version 1.5.18 2016/05/10

An in-house vulnerability scanner found our haproxy stats sockets and
started probing, sending bogus requests, HTTP_* methods, etc.

The many requests, even though the request paths were not valid at the
stats socket, made for a DoS attack (with haproxy's CPU consumption
often pegging at 100% generating stats pages).

Since it looks like the only valid stats socket requests are GETs to
'/' (with possible ';', '#', and '?' modifiers), we ameliorated the
in-house DoS using these 2 lines in the cfg for the stats socket:

  http-request tarpit unless { path_reg ^/($|\?|\#|\;) }
  http-request tarpit unless METH_GET # silent-drop > 1.5



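As an added illustration (not code from the thread or from HAProxy itself), the following Python mirrors the two `http-request tarpit` rules quoted above and evaluates them, in config order, over a constructed set of requests, so it is visible which stats-socket URLs survive and which a scanner's probes would hit; it assumes `stats uri /` and follows HAProxy's `path` sample, which ends before the query string.

```python
import re
from typing import NamedTuple

# The regex from the quoted config: '/' followed by end, '?', '#' or ';'.
# HAProxy's `path` sample stops before the '?', so the '\?' branch can never
# match there; it is kept here to stay faithful to the original rule.
STATS_PATH = re.compile(r"^/($|\?|#|;)")


class Request(NamedTuple):
    method: str
    target: str  # request-target as sent on the request line


def decide(req: Request) -> str:
    """Return 'stats' if the request reaches the stats page, else 'tarpit'.

    Rules are applied in the order they appear in the quoted configuration.
    """
    path = req.target.split("?", 1)[0]  # HAProxy `path` excludes the query string
    # http-request tarpit unless { path_reg ^/($|\?|\#|\;) }
    if not STATS_PATH.match(path):
        return "tarpit"
    # http-request tarpit unless METH_GET
    if req.method != "GET":
        return "tarpit"
    return "stats"


# Constructed sample: legitimate stats clients mixed with scanner-style probes.
SAMPLE = [
    Request("GET", "/"),
    Request("GET", "/;csv"),              # CSV export of the stats page
    Request("GET", "/?stats;refresh=5"),  # query string is not part of `path`
    Request("GET", "/admin"),
    Request("GET", "/index.html"),
    Request("POST", "/"),
    Request("OPTIONS", "/"),
]


def summarize(requests):
    """Count how many requests would be served versus tarpitted."""
    counts = {"stats": 0, "tarpit": 0}
    for r in requests:
        counts[decide(r)] += 1
    return counts
```

Note that `tarpit` holds each offending connection open for `timeout tarpit` before answering, so that timeout should be set on the stats listener; the `silent-drop` action mentioned in the config comment is available from HAProxy 1.6 onward.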