Dunno - not in my purview ...
On Mon, Jun 19, 2017 at 1:40 PM, Gibson, Brian (IMS) <[email protected]> wrote:
> What scanner did you use?
>
> -----Original Message-----
> From: Jim Freeman [[email protected]]
> Received: Monday, 19 Jun 2017, 3:36PM
> To: HAProxy [[email protected]]
> Subject: in-house vulnerability scan vs. stats socket
>
> FWIW / FYI -
>
> # haproxy -v
> HA-Proxy version 1.5.18 2016/05/10
>
> An in-house vulnerability scanner found our haproxy stats sockets and
> started probing, sending bogus requests, HTTP_* methods, etc.
>
> The many requests, even though the request paths were not valid at the
> stats socket, made for a DoS attack (with haproxy's CPU consumption
> often pegging at 100% generating stats pages).
>
> Since it looks like the only valid stats socket requests are GETs to
> '/' (with possible ';', '#', and '?' modifiers), we ameliorated the
> in-house DoS using these 2 lines in the cfg for the stats socket:
>
> http-request tarpit unless { path_reg ^/($|\?|\#|\;) }
> http-request tarpit unless METH_GET # silent-drop > 1.5
>
>
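A complete stats listener built around the two tarpit rules quoted above, added here as an example and not taken from the thread or from the HAProxy project; the bind address, credential placeholder, timeouts and the connection-rate threshold are assumed values, and the syntax targets the 1.5 branch named in the message:

```haproxy
# Added example (not from the thread): stats listener hardened against
# scanner traffic. Values marked "assumed" are illustrative placeholders.
listen stats
    bind 127.0.0.1:8404          # assumed: keep the stats socket off public interfaces
    mode http
    stats enable
    stats uri /
    stats auth admin:CHANGEME    # assumed placeholder, replace before use

    # Tarpitted requests are held open until this timeout expires; if it is
    # unset HAProxy falls back to "timeout connect", so state it explicitly.
    timeout tarpit 10s
    timeout client 30s
    timeout connect 5s
    timeout server 30s

    # The tarpit rules only catch malformed requests. A scanner that issues
    # many valid "GET /" requests still makes HAProxy render a stats page each
    # time, so cap the per-source connection rate as well (assumed threshold).
    stick-table type ip size 1k expire 30s store conn_rate(10s)
    tcp-request connection track-sc0 src
    tcp-request connection reject if { src_conn_rate gt 20 }

    # Only "/" (optionally followed by ';', '#' or '?' modifiers) is a valid
    # stats URI. '#' is escaped because it would otherwise start a comment.
    acl stats_path path_reg ^/($|\?|\#|\;)

    # The two rules from the thread, written against the named ACL.
    http-request tarpit unless stats_path
    http-request tarpit unless METH_GET
```

Check the result with `haproxy -c -f <file>` before reloading; on releases newer than 1.5 the two tarpit actions can be swapped for `http-request silent-drop`, as the thread's trailing comment notes.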