On Sat, Jan 23, 2010 at 04:59:05PM +0100, Andrew Azarov wrote:
> Is there any possibility to add freebsd accept filter? Recently a SYN
> flood made our haproxy die of a high amount of RAM being used...
If it was a SYN flood, it would not change anything, because haproxy does not get notified until the connection is completely established, so it means that it was the system which ran out of memory due to the number of allocated sockets. That seems very strange to me, as a SYN does not cost much. Most likely you got a connection flood or a slowloris attack.

Also, it means that you have misconfigured your global and listen maxconn values, as you should always ensure that when all connections are established, you cannot run out of memory. You can also limit the maximum amount of allocatable memory using the -m command line parameter.

Right now there is no support for accept filters but I think it might not be too difficult to implement. However, I tend to think that it's the wrong response to such an attack, as the connections are still allocated in the kernel and still use memory.

The best solution is to set the "timeout http-request" to a reasonably low value (eg: 3-5 seconds) so that connections are quickly dropped if unused. At 3 seconds, you will only allocate 30000 connections max at 10000 connections per second, which is not *that* much. Several sites run much higher on servers which are now as beefy as recent laptops.

Last, using "rate-limit sessions", you can limit the rate at which connections are established.

So in theory you have everything required to ensure your process never runs out of resources. At worst, it will degrade the service if you set the limits too low or the attack is too strong.

Willy
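The following configuration is an added illustration, not part of the original thread and not a configuration from the haproxy project itself. It puts the four knobs named in the reply side by side: a global maxconn, a per-frontend maxconn, a short "timeout http-request", and "rate-limit sessions". The numeric values (maxconn 40000, 30000, 500, a 3 second request timeout, 2000 sessions per second, and the 512 MB -m limit in the comment) are assumed, sized so that the frontend cap is reached only after the timeout has had time to expire idle connections; they are not figures from the thread and must be set against the memory actually available on the host.

```haproxy
# Added example: resource limits for an HTTP frontend.
# Start haproxy with an overall memory cap as well, e.g.
#   haproxy -f /etc/haproxy/haproxy.cfg -m 512
# (-m limits total allocatable memory to 512 MB; value assumed).

global
    # Hard cap on concurrent connections for the whole process.
    # Must fit in memory together with the kernel socket buffers.
    maxconn 40000

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # Drop connections that do not send a complete request quickly.
    # This is the setting that defeats idle/slow-request floods:
    # at 3s, 10000 new connections per second still allocate at
    # most about 30000 at a time before they are closed.
    timeout http-request 3s

frontend www
    bind :80
    # Per-frontend cap, below the global one so that stats or other
    # listeners still get a share when this frontend is saturated.
    maxconn 30000
    # Accept at most 2000 new sessions per second on this frontend;
    # excess SYNs stay in the kernel backlog instead of becoming
    # sessions inside haproxy.
    rate-limit sessions 2000
    default_backend app

backend app
    # Queue excess requests in haproxy rather than overwhelming the server.
    server app1 127.0.0.1:8080 maxconn 500
```

With these limits in place an attack degrades into queueing and early timeouts rather than memory exhaustion: the process can never hold more than the configured number of connections, each idle connection lives at most three seconds before the request timeout closes it, and the session rate limit bounds how fast new ones can be created in the first place. Note that, as the reply points out, sockets the kernel has already accepted still consume kernel memory until haproxy closes them, which is why the short "timeout http-request" matters more than anything done at accept time.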

