On Mon, Aug 22, 2011 at 06:26:01PM +0000, Svancara, Randall wrote:
> This is nothing new, as brute-force DOS attacks have been around for a while.
> I am not sure this is an HA-Proxy feature or more of a MOD_SECURITY/iptables
> feature. Simple iptables rate limiting would be sufficient in thwarting this
> attack. For example,
>
> I am using this for SSH now, but it is very applicable to a web server; change the
> ports and hitcount to a number that is more appropriate for a webserver, like
> 40 in 10 seconds.
>
> # Drop those nasty brute force SSH attempts and log them
> $IPTABLES -A INPUT -p tcp --dport 22 -i $EXTIF -m state --state NEW -m recent --set
> $IPTABLES -A INPUT -p tcp --dport 22 -i $EXTIF -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j SSHBRUTEDROP
>
> I am using the above code to block ssh brute force attempts.
Doing so is already possible with haproxy, but this has nothing to do with the attack, as it's not a matter of request rate but of memory exhaustion on the server due to a vulnerability.

Regards,
Willy
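To see what the quoted --set / --update rule pair actually does per source address, here is a small Python model of the xt_recent matching logic. This is an added example, not code from the thread or from haproxy; the SYN timestamps and addresses are constructed for illustration, and the list_len parameter stands in for the module's ip_pkt_list_tot setting (kernel default 20), which is why a "40 in 10 seconds" rule as suggested above will not load unless that module parameter is raised.

```python
"""Simplified model of the iptables 'recent' rules quoted above.

Rule 1: -m recent --set
        always record a hit for the source address.
Rule 2: -m recent --update --seconds S --hitcount H -j DROP
        match when the source has at least H hits in the last S seconds;
        on a match the entry is refreshed with a new hit as well.
"""
from collections import deque


class RecentTable:
    """Per-source hit timestamps, like one xt_recent list.

    list_len models the module's ip_pkt_list_tot parameter (kernel
    default 20): only the most recent list_len hits are remembered.
    """

    def __init__(self, list_len=20):
        self.list_len = list_len
        self.hits = {}

    def set(self, src, now):
        self.hits.setdefault(src, deque(maxlen=self.list_len)).append(now)

    def update(self, src, now, seconds, hitcount):
        stamps = self.hits.get(src)
        if stamps is None:
            return False
        within_window = sum(1 for t in stamps if now - t <= seconds)
        if within_window >= hitcount:
            stamps.append(now)      # --update refreshes the entry on a match
            return True
        return False


def rule_loads(hitcount, list_len=20):
    """xt_recent refuses a rule whose --hitcount exceeds the list length."""
    return hitcount <= list_len


def evaluate(events, seconds, hitcount, list_len=20):
    """Run NEW-connection events (time_in_seconds, source_ip) through the two
    rules in the order they were posted (--set first, then --update).
    Returns a list of (time, source, verdict)."""
    if not rule_loads(hitcount, list_len):
        raise ValueError(
            f"hitcount ({hitcount}) is larger than packets to be "
            f"remembered ({list_len}); raise ip_pkt_list_tot")
    table = RecentTable(list_len)
    verdicts = []
    for now, src in events:
        table.set(src, now)
        dropped = table.update(src, now, seconds, hitcount)
        verdicts.append((now, src, "DROP" if dropped else "ACCEPT"))
    return verdicts


# Constructed sample of NEW SYNs to port 22: (time in seconds, source IP).
SAMPLE_SSH_SYNS = [
    (0, "203.0.113.5"), (10, "203.0.113.5"), (20, "203.0.113.5"),
    (30, "203.0.113.5"),    # 4th hit inside 60 s: dropped
    (35, "198.51.100.9"),   # a different client is unaffected
    (61, "203.0.113.5"),    # still dropped: the refreshed stamps keep the entry hot
    (100, "203.0.113.5"),   # only 3 hits in the last 60 s: accepted again
]

if __name__ == "__main__":
    for now, src, verdict in evaluate(SAMPLE_SSH_SYNS, seconds=60, hitcount=4):
        print(f"t={now:>3}s {src:<14} {verdict}")
```

Two things the model makes visible: because --update adds a stamp whenever it matches, a source that keeps retrying stays blocked well past the original 60 s window, and the threshold can only be raised as far as the remembered list length allows. Neither changes Willy's point: a per-source connection-rate limit does nothing against a single request that exhausts memory through a server bug.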

