Hey,

You can have a look at this article to match too many attempts on a login page :)
http://blog.exceliance.fr/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/

I don't have any time right now, but I'll write this kind of configuration example later if you can't manage to make it work.

cheers

On Tue, Mar 13, 2012 at 3:02 PM, Vivek Malik <[email protected]> wrote:
> Haproxy 1.5 has src_conn_rate which can be used for that. I personally
> haven't used it. I just remember reading about it.
>
> Vivek
>
> On Tue, Mar 13, 2012 at 8:30 AM, Jerry Champlin
> <[email protected]> wrote:
>>
>> One way to do this is to find it in the logs with a script and then have
>> that script apply a black hole rule to iptables. As a matter of course, we
>> use a similar approach to block rapid failed login attempts on servers with
>> public facing ssh. It works very well.
>>
>> -Jerry
>>
>> Jerry Champlin
>> Absolute Performance Inc.
>> Phone: 303-565-4401
>> --
>> Enabling businesses to deliver critical applications at lower cost and
>> higher value to their customers.
>>
>> On Tue, Mar 13, 2012 at 2:57 AM, fred hu <[email protected]> wrote:
>>>
>>> Hi, All
>>>
>>> We are using haproxy since 2009 for LB.
>>>
>>> Recently we encountered some malicious clients sending requests on the same
>>> URL at an especially high rate (100 r/s and lasting for some minutes).
>>> Is there any possibility to block such a user while still serving the normal
>>> clients? (Surely we have no idea of the malicious user's IP before (s)he attacks.)
>>> I read the configuration manual and found we have
>>> fe_sess_rate/be_sess_rate ACLs. But they seem to be for all clients.
>>>
>>> So, my question here is: Can we find/block a malicious user based on his
>>> request rate?
>>>
>>> Thx!
>>>
>>> --
>>> Fred Hu
>>> Best Regards
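The log-scanning approach mentioned in the thread, as an added example that is not code from any of the posters: it finds source addresses that hit one URL at the 100 r/s rate from the original question. The log lines are constructed and modelled on HAProxy's HTTP log format; the function names, addresses and proxy names (`ft_web`, `bk_app/srv1`) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Client address, accept timestamp and request URL from an HAProxy HTTP log line.
LINE_RE = re.compile(
    r'haproxy\[\d+\]: (?P<ip>\d+\.\d+\.\d+\.\d+):\d+ '
    r'\[(?P<ts>[^\]]+)\] .* "[A-Z]+ (?P<url>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S.%f"


def find_offenders(lines, max_requests=100, window=timedelta(seconds=1)):
    """Return source IPs that hit one URL max_requests times within window.

    Lines must be in chronological order per client, as in a live log.
    """
    recent = defaultdict(deque)  # (ip, url) -> timestamps still inside the window
    offenders = set()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an HTTP request line (other syslog output)
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        seen = recent[(m["ip"], m["url"])]
        seen.append(ts)
        while ts - seen[0] >= window:  # drop hits older than the window
            seen.popleft()
        if len(seen) >= max_requests:
            offenders.add(m["ip"])
    return sorted(offenders)


def sample_log():
    """Constructed log lines: one 125 r/s client and one 10 r/s client."""
    start = datetime(2012, 3, 13, 8, 30, 0)

    def line(ip, offset_ms, url):
        stamp = (start + timedelta(milliseconds=offset_ms)).strftime(TS_FORMAT)[:-3]
        return (f'Mar 13 08:30:00 lb1 haproxy[1234]: {ip}:40000 [{stamp}] ft_web '
                f'bk_app/srv1 0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 '
                f'"GET {url} HTTP/1.1"')

    fast = [line("203.0.113.7", 8 * i, "/login") for i in range(120)]
    slow = [line("198.51.100.20", 100 * i, "/login") for i in range(150)]
    return fast + slow


if __name__ == "__main__":
    # A wrapper script would pass these addresses to the firewall.
    print(find_offenders(sample_log()))
```

Counting per (address, URL) pair keeps a client that browses many pages quickly from being grouped with one hammering a single URL.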

