Hi All,

Some time ago I created a small patch for haproxy 1.5 which acts in a similar way to cloud anti-DoS CAPTCHA pages (https://github.com/lazy404/haproxy/compare/ddos).

The idea is that when the site is attacked by bots sending HTTP requests, haproxy sends them a web page with some JavaScript which sets a cookie to the product of some simple calculations. Usually simple DDoS bots aren't capable of passing this kind of defence. The magic number depends on the bot's IP address, so adding a static cookie header won't do. On the next request, if the cookie value is correct (it's based on the client IP and some random secret), the client will be whitelisted. If the number is wrong a number of times, the client gets banned and its connections are rejected (an external script can pick up those addresses and add them to an external firewall or iptables). The code is based on auth.

From my lab tests and some short real-world attacks it "works good enough" for me. I know that the cookie_auth name is misleading, the number generation might be vulnerable to secret leakage, there are no docs, and the code is not up to haproxy standards in many places. I plan on adding some features to it; I might as well try to clean the code, add documentation and rename it, if this kind of feature might be welcome in haproxy.

Regards,
Michal
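The scheme described in the post, as an added example that is not the haproxy patch's code (it is written here in Python to show the logic, not haproxy's C): an unverified client is served a page whose JavaScript multiplies two numbers and stores the result in a cookie; the server recomputes the expected value from the client IP and a server-side secret, whitelists a correct answer, counts wrong answers and bans the address after a threshold, and exposes the banned list for an external firewall script. The HMAC-SHA256 derivation, the 600-second validity window, the three-failure threshold, the cookie value format and the IP addresses are all assumptions made for this example; the patch's own number generation is not known from the post. One design point worth noting: the page carries only the two derived operands, never the secret itself, so a bot that reads the page learns nothing it can reuse for another address or window.

```python
"""Challenge-cookie bot filter in the style the post describes.

Added example: this is not the haproxy patch's code. Window length, failure
threshold, HMAC-SHA256 derivation and cookie value format are assumptions.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SECRET = b"example-server-secret-rotate-me"  # constructed; lives only on the server
WINDOW = 600            # seconds a challenge answer stays valid (assumption)
MAX_FAILURES = 3        # wrong answers tolerated before a ban (assumption)
COOKIE = "cookie_auth"  # cookie name from the post; the value format is ours


def operands(client_ip: str, window: int, secret: bytes = SECRET) -> Tuple[int, int]:
    """Two per-client, per-window numbers derived from HMAC(secret, ip|window).

    Only a and b are shipped to the client, so the page never reveals the
    secret, and a cookie captured from another address does not verify.
    """
    digest = hmac.new(secret, f"{client_ip}|{window}".encode(), hashlib.sha256).digest()
    a = int.from_bytes(digest[:3], "big") | 1   # 24-bit, odd, non-zero
    b = int.from_bytes(digest[3:6], "big") | 1  # a*b < 2**48, exact in a JS double
    return a, b


def expected_value(client_ip: str, window: int, secret: bytes = SECRET) -> str:
    """Cookie value the server expects for this client in this window."""
    a, b = operands(client_ip, window, secret)
    return str(a * b)


def challenge_page(client_ip: str, window: int, secret: bytes = SECRET) -> str:
    """Page served to an unverified client: the JS computes a*b and reloads."""
    a, b = operands(client_ip, window, secret)
    return (
        "<html><body><script>\n"
        f"var a = {a}, b = {b};\n"
        f'document.cookie = "{COOKIE}=" + (a * b) + "; path=/";\n'
        "location.reload();\n"
        "</script></body></html>"
    )


def solve_challenge(page: str) -> str:
    """What a JS-capable client ends up doing; a dumb flood bot never gets here."""
    m = re.search(r"var a = (\d+), b = (\d+);", page)
    if m is None:
        raise ValueError("not a challenge page")
    return str(int(m.group(1)) * int(m.group(2)))


@dataclass
class ClientState:
    failures: int = 0
    whitelisted_window: Optional[int] = None
    banned: bool = False


@dataclass
class ChallengeGuard:
    secret: bytes = SECRET
    clients: Dict[str, ClientState] = field(default_factory=dict)

    def decide(self, client_ip: str, cookie: Optional[str], now: int) -> Tuple[str, str]:
        """Return ("allow" | "challenge" | "reject", response body)."""
        st = self.clients.setdefault(client_ip, ClientState())
        window = now // WINDOW
        if st.banned:
            return "reject", ""
        # A correct answer whitelists the client for this window and the next.
        if st.whitelisted_window is not None and st.whitelisted_window >= window - 1:
            return "allow", ""
        if cookie is not None:
            # Accept the current and previous window so a client that answered
            # just before a rollover is not challenged twice; constant-time compare.
            good = [expected_value(client_ip, w, self.secret).encode()
                    for w in (window, window - 1)]
            if any(hmac.compare_digest(cookie.encode(), g) for g in good):
                st.failures = 0
                st.whitelisted_window = window
                return "allow", ""
            st.failures += 1
            if st.failures >= MAX_FAILURES:
                st.banned = True  # from here on the address is rejected outright
                return "reject", ""
        return "challenge", challenge_page(client_ip, window, self.secret)

    def banned_addresses(self):
        """List an external script can feed to iptables or a firewall."""
        return sorted(ip for ip, st in self.clients.items() if st.banned)


if __name__ == "__main__":
    guard = ChallengeGuard()
    verdict, page = guard.decide("203.0.113.7", None, 1_700_000_000)  # constructed IP
    print(verdict)                                                      # challenge
    print(guard.decide("203.0.113.7", solve_challenge(page), 1_700_000_001)[0])  # allow
```

The whitelist lives in per-client state rather than in the cookie, so a correct answer is only needed once per window; the ban is also stateful, which is why the post's external script is needed to make it stick at the packet-filter level.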

