On Mon, Jun 19, 2017 at 3:34 PM, Jim Freeman <[email protected]> wrote:
> FWIW / FYI -
>
> # haproxy -v
> HA-Proxy version 1.5.18 2016/05/10
>
> An in-house vulnerability scanner found our haproxy stats sockets and
> started probing, sending bogus requests, HTTP_* methods, etc.
>
> The many requests, even though the request paths were not valid at the
> stats socket, made for a DoS attack (with haproxy's CPU consumption
> often pegging at 100% generating stats pages).
>
> Since it looks like the only valid stats socket requests are GETs
>

Possible point of clarification, it sounds like you're referring to a listener/frontend with stats enabled. The stats socket <http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#9.2> doesn't speak http.
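To make the distinction concrete, here is an added HAProxy 1.5 configuration fragment (not from either poster) showing the CLI-only stats socket from section 9.2 beside an HTTP stats listener locked down so that stray scanner traffic is rejected before a stats page is rendered. The socket path, bind address, monitoring network and credentials are placeholders.

```haproxy
# Added example, not from the thread. All addresses, paths and the
# admin:CHANGEME credential are placeholders.

global
    # Section 9.2 "stats socket": a Unix socket speaking the HAProxy CLI
    # protocol, not HTTP. A scanner sending HTTP methods here gets nothing
    # back; protect it with filesystem mode and a privilege level instead.
    stats socket /var/run/haproxy.sock mode 600 level operator
    stats timeout 30s

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# "stats enable" on a listener is an ordinary HTTP frontend: anything that
# can reach the port can make HAProxy render a stats page per request.
listen stats
    bind 127.0.0.1:8404
    stats enable
    stats uri /haproxy?stats
    stats refresh 10s
    stats hide-version
    stats auth admin:CHANGEME
    # Reject requests early, before the stats page is generated:
    # only the monitoring network, and only GET/HEAD.
    acl monitoring_net src 10.0.0.0/24
    http-request deny if !monitoring_net
    http-request deny if !{ method GET HEAD }
```

Validate with `haproxy -c -f <file>` before reloading; denied requests receive a 403 from the http-request rules and never reach the stats handler.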

