Hi Christopher,

thank you for the hint, I'm aware of the different ways to mitigate DDoS with rate limits etc., I was just curious about the pipelining vector. :)

http://www.haproxy.org/download/2.4/doc/configuration.txt says:

"By default HAProxy operates in keep-alive mode with regards to persistent connections: for each connection it processes each request and response, and leaves the connection idle on both sides between the end of a response and the start of a new request. This mode may be changed by several options such as "option http-server-close" or "option httpclose". Setting "option http-server-close" enables HTTP connection-close mode on the server side while keeping the ability to support HTTP keep-alive and pipelining on the client side."

"1.1. The HTTP transaction model" and "timeout http-keep-alive" also mention pipelining.

So I guess I just misunderstood the documentation, and it would be nice to clarify in the docs that haproxy does not support HTTP/1.1 pipelining.

Best regards,
Stefan Behte

-----Original Message-----
From: Christopher Faulet <cfau...@haproxy.com>
Sent: Monday, 20 September 2021 19:04
To: Stefan Behte <s.be...@babiel.com>; haproxy@formilux.org
Subject: Re: Disabling HTTP/1.1 pipelining

On 9/17/21 at 1:20 PM, Stefan Behte wrote:
> Hi everyone,
>
> surely many on this list have heard about the meris botnet
> (https://krebsonsecurity.com/2021/09/krebsonsecurity-hit-by-huge-new-iot-botnet-meris/)
> which uses HTTP/1.1 pipelining for layer 7 attacks.
>
> As far as I can see, it's not possible to disallow HTTP pipelining in haproxy,
> so the best possibility could be "option httpclose"?
>
> Of course, this does not solve everything when a ~100k botnet is attacking, but
> it could ease the initial load / mitigate the pipelining vector a bit, as the
> attack clients have longer RTT.
>
> Or maybe I am missing something?
>

Hi,

HAproxy does not support HTTP pipelining. But it may be configured to mitigate ddos attacks. There are several mechanisms that you can use, depending on your applications. A quick search on the net about "haproxy ddos prevention" will give you several hints.

Regards,
--
Christopher Faulet
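An added configuration example, not taken from this thread or from the HAProxy documentation, that puts the close-mode and keep-alive timeout settings discussed above next to a per-source request-rate limit of the kind Christopher refers to. The frontend and backend names, the server address and the 100-requests-per-10-seconds threshold are assumed values chosen for illustration.

```haproxy
# Section names, server address and numeric thresholds below are assumed
# example values, not settings recommended by the thread participants.
frontend fe_web
    bind :80
    mode http

    # Close the server-side connection after each response while still
    # allowing keep-alive on the client side (the mode the quoted docs
    # describe). "option httpclose" would force close mode on both sides.
    option http-server-close

    # Bound how long an idle client connection may wait for its next
    # request, and how long a client may take to send a complete request.
    timeout http-keep-alive 2s
    timeout http-request 5s
    timeout client 10s

    # Per-source-IP request counter over a sliding 10 second window.
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src

    # Reject sources exceeding 100 requests per 10 seconds with HTTP 429.
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }

    default_backend be_app

backend be_app
    mode http
    # Placeholder application server; replace with the real backend.
    server app1 127.0.0.1:8080 check
```

The threshold should be tuned against the normal request rate of the application, since a value that is too low will reject legitimate clients behind shared NAT addresses.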