Hi Christopher,
thank you for the hint, I'm aware of the different ways to mitigate DDoS with
rate limits etc., I was just curious about the pipelining vector. :)
http://www.haproxy.org/download/2.4/doc/configuration.txt says:
" By default HAProxy operates in keep-alive mode with regards to persistent
connections: for each connection it processes each request and response, and
leaves the connection idle on both sides between the end of a response and
the start of a new request. This mode may be changed by several options such
as "option http-server-close" or "option httpclose". Setting "option
http-server-close" enables HTTP connection-close mode on the server side
while keeping the ability to support HTTP keep-alive and pipelining on the
client side."
"1.1. The HTTP transaction model" and "timeout http-keep-alive" also mention
pipelining.
So I guess I just misunderstood the documentation, and it would be nice to
clarify in the docs that haproxy does not support HTTP/1.1 pipelining.
Best regards,
Stefan Behte
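As an added illustration (not part of either message above, and not HAProxy's own documentation), here is a frontend that applies the two things the thread points at: `option http-server-close` with bounded idle and request-header timeouts on the client side, and a per-source request-rate limit using a stick table, which is the "rate limits etc." mitigation mentioned above. The frontend/backend names, the port, the table size and the rate thresholds are assumed values chosen for the example; tune them to the real application.

```haproxy
# Added example configuration, not from the mailing-list thread.
frontend fe_http
    bind *:80
    mode http

    # Close the server-side connection after each response; the client side
    # still gets keep-alive, exactly as the quoted configuration.txt describes.
    option http-server-close

    # Bound how long an idle client connection is held open between requests,
    # and how long we wait for a complete request (slow/partial request guard).
    timeout http-keep-alive 10s
    timeout http-request 5s

    # Per-source-IP request counter over a 10 s sliding window
    # (size 100k entries, entries expire 30 s after last use; assumed values).
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src

    # Reject sources exceeding 100 requests / 10 s with HTTP 429
    # (threshold is an assumed value).
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }

    default_backend be_app

backend be_app
    mode http
    server app1 127.0.0.1:8080
```

The stick-table rule, not `option http-server-close`, is what actually bounds request volume per client: as the quoted documentation says, `http-server-close` only changes the server side and keeps keep-alive on the client side. Check the effect with `show table fe_http` on the stats socket, which lists the tracked sources and their current `http_req_rate`.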
-----Original Message-----
From: Christopher Faulet
Sent: Monday, 20 September 2021 19:04
To: Stefan Behte ; haproxy@formilux.org
Subject: Re: Disabling HTTP/1.1 pipelining
On 9/17/21 at 1:20 PM, Stefan Behte wrote:
> Hi everyone,
>
> surely many on this list have heard about the Meris botnet
> (https://krebsonsecurity.com/2021/09/krebsonsecurity-hit-by-huge-new-iot-botnet-meris/)
>
> which uses HTTP/1.1 pipelining for layer 7 attacks.
>
> As far as I can see, it's not possible to disallow HTTP pipelining in
> haproxy,
> so the best possibility could be "option httpclose"?
>
> Of course, this does not solve everything when a ~100k botnet is attacking,
> but
> it could ease the initial load / mitigate the pipelining vector a bit, as the
> attack clients have longer RTT.
>
> Or maybe I am missing something?
>
Hi,
HAProxy does not support HTTP pipelining. But it may be configured to mitigate
DDoS attacks. There are several mechanisms that you can use, depending on your
applications. A quick search on the net about "haproxy ddos prevention" will
give you several hints.
Regards,
--
Christopher Faulet