Re: Disabling HTTP/1.1 pipelining

2021-09-21 Thread Stefan Behte
Hi Christopher,

thank you for the hint. I'm aware of the different ways to mitigate DDoS with 
rate limits etc.; I was just curious about the pipelining vector. :)

http://www.haproxy.org/download/2.4/doc/configuration.txt says:

" By default HAProxy operates in keep-alive mode with regards to persistent
  connections: for each connection it processes each request and response, and
  leaves the connection idle on both sides between the end of a response and
  the start of a new request. This mode may be changed by several options such
  as "option http-server-close" or "option httpclose". Setting "option
  http-server-close" enables HTTP connection-close mode on the server side
  while keeping the ability to support HTTP keep-alive and pipelining on the
  client side."

"1.1. The HTTP transaction model" and " timeout http-keep-alive" also mention 
pipelining.

So I guess I did just misunderstand the documentation and it would be nice to 
just clarify it in the docs that haproxy does not support HTTP/1.1 pipelining.
 
Best regards,
Stefan Behte

-Original Message-
From: Christopher Faulet  
Sent: Monday, 20 September 2021 19:04
To: Stefan Behte ; haproxy@formilux.org
Subject: Re: Disabling HTTP/1.1 pipelining

On 9/17/21 at 1:20 PM, Stefan Behte wrote:
> Hi everyone,
> 
> surely many on this list have heard about the meris botnet 
> (https://krebsonsecurity.com/2021/09/krebsonsecurity-hit-by-huge-new-iot-botnet-meris/) 
> which uses HTTP/1.1 pipelining for layer 7 attacks.
> 
> As far as I can see, it's not possible to disallow HTTP pipelining in 
> haproxy, so the best possibility could be "option httpclose"?
> 
> Of course, this does not solve everything when a ~100k botnet is attacking, 
> but it could ease the initial load / mitigate the pipelining vector a bit, as 
> the attack clients have longer RTT.
> 
> Or maybe I am missing something?
> 
Hi,

HAProxy does not support HTTP pipelining. But it may be configured to mitigate 
DDoS attacks. There are several mechanisms that you can use, depending on your 
applications. A quick search on the net about "haproxy ddos prevention" will 
give you several hints.

Regards,
-- 
Christopher Faulet
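An HAProxy configuration that puts the two pieces discussed above together, added here as an illustration and not taken from any message in the thread: `option httpclose` (the connection-close mode quoted from the 2.4 documentation) combined with a per-source request-rate limit kept in a stick table, one of the mitigation mechanisms Christopher refers to. The frontend and backend names, the addresses and the 50-requests-per-10-seconds threshold are assumptions.

```haproxy
# Added example (not from the thread). Assumptions: frontend "fe_web" on :80,
# backend "be_app" at 10.0.0.10:8080, threshold of 50 requests per 10 s.

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # Bound the time a client may take to send a complete request header.
    timeout http-request 10s
    # Idle time allowed between requests on a keep-alive connection.
    timeout http-keep-alive 2s

frontend fe_web
    bind :80
    # Close the client connection after each response: one request per
    # connection, so a client cannot queue many requests on one socket.
    option httpclose

    # Track the request rate per source IP over a 10 s window (up to 100k
    # entries, dropped after 30 s without traffic).
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src
    # Reject sources exceeding 50 requests per 10 s with HTTP 429. The
    # threshold is an assumption; tune it to the application's real traffic.
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 50 }

    default_backend be_app

backend be_app
    server app1 10.0.0.10:8080 check
```

Check the effect with `echo "show table fe_web" | socat stdio /path/to/haproxy.sock` (path assumed) after the stats socket is enabled, which lists the tracked sources and their current request rate.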




Disabling HTTP/1.1 pipelining

2021-09-17 Thread Stefan Behte
Hi everyone,

surely many on this list have heard about the meris botnet 
(https://krebsonsecurity.com/2021/09/krebsonsecurity-hit-by-huge-new-iot-botnet-meris/) 
which uses HTTP/1.1 pipelining for layer 7 attacks.
As far as I can see, it's not possible to disallow HTTP pipelining in haproxy, 
so the best possibility could be "option httpclose"?
Of course, this does not solve everything when a ~100k botnet is attacking, but 
it could ease the initial load / mitigate the pipelining vector a bit, as the 
attack clients have longer RTT.

Or maybe I am missing something?

Best regards,
Stefan Behte