Is there any method to block malicious clients
Hi, All

We are using haproxy since 2009 for LB. Recently we encountered some malicious clients sending requests on the same URL at an especially high rate (100 r/s, and lasting for some minutes). Is there any possibility to block such a user while still serving the normal clients? (Surely we have no idea of the malicious user's IP before (s)he attacks.)

I read the configuration manual and found we have fe_sess_rate/be_sess_rate ACLs. But it seems they are for all clients.

So, my question here is: can we find/block a malicious user based on his request rate?

Thx!

--
Fred Hu
Best Regards
Re: Is there any method to block malicious clients
One way to do this is to find it in the logs with a script and then have that script apply a black hole rule to iptables. As a matter of course, we use a similar approach to block rapid failed login attempts on servers with public-facing ssh. It works very well.

-Jerry

Jerry Champlin
Absolute Performance Inc.
Phone: 303-565-4401
--
Enabling businesses to deliver critical applications at lower cost and higher value to their customers.

On Tue, Mar 13, 2012 at 2:57 AM, fred hu <frederick...@gmail.com> wrote:
Re: Is there any method to block malicious clients
Haproxy 1.5 has src_conn_rate which can be used for that. I personally haven't used it; I just remember reading about it.

Vivek

On Tue, Mar 13, 2012 at 8:30 AM, Jerry Champlin <j...@absolute-performance.com> wrote:
Re: Is there any method to block malicious clients
Hey,

You can have a look at this article to match too many attempts on a login page :)
http://blog.exceliance.fr/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/

I don't have any time right now, but I'll write this kind of configuration example later if you can't manage to make it work.

cheers

On Tue, Mar 13, 2012 at 3:02 PM, Vivek Malik <vivek.ma...@gmail.com> wrote:
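The per-source approach Vivek and the linked article point at, written out as an HAProxy 1.5 frontend. This is an added example and not a configuration from any of the posters or from the article; the section names, the allow-listed addresses and the thresholds (1000 requests per 10 s, i.e. the 100 r/s the original question describes) are placeholders to adapt. It uses a stick table keyed by client IP so that only the offending source is refused while other clients keep being served, which is exactly what fe_sess_rate/be_sess_rate cannot do on their own.

```haproxy
# Added example (not from the thread): per-client rate limiting in HAProxy 1.5.
# Placeholder names, addresses and thresholds throughout.
frontend www
    bind :80
    mode http
    option httplog
    log global

    # One table entry per client IP. Each entry keeps:
    #   conn_rate(3s)      new connections over a sliding 3 s window
    #   http_req_rate(10s) HTTP requests over a sliding 10 s window
    # Entries are dropped 30 s after their last update.
    stick-table type ip size 200k expire 30s store conn_rate(3s),http_req_rate(10s)

    # Sources that must never be throttled (monitoring, own offices).
    # Placeholder prefixes; replace with real ones.
    acl trusted_src src 10.0.0.0/8 192.0.2.10

    # Bind every new connection to its source's table entry as counter 0.
    tcp-request connection track-sc0 src

    # Cheap first layer: a source opening more than 50 connections in 3 s is
    # rejected at the TCP level, before any HTTP parsing is spent on it.
    tcp-request connection reject if { sc0_conn_rate gt 50 } !trusted_src

    # Second layer: 1000 requests in 10 s is the sustained 100 r/s from the
    # question. That client gets HTTP 403; everyone else is unaffected.
    acl abuser sc0_http_req_rate gt 1000
    http-request deny if abuser !trusted_src

    default_backend app

backend app
    mode http
    balance roundrobin
    server app1 10.1.1.10:8080 check
    server app2 10.1.1.11:8080 check
```

Two caveats worth keeping in mind before relying on it. The table is keyed by source address, so many users behind one NAT or corporate proxy share one counter and can be denied together; size the threshold for your largest legitimate shared source, and if HAProxy itself sits behind another proxy or load balancer, `src` is that device's address and the key must come from the forwarded client address instead. Second, the deny happens inside HAProxy, so the offending client still consumes a connection slot and log line per request; the log-driven iptables rule Jerry describes is the complement for sources that keep hammering after being refused.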