On 18/10/2017 01:06 μμ, Pooja Patel wrote:
> Respected Sir,
>
> I am Pooja from University of Hyderabad. Currently I am working on a networking
> project for which I am using HAProxy as a load balancer. I have one doubt and that is:
>
> *Does HAProxy by default protect itself from DOS or TCP SYN flood attack? If
> not, then how can I protect it from these attacks?*
>
> I have done a simulation on my server using hping3 and hynae tool by flooding the
> HAProxy server with TCP SYN packets, but I am not able to see any changes in my
> statistics.
>
> Kindly go through my questions; waiting for your reply.
Before a TCP connection is handled by HAProxy, the Linux kernel processes it. So, you need to look at defense mechanisms there.

Newer kernels (see 4.9 and higher) provide very good ways to handle TCP SYN flooding; one of them is the lockless listener, see commits:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4d54d86546f62c7c4a0fe3b36a64c5e3b98ce1a9
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e6934f3ec00b04234acb24a1a2c28af59763d3b5
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c3fc7ac9a0b978ee8538058743d21feef25f7b33

With the above patches CPU utilization stays the same when a server is under TCP SYN flood, while older kernels suffer from CPU saturation.

Cheers,
Pavlos
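An added example (not code from this thread or from the HAProxy project) showing where a SYN flood does become visible when HAProxy's own stats stay flat: the kernel's TcpExt counters in /proc/net/netstat, plus the sysctls that govern SYN cookies and the SYN backlog. The counter and sysctl names are real Linux ones; the two snapshots, the alert threshold and the helper names are constructed for the example.

```python
"""Detect SYN-flood pressure from Linux kernel counters and check the related sysctls.

The kernel, not HAProxy, absorbs a SYN flood, so the evidence is in TcpExt counters
(SYN cookies sent, listen-queue drops) rather than in HAProxy's stats page.
Sample snapshots below are constructed so the script runs offline; sample_from_proc()
reads the live file on a Linux host.
"""
import time

# TcpExt counters that climb when SYN cookies kick in or the SYN/accept queues overflow.
WATCH = ("SyncookiesSent", "SyncookiesFailed", "ListenOverflows",
         "ListenDrops", "TCPReqQFullDoCookies", "TCPReqQFullDrop")

def parse_tcpext(text):
    """Parse the two 'TcpExt:' lines of /proc/net/netstat (a header line of names,
    then a line of values) into a {counter_name: int} dict."""
    rows = [line.split() for line in text.splitlines() if line.startswith("TcpExt:")]
    names, values = rows[0][1:], rows[1][1:]
    return dict(zip(names, map(int, values)))

def syn_pressure(before, after, threshold=100):
    """Return (per-counter deltas, flood_suspected). threshold is an assumed value:
    more than this many cookies/drops between snapshots is treated as a flood."""
    deltas = {k: after.get(k, 0) - before.get(k, 0) for k in WATCH}
    hits = deltas["SyncookiesSent"] + deltas["TCPReqQFullDrop"] + deltas["ListenDrops"]
    return deltas, hits > threshold

def sysctl_findings(sysctls):
    """Flag settings that weaken SYN-flood handling. sysctls: {name: int value}."""
    findings = []
    if sysctls.get("net.ipv4.tcp_syncookies", 0) != 1:
        findings.append("net.ipv4.tcp_syncookies should be 1 (cookies only under backlog pressure)")
    if sysctls.get("net.ipv4.tcp_max_syn_backlog", 0) < 1024:
        findings.append("net.ipv4.tcp_max_syn_backlog is small; the SYN queue overflows early")
    return findings

# Constructed snapshots one second apart while the listener is flooded with SYNs.
HEADER = ("TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows "
          "ListenDrops TCPReqQFullDoCookies TCPReqQFullDrop\n")
SNAP_BEFORE = HEADER + "TcpExt: 10 3 0 2 2 0 0\n"
SNAP_AFTER = HEADER + "TcpExt: 4310 9 1 2 2 4300 0\n"

def sample_from_proc(interval=1.0):
    """Live variant (Linux only): diff two reads of /proc/net/netstat."""
    with open("/proc/net/netstat") as f:
        before = parse_tcpext(f.read())
    time.sleep(interval)
    with open("/proc/net/netstat") as f:
        after = parse_tcpext(f.read())
    return syn_pressure(before, after)

if __name__ == "__main__":
    deltas, flooding = syn_pressure(parse_tcpext(SNAP_BEFORE), parse_tcpext(SNAP_AFTER))
    print(deltas, "SYN flood suspected" if flooding else "normal")
    print(sysctl_findings({"net.ipv4.tcp_syncookies": 0, "net.ipv4.tcp_max_syn_backlog": 128}))
```

On a real host the live counters are also visible via `nstat` or `netstat -s`; the parser tolerates the full TcpExt line because it pairs values with names by position.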