This is nothing new as brute force DoS attacks have been around for a while.  I 
am not sure this is an HAProxy feature or more of a mod_security/iptables 
feature.  Simple iptables rate limiting would be sufficient in thwarting this 
attack.  For example,

I am using this for SSH now, but it is very applicable to a web server: change the 
port and hitcount to numbers that are more appropriate for a webserver, like 
40 in 10 seconds.  

# Drop those nasty brute force SSH attempts and log them
# Assumes $IPTABLES and $EXTIF are set; the SSHBRUTEDROP chain (not shown in the original) logs, then drops
$IPTABLES -N SSHBRUTEDROP
$IPTABLES -A SSHBRUTEDROP -m limit --limit 3/min -j LOG --log-prefix "SSH brute force: "
$IPTABLES -A SSHBRUTEDROP -j DROP
# Record the source address of every new connection to port 22
$IPTABLES -A INPUT -p tcp --dport 22 -i $EXTIF -m state --state NEW -m recent --set
# A fourth new connection from the same source within 60 seconds is logged and dropped
$IPTABLES -A INPUT -p tcp --dport 22 -i $EXTIF -m state --state NEW -m recent \
    --update --seconds 60 --hitcount 4 -j SSHBRUTEDROP

I am using the above code to block ssh brute force attempts.

--Randall
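Added example, not from either message in this thread: the same "40 connections in 10 seconds" limit that Randall proposes for iptables, expressed as an HAProxy stick table so the rate limit is applied in front of the Apache backends Levente asks about. It assumes HAProxy 1.5 or later syntax; the frontend/backend names, port, server address and thresholds are placeholders to adjust for your site.

```haproxy
# Added example (not from the thread): per-source connection rate limiting in
# HAProxy. Assumes HAProxy 1.5+ syntax; names, ports and thresholds are placeholders.
frontend http-in
    bind *:80
    # One entry per client IP, tracking new-connection rate over 10 s and open connections
    stick-table type ip size 100k expire 60s store conn_rate(10s),conn_cur

    # Track every incoming connection by its source address
    tcp-request connection track-sc0 src

    # Reject a source that opens more than 40 connections in 10 seconds,
    # or holds more than 20 open at once, before the request reaches Apache
    tcp-request connection reject if { sc0_conn_rate gt 40 }
    tcp-request connection reject if { sc0_conn_cur gt 20 }

    default_backend apache

backend apache
    # maxconn caps what a single Apache instance is asked to handle concurrently
    server web1 127.0.0.1:8080 maxconn 100
```

Validate the file with `haproxy -c -f haproxy.cfg` before reloading, and watch the counters with `show table http-in` on the stats socket to pick thresholds that fit normal traffic before tightening them.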

-----Original Message-----
From: Levente Peres [mailto:sheri...@eurosystems.hu] 
Sent: Monday, August 22, 2011 9:54 AM
To: haproxy@formilux.org
Subject: Defending against the "Apache killer"

Hello,

There're a number of webserver-mace apps on the net, the newest that I heard of 
being the so called "Apache killer" script I saw a few days ago on Full 
Disclosure... Here you can see a demonstration of what it does. Also, I've 
attached the script itself.


http://www.youtube.com/watch?v=fkCQZaVjBhA

I believe we should discuss some possibilities about how to configure HAProxy 
to protect Apache backends as much as possible, or at least mitigate such 
attacks? Any ideas?

Cheers,

Levente
