On Wed, Jan 14, 2015 at 5:00 PM, Christian Ruppert <c.rupp...@babiel.com> wrote:
> Hey guys,
>
> just a thought... wouldn't it make sense to add an option to "tcp-request
> connection reject" to disable the actual TCP RST? So, an attacker tries to
> (keep) open a lot of ports:
>
> a) HAProxy (configured with rate limiting etc.) does a "tcp-request connection
> reject" which ends up as a TCP RST. The attacker gets the RST and immediately again
> b) the same as a) but the socket will be closed on the server side but no RST,
> nothing will be sent back to the remote side. The connections on the remote side
> will be kept open until timeout.
>
> Wouldn't it make sense to implement an option for b) so it can be used during
> major attacks or so?
>

Hi Christian,

Have you had a look at tarpit related options from HAProxy?
You can slowdown the attack thanks to it.

Baptiste
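
As an added configuration example (not from the thread, and not HAProxy's own documentation), here is how variant a) from the question and the tarpit approach Baptiste points to look side by side in a HAProxy 1.5-era configuration. The rate threshold of 20 connections per 10 s, the stick-table size, the tarpit duration and the backend address are assumed values chosen for illustration:

```haproxy
# Added illustration, not from the mailing-list thread.
# Thresholds, table sizes, timeouts and addresses are made-up example values.

defaults
    mode    http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # How long a tarpitted request is held open before HAProxy answers with
    # an error and closes it.
    timeout tarpit  60s

frontend fe_web
    bind :80

    # Per-source connection-rate tracking: counter sc0 is bound to the
    # client IP, and conn_rate(10s) counts new connections per 10 s window.
    stick-table type ip size 100k expire 60s store conn_rate(10s)
    tcp-request connection track-sc0 src

    # Variant a) from the question: reject at accept time. The socket is
    # closed immediately, the client finds out at once and can simply retry.
    # Cheap for HAProxy, but equally cheap for the attacker.
    # tcp-request connection reject if { sc0_conn_rate gt 20 }

    # Tarpit instead: the request is read, then the connection is held idle
    # for "timeout tarpit" before an error is returned. Each abusive request
    # now ties up the attacker's socket (and one HAProxy session) for 60 s
    # instead of a few milliseconds.
    http-request tarpit if { sc0_conn_rate gt 20 }

    default_backend be_app

backend be_app
    server app1 192.0.2.10:8080 check
```

Two caveats worth keeping in mind with this setup. `http-request tarpit` is an HTTP-level action, so it only fires once a complete request has been parsed; a client that opens a socket and sends nothing is governed by `timeout http-request` instead, and in `mode tcp` the tarpit action is not available at all. Second, a tarpitted connection still occupies a session slot that counts toward the frontend's `maxconn` for the whole `timeout tarpit`, so the limit and the timeout have to be sized together or the tarpit itself becomes the resource an attacker exhausts. For the record, the behaviour Christian asks for in b) was added in a later release: HAProxy 1.6 introduced the `silent-drop` action (`tcp-request connection silent-drop`), which closes the connection while trying to avoid notifying the peer, so the client's socket stays open until its own timeout.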
