Hi Baptiste, tarpit is pretty handy but as far as I understood it will keep the connection open, on both sides. So at some point (pretty quickly actually) we cannot handle any more connections on that host. The host will become slow and/or unresponsive. When we close the connection on our local side but don't notify the remote side, it will probably exhaust the attacker and we could handle more connections and/or free and re-use such connections that have been classified too much.
On 01/14/2015 05:28 PM, Baptiste wrote:
> On Wed, Jan 14, 2015 at 5:00 PM, Christian Ruppert <c.rupp...@babiel.com> wrote:
>> Hey guys,
>>
>> just a thought... wouldn't it make sense to add an option to "tcp-request
>> connection reject" to disable the actual TCP RST? So, an attacker tries to
>> (keep) open a lot of ports:
>>
>> a) HAProxy (configured with rate limiting etc.) does a "tcp-request connection
>> reject" which ends up as a TCP RST. The attacker gets the RST and immediately
>> again
>> b) the same as a) but the socket will be closed on the server side but no RST,
>> nothing will be sent back to the remote side. The connections on the remote side
>> will be kept open until timeout.
>>
>> Wouldn't it make sense to implement an option for b) so it can be used during
>> major attacks or so?
>>
>
> Hi Christian,
>
> Have you had a look at tarpit related options from HAProxy?
> You can slowdown the attack thanks to it.
>
> Baptiste
>

--
Kind regards,
Christian Ruppert
System administrator

Babiel GmbH
Erkrather Str. 224 a
D-40233 Düsseldorf
Tel: 0211-179349 0
Fax: 0211-179349 29
c.rupp...@babiel.com
http://www.babiel.com

Managing directors: Georg Babiel, Dr. Rainer Babiel, Harald Babiel
Amtsgericht Düsseldorf HRB 38633
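For readers following the thread, here is an added configuration example (not from the thread, and not HAProxy's own documentation) showing the two defensive mechanisms being compared: a rate-limited "tcp-request connection reject", which answers with a TCP RST and frees the local socket immediately, and an "http-request tarpit", which holds the connection open on both ends for "timeout tarpit". The frontend name, backend name, thresholds, timeouts and the "maxconn" value are assumptions chosen for illustration. The comments spell out the trade-off Christian raises: a tarpitted connection still occupies a slot in HAProxy's own "maxconn" budget, so the tarpit timeout and the per-source thresholds must be sized so that the tarpit cannot exhaust the proxy itself.

```haproxy
# Added example configuration (assumed names and thresholds, not from the thread).
global
    # Upper bound on concurrent connections HAProxy will accept.
    # Tarpitted connections count against this, so keep it in mind
    # when choosing "timeout tarpit" below.
    maxconn 20000

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # How long a tarpitted connection is held before HAProxy closes it.
    # Longer slows the attacker more but ties up a local slot for longer.
    timeout tarpit 10s

frontend fe_public
    bind *:80
    # Per-source counters: connection rate over 10s and current open connections.
    stick-table type ip size 100k expire 60s store conn_rate(10s),conn_cur

    # Track the client address in the table for every new TCP connection.
    tcp-request connection track-sc0 src

    # Mechanism 1: reject at the TCP layer. HAProxy sends a RST and the
    # local socket is released at once. Cheap for the proxy; the remote
    # side learns immediately that it was refused.
    tcp-request connection reject if { sc0_conn_rate gt 50 }

    # Mechanism 2: tarpit at the HTTP layer. The request is parsed, then the
    # connection is held silently for "timeout tarpit" and closed with an
    # error. This costs the remote side a held connection, but it costs
    # HAProxy one "maxconn" slot for the same period, which is the concern
    # raised in the thread. Apply it to a narrower set of clients than the reject.
    http-request tarpit if { sc0_conn_cur gt 20 }

    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080 check
```

The ordering matters: "tcp-request connection" rules run before any HTTP parsing, so the reject is evaluated first and protects the tarpit rule from being reached by the highest-rate sources. A simple way to check the exposure is maxconn divided by timeout tarpit: with the values above, a client would need to sustain roughly 2000 new tarpitted connections per second to fill all slots, while the reject threshold caps any single source well below that.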