Hi!

> just a thought... wouldn't it make sense to add an option to "tcp-request
> connection reject" to disable the actual TCP RST?

I don't see how. The socket is immediately close()'ed when it hits "tcp-request
connection reject", this is as cheap as it gets.



> So, an attacker tries to (keep) open a lot of ports:

There are no open ports, "tcp-request connection reject" closes sockets.



> a) HAProxy (configured with rate limiting etc.) does a "tcp-request
> connection reject" which ends up as a TCP RST. The attacker gets the
> RST and immediately again

Are you saying that an attacker retransmits faster because of the RST?
That's nonsense, an attacker doesn't care about the RST at all.



> b) the same as a) but the socket will be closed on the server side but no RST,
> nothing will be sent back to the remote side. The connections on the remote
> side will be kept open until timeout.

An attacker doesn't keep state on his local machine if his intention is to SYN
flood you.



> When we close the connection on our local side but don't notify
> the remote side it will probably exhaust the attacker

No, really, it's not.


Haproxy cannot decide whether the TCP stack sends a RST after a close() or not;
this is the kernel's job.



Lukas
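For reference, the kind of rate-limited "tcp-request connection reject" setup discussed in this thread, as an added configuration example that is not from the thread or from the HAProxy project; the frontend/backend names, addresses and thresholds are assumed values.

```haproxy
# Added example (not from the thread): a frontend that tracks the per-source
# connection rate in a stick-table and rejects abusive sources as early as
# possible with "tcp-request connection reject". Names, addresses and
# thresholds below are assumed values, not taken from the discussion.
frontend fe_web
    bind :80
    mode http

    # Per-source-IP table: connection rate over 10 s and current
    # concurrent connections. Entries expire 30 s after last update.
    stick-table type ip size 100k expire 30s store conn_rate(10s),conn_cur

    # Track the source address before the reject rules are evaluated
    # (tcp-request connection rules run in order, at accept time).
    tcp-request connection track-sc0 src

    # A rejected socket is simply close()'d by haproxy right after accept;
    # whether the peer then sees an RST or a FIN is up to the kernel's TCP
    # stack, not to haproxy.
    tcp-request connection reject if { sc0_conn_rate gt 50 }
    tcp-request connection reject if { sc0_conn_cur gt 20 }

    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080
```

Because the reject happens only after the kernel has completed the handshake and accept(), it bounds the work haproxy spends per abusive source; it does nothing against a SYN flood, which never reaches accept() in the first place.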
