Hi!

> just a thought... wouldn't it make sense to add an option to "tcp-request
> connection reject" to disable the actual TCP RST?

I don't see how. The socket is immediately close()'ed when it hits
"tcp-request connection reject", this is as cheap as it gets.

> So, an attacker tries to (keep) open a lot of ports:

There are no open ports, "tcp-request connection reject" closes sockets.

> a) HAProxy (configured with rate limiting etc.) does a "tcp-request
> connection reject" which ends up as a TCP RST. The attacker gets the
> RST and immediately again

Are you saying that an attacker retransmits faster because of the RST?
That's nonsense, an attacker doesn't care about the RST at all.

> b) the same as a) but the socket will be closed on the server side but no RST,
> nothing will be sent back to the remote side. The connections on the remote
> side will be kept open until timeout.

An attacker doesn't keep state on his local machine if his intention is
to SYN flood you.

> When we close the connection on our local side but don't notify
> the remote side it will probably exhaust the attacker

No, really, it's not. Haproxy cannot decide whether the TCP stack sends a
RST after a close() or not, this is the kernel's job.

Lukas
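The point Lukas makes, that whether the peer sees a FIN or a RST after close() is decided by the kernel and not by the application, can be observed directly. The following is an added example written for this page; it is not HAProxy code and does not run haproxy. A plain listening socket on loopback stands in for the proxy's accepted connection, and the only thing the "server" ever does with it is close(), exactly what "tcp-request connection reject" does. The three modes (a clean close, a close with unread data still queued, and a close with a zero SO_LINGER timeout) are the example's own construction; the sample request bytes are constructed input. The FIN/RST behaviour asserted here is the standard BSD/Linux semantics (RFC 1122, section 4.2.2.13: a close with unreceived data must send a RST).

```python
import select
import socket
import struct


def _pair():
    """Listening socket on loopback plus a client already connected to it.

    The three-way handshake completes inside the kernel when connect()
    returns, so a later accept() on the listener will not block.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    return srv, cli


def close_and_observe(mode):
    """Close the accepted (server) side of a TCP connection and report
    what the client sees.

    mode == "clean":   close() with nothing unread       -> kernel sends FIN
    mode == "unread":  close() with unread data queued   -> kernel sends RST
    mode == "linger0": close() with SO_LINGER {on, 0s}   -> kernel sends RST

    Returns "fin" if the client reads EOF, "rst" if it gets ECONNRESET.
    In every case the server code does the same thing: close().
    """
    srv, cli = _pair()
    try:
        if mode == "unread":
            # Constructed request; the server never reads it.
            cli.sendall(b"GET / HTTP/1.0\r\n\r\n")
        conn, _ = srv.accept()
        if mode == "unread":
            # Make sure the bytes are queued on the accepted socket before
            # we throw it away; select() reports readability without reading.
            readable, _, _ = select.select([conn], [], [], 2.0)
            assert readable, "client data did not arrive on loopback"
        if mode == "linger0":
            # l_onoff=1, l_linger=0: abortive close, RST instead of FIN.
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                            struct.pack("ii", 1, 0))
        conn.close()  # the whole of "tcp-request connection reject"
        cli.settimeout(2.0)
        try:
            data = cli.recv(1024)
        except ConnectionResetError:
            return "rst"
        return "fin" if data == b"" else "data"
    finally:
        cli.close()
        srv.close()


if __name__ == "__main__":
    for mode in ("clean", "unread", "linger0"):
        print(f"{mode:8s} -> {close_and_observe(mode)}")
```

The application code is identical in all three runs; only the state of the socket at close() time differs, and that is what the kernel uses to choose between FIN and RST. A reject that fires before any client data has been read ends in a FIN, one that discards already-received bytes ends in a RST, and in neither case is there anything for the application to opt out of.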