Hardening HAProxy Load Balancer against DDoS Attacks

HAProxy is one of the leading open source load balancers and is resilient to DoS and DDoS attacks. It can be used behind CloudFlare for an additional layer of protection, since the load balancer is placed in front of the platform and filters out 99% of the attacks, which are run by script kiddies.
In this article, we’ll see how to take advantage of HAProxy to protect your website and application against SYN flood, DoS, DDoS and Slow POST attacks.
To configure HAProxy on Ubuntu 14.04, visit here.
On your HAProxy server, edit the /etc/sysctl.conf file:
# Protection against SYN flood
net.ipv4.tcp_syncookies = 1
# Drop packets whose source address fails reverse-path validation (anti-spoofing)
net.ipv4.conf.all.rp_filter = 1
# Size of the queue for half-open (SYN_RECV) connections
net.ipv4.tcp_max_syn_backlog = 1024

Block Slowloris and DoS Attacks

Now edit /etc/haproxy/haproxy.cfg:

global
    maxconn 20000
    pidfile /var/run/haproxy.pid
    stats socket /var/run/haproxy.stat mode 600
    daemon

defaults
    mode http
    maxconn 19500                 # Should be slightly smaller than the global maxconn.
    timeout http-request 5s       # Drop clients that do not send a complete request header within 5s (Slowloris).
    option abortonclose           # Abort requests still queued when the client closes early.
    option http-server-close      # Close the server-side connection after each response.

To Mitigate Slow POST Attacks

Visit Configure HAProxy to Protect from Slow POST Attack.

Tune the HAProxy configuration to your requirements to harden it further against attacks, for example by building more complex rules such as whitelists, blacklists and ACLs.
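As an added example (not part of the original post), the frontend below shows one way to build such whitelist/blacklist and per-source rate-limit rules with ACLs and a stick table; the list file paths, backend name and thresholds are assumptions and should be adjusted to your traffic profile.

```haproxy
frontend www
    bind *:80

    # Assumed list files: one IP or CIDR per line.
    acl whitelisted src -f /etc/haproxy/whitelist.lst
    acl blacklisted src -f /etc/haproxy/blacklist.lst

    # Known-bad sources are rejected before any HTTP parsing happens.
    tcp-request connection reject if blacklisted

    # Track each source IP: new-connection rate and HTTP request rate over 10s,
    # plus the number of concurrent connections.
    stick-table type ip size 100k expire 30s store conn_rate(10s),conn_cur,http_req_rate(10s)
    tcp-request connection track-sc0 src

    # Reject sources opening more than 20 connections in 10s or holding more than
    # 10 at once (typical of Slowloris / connection floods), unless whitelisted.
    tcp-request connection reject if { sc0_conn_rate gt 20 } !whitelisted
    tcp-request connection reject if { sc0_conn_cur gt 10 } !whitelisted

    # Deny sources sending more than 100 requests in 10s (application-layer flood).
    http-request deny if { sc0_http_req_rate gt 100 } !whitelisted

    default_backend app   # assumed backend name
```

Check the counters with `show table www` on the stats socket configured in the global section to see which sources are hitting the limits before tightening the thresholds.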

World-leading organizations use HAProxy within their infrastructure. Click here.

Stay tuned for more info…
