Mitigate DDoS attack with HAProxy [duplicate]

Solution 1:

I think you're going after the wrong potential fix for this scenario. If you're being DDoSed then the only real route of mitigation you have is to talk to your upstream providers and get them to null-route/blackhole the traffic before it gets to your network. Otherwise, no matter what you do, it'll still be reaching the edge of your network, and potentially (probably) saturating the connection at your end.

The only thing to do is to have it blocked before it reaches the edge of your network. Any kind of DDoS mitigation scenario is unlikely to be as useful, as the traffic has to get onto your network before it can be ignored/blocked/dropped. As a result, it'll still eat your bandwidth.

Solution 2:

In addition, simply increasing the number of available workers can make the problem worse if you don't actually have enough memory available for all those child processes. You'll start swapping to disk and your machine will grind to a halt. Surprised that no one mentioned mod_evasive or mod_security, too; having some automated heuristics to block access to computationally-expensive resources helps quite a bit in the case where your upstream won't or can't nullroute.

EDIT: this was a comment, but I turned it into an answer per @Tom O'Connor's suggestion.
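The "automated heuristics" Solution 2 points at boil down to counting requests per client over a short window, which is what mod_evasive's page/site counters (DOSPageCount, DOSSiteCount and their intervals) do. The following is an added example, not code from the answer's author or from mod_evasive itself: it replays constructed Apache combined-format log lines through two sliding-window counters and reports which clients crossed a threshold. The thresholds, the sample addresses (RFC 5737 documentation ranges) and the log lines are all made up for the illustration; the point is the shape of the detection, which is cheap enough to run on the edge even while the "real" fix (upstream nullrouting) is being arranged.

```python
"""
mod_evasive-style request-rate heuristic over web server access logs.

Two counters, mirroring the page/site distinction mod_evasive draws:
  * the same client asking for the same path more than PAGE_COUNT times
    within PAGE_INTERVAL seconds, and
  * the same client making more than SITE_COUNT requests of any kind
    within SITE_INTERVAL seconds.
Thresholds, sample traffic and output format are constructed for this
example; they are not a real module's configuration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" format: client, identity, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(lines):
    """Yield (ip, timestamp, path) for each well-formed line; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        # Count by path only, so /search?q=a and /search?q=b share one counter:
        # varying the query string is the usual way to defeat a naive per-URL limit.
        path = m.group("url").split("?", 1)[0]
        yield m.group("ip"), ts, path


def _prune_and_count(window, now, interval):
    """Drop timestamps older than `interval` seconds from the deque; return what remains."""
    while window and (now - window[0]).total_seconds() > interval:
        window.popleft()
    return len(window)


def detect_abusers(lines, page_count=5, page_interval=1, site_count=8, site_interval=1):
    """Return {ip: reason} for clients that exceeded either threshold.

    Lines are processed in order, as a log tailer would see them. Once a client
    is flagged its later lines are ignored; an enforcement point would hold the
    block for a cool-down period (the role of mod_evasive's DOSBlockingPeriod).
    """
    page_hits = defaultdict(deque)   # (ip, path) -> recent request timestamps
    site_hits = defaultdict(deque)   # ip -> recent request timestamps
    flagged = {}
    for ip, ts, path in parse_log(lines):
        if ip in flagged:
            continue
        pq = page_hits[(ip, path)]
        pq.append(ts)
        if _prune_and_count(pq, ts, page_interval) > page_count:
            flagged[ip] = f"more than {page_count} requests for {path} in {page_interval}s"
            continue
        sq = site_hits[ip]
        sq.append(ts)
        if _prune_and_count(sq, ts, site_interval) > site_count:
            flagged[ip] = f"more than {site_count} requests in {site_interval}s"
    return flagged


def _line(ip, second, path, ua):
    """Build one constructed combined-format log line stamped 13:55:<second>."""
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "{ua}"')


# Constructed sample traffic (RFC 5737 documentation addresses), not from the original page.
SAMPLE_LINES = (
    # one client hammering an expensive search endpoint with varying query strings
    [_line("203.0.113.10", 36, f"/search?q={i}", "curl/7.68.0") for i in range(6)]
    # one client sweeping many distinct pages within a single second
    + [_line("192.0.2.50", 37, f"/page{i}.html", "python-requests/2.31") for i in range(10)]
    # an ordinary visitor fetching two pages a couple of seconds apart
    + [_line("198.51.100.7", 37, "/index.html", "Mozilla/5.0"),
       _line("198.51.100.7", 39, "/about.html", "Mozilla/5.0")]
    # a malformed line the parser must skip rather than crash on
    + ["garbage line that does not match the log format"]
)

if __name__ == "__main__":
    for client, reason in detect_abusers(SAMPLE_LINES).items():
        print(f"block {client}: {reason}")
```

The two-counter split matters: a per-page limit alone misses a client that spreads load over many distinct expensive URLs, while a per-site limit alone has to be set loosely enough that a normal page with a dozen sub-resources does not trip it. Anything this flags is a candidate for a firewall or HAProxy deny rule, but, as Solution 1 notes, dropping the requests here only protects the application server; the packets have already consumed the link.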