A client’s website is currently under attack, and I’ve been called in to fix it.
A huge number of IPs (easily over 5,000) is constantly hitting /login, presumably trying to bruteforce their way in.
I’ve changed the site so the page returns a 500 error, but they’re not giving up. Obviously this is no good for the real users, who now can’t log in.
Load balancing is done via HAProxy, which I have very little knowledge of (although I have a lot more than I did a few hours ago). I’ve tried lots of sensible things that I’ve found online but none seem to have helped, probably because there is such a big block of IPs performing the attack.
Onto the question, then: How can I reject an IP if it hits /login more than X times in Y seconds?
And, subpoint - how can I see a log of rejections so I know it’s actually working?
Here is a sample of the haproxy.log:
Jun 3 14:24:50 hap-server haproxy: 18.104.22.168:15290 [03/Jun/2017:14:24:49.505] www-https-test~ www-backend/www-03 751/0/202/38/991 500 220 - - ---- 428/428/120/38/0 0/0 "GET /login HTTP/1.1" Jun 3 14:24:50 hap-server haproxy: 22.214.171.124:47804 [03/Jun/2017:14:24:49.505] www-https-test~ www-backend/www-04 751/0/202/38/991 500 220 - - ---- 428/428/119/42/0 0/0 "GET /login HTTP/1.1" Jun 3 14:24:50 hap-server haproxy: 126.96.36.199:53176 [03/Jun/2017:14:24:49.505] www-https-test~ www-backend/www-02 751/0/202/38/991 500 220 - - ---- 428/428/118/38/0 0/0 "GET /login HTTP/1.1"