HAProxy community

DDoS attack & infrastructure disclosure through unencoded cookie

Hi HAProxy gurus!

Some time ago I read about the possibility of obtaining backend servers' IPs, disclosing the infrastructure (and enabling attacks like DDoS), by using a simple operation to decode session cookies.

In short, this method concerns the HTTP cookie "insert" type, which is commonly used for cookie persistence of HTTP traffic.
This is a common setup (and not only in F5 balancers) because of its ease: all cookies are generated on the balancer, and none of the backend servers need to be set up to answer with a server-specific cookie.

After the attacker obtains a backend server IP, a ton of traffic is sent to it -> the balancer excludes that backend server from the pool -> the attacker obtains the NEXT backend server IP and sends a ton of traffic to it -> the balancer excludes that backend server from the pool -> and again and again.

Of course, after some time the balancer puts the previously excluded backend back into the server pool, but before that the service quality degrades, and in some cases this costs the company a lot of money…

How is HAProxy guarded against this type of infrastructure disclosure?
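The check below is an added example, not part of the original post or of HAProxy itself. It shows the decoding the post alludes to and the inspection an operator can run against their own balancer's Set-Cookie headers. Two cookie shapes disclose a backend: the documented F5 BIG-IP insert format (IPv4 address as a little-endian 32-bit integer, then the port as a byte-swapped 16-bit integer, then `0000`), and a value that is simply the server's address, which is what an HAProxy `cookie SRV insert` backend emits if the per-server `cookie` keyword was given the server's IP rather than an opaque name. The sample headers and the pool/server names in them are constructed for this example.

```python
"""Inspect Set-Cookie headers for persistence cookies that disclose backend servers."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample headers for this example; not captured from a real balancer.
SAMPLE_HEADERS = [
    # F5-style insert cookie: <ip as little-endian int>.<port byte-swapped>.0000
    "BIGipServerpool_web=1677787402.36895.0000; path=/",
    # HAProxy 'cookie SRV insert' with an opaque per-server cookie value: nothing to decode
    "SRV=web01; path=/; HttpOnly",
    # Same directive, but the admin used the server address as the cookie value: leaks it
    "SRV=10.0.0.12:8080; path=/",
    # Plain IPv4 without a port
    "LB=192.168.5.7; path=/",
    # Hash-style value (e.g. a keyed dynamic cookie): opaque to the client
    "SRV=7b0e6f2a1c3d9e4f5a6b7c8d9e0f1a2b3c4d5e6f; path=/",
]

_F5_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
_IP_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:[:_](\d{1,5}))?$")


def decode_f5_cookie(value: str) -> Optional[Tuple[str, int]]:
    """Decode the F5 BIG-IP insert-cookie format.

    First field: IPv4 address as a little-endian 32-bit decimal integer.
    Second field: TCP port as a byte-swapped 16-bit decimal integer.
    Returns (ip, port), or None if the value is not F5-shaped.
    """
    m = _F5_RE.match(value)
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    ip = ipaddress.IPv4Address(int.from_bytes(ip_int.to_bytes(4, "little"), "big"))
    port = int.from_bytes(port_int.to_bytes(2, "little"), "big")
    return str(ip), port


def decode_literal_address(value: str) -> Optional[Tuple[str, int]]:
    """Spot cookie values that are just an IPv4 address, optionally with a port
    (what an HAProxy backend emits if 'cookie 10.0.0.12:8080' was configured).
    Port 0 means no port was present in the value."""
    m = _IP_PORT_RE.match(value)
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group(1))  # rejects octets > 255
    except ipaddress.AddressValueError:
        return None
    port = int(m.group(2)) if m.group(2) else 0
    if port > 0xFFFF:
        return None
    return str(ip), port


def find_disclosed_backends(set_cookie_headers: List[str]) -> List[Tuple[str, str, int, str]]:
    """Return (cookie_name, backend_ip, backend_port, encoding) for every
    Set-Cookie value that decodes to a backend address. Opaque values are skipped."""
    findings = []
    for header in set_cookie_headers:
        pair = header.split(";", 1)[0].strip()  # drop path/HttpOnly/etc. attributes
        if "=" not in pair:
            continue
        name, value = (s.strip() for s in pair.split("=", 1))
        for encoding, decoder in (("f5", decode_f5_cookie), ("literal", decode_literal_address)):
            decoded = decoder(value)
            if decoded:
                findings.append((name, decoded[0], decoded[1], encoding))
                break
    return findings


if __name__ == "__main__":
    for name, ip, port, enc in find_disclosed_backends(SAMPLE_HEADERS):
        print(f"{name}: backend {ip}:{port} disclosed ({enc} encoding)")
```

Run against the sample headers, the F5-style cookie decodes to 10.1.1.100:8080 and the two literal-address cookies are reported, while the opaque `web01` and hash-style values are not, since there is nothing in them for a client to decode.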