DDoS protection using rate limits


We are planning to implement rate limits at the HAProxy layer to prevent DDoS attacks. I know DDoS prevention is challenging due to the nature of the attack. To prevent DDoS attacks, we should have multiple layers of checks and balances.

We are thinking of leveraging HAProxy rate limits as one way to prevent or reduce the attack surface. We have HAProxy acting as an HTTP proxy with SSL termination. We host hundreds of applications and the traffic scale is very high; each application has its own hostname and goes via HAProxy to backend Kubernetes ingress/services.

HAProxy has a single frontend and backend. I came up with the configuration below, and it is working as expected in the dev environment.

# ACL values are space-separated; monitoring1_ip / monitoring2_ip are placeholders for the real addresses
acl whitelist src monitoring1_ip monitoring2_ip

# per-source-IP table; expire matches the 30s rate window
stick-table type ip size 100k expire 30s store http_req_rate(30s)
# track only sources that are neither whitelisted nor sending POST (both conditions, so AND not OR;
# named ACLs are referenced without braces, METH_POST is a predefined ACL)
http-request track-sc0 src if !whitelist !METH_POST
http-request deny deny_status 429 if { sc_http_req_rate(0) gt 1000 }

Identifying the correct number to deny is challenging. If we keep a higher number, it defeats the DDoS purpose; keeping a small number will stop genuine traffic. I was looking into logs and analyzing the average count coming in on any given day or hour.

Apart from number tuning, do you have any recommendations to tune this configuration further? I am allowing a few trusted IPs since they are our monitoring nodes and don't want to apply rate limits to these IPs. I also don't want to apply rate limits to POST traffic as it creates more problems for genuine traffic.
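One way to turn the log analysis mentioned above into a concrete threshold is to replay the HAProxy access log through the same 30-second, per-source-IP window the stick-table uses, skipping the whitelisted sources and POST requests that the tracking rule excludes, and then look at the distribution of per-IP counts. The script below is an added example, not part of the original post or of HAProxy; it assumes the default HAProxy HTTP log format, a constructed whitelist address (192.0.2.10) and constructed sample log lines, and uses a nearest-rank percentile. The idea generalises beyond the single-IP key shown: the bucketing key can be extended (for example to host + IP) if the limit is later applied per application.

```python
import math
import re
from collections import Counter
from datetime import datetime, timezone

# Default HAProxy HTTP log line: "<client_ip>:<port> [<accept timestamp>] ... "<METHOD> <path> HTTP/x.y""
LOG_RE = re.compile(
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ \[(?P<ts>[^\]]+)\] .* "(?P<method>[A-Z]+) '
)

WINDOW_SECONDS = 30            # same window as http_req_rate(30s) in the stick-table
WHITELIST = {"192.0.2.10"}     # constructed stand-in for the monitoring-node IPs (assumption)


def parse_line(line):
    """Return (ip, epoch_seconds, method) for a log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return m.group("ip"), ts.timestamp(), m.group("method")


def window_counts(lines, window=WINDOW_SECONDS, whitelist=WHITELIST):
    """Requests per (source ip, window) for the traffic the track-sc0 rule would count.

    Whitelisted sources and POST requests are skipped to mirror 'if !whitelist !METH_POST'.
    """
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, epoch, method = parsed
        if ip in whitelist or method == "POST":
            continue
        counts[(ip, int(epoch // window))] += 1
    return counts


def percentile(values, pct):
    """Nearest-rank percentile of a non-empty list; pct in (0, 100]."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(lines):
    """Distribution of per-IP requests per window: max, median and 99th percentile.

    The gap between p99 and max is what the 'deny' threshold must sit in: above the
    busiest legitimate window, below what a flood produces.
    """
    counts = window_counts(lines)
    values = list(counts.values())
    busiest_key, busiest = counts.most_common(1)[0]
    return {
        "max": busiest,
        "busiest_ip": busiest_key[0],
        "p50": percentile(values, 50),
        "p99": percentile(values, 99),
        "windows": len(values),
    }


def _log(ip, hhmmss, method):
    """Constructed sample line in the default HAProxy HTTP log format."""
    return (
        f"Mar 10 {hhmmss} lb haproxy[1234]: {ip}:51234 [10/Mar/2024:{hhmmss}.000] "
        f"fe~ be/srv 0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 \"{method} /api HTTP/1.1\""
    )


# Constructed sample log: one busy GET client, its POSTs (excluded), a quieter client,
# the whitelisted monitor (excluded), and one request that falls into the next 30s window.
SAMPLE_LOG = (
    [_log("203.0.113.5", f"10:00:0{s}", "GET") for s in range(1, 6)]
    + [_log("203.0.113.5", "10:00:06", "POST"), _log("203.0.113.5", "10:00:07", "POST")]
    + [_log("198.51.100.7", f"10:00:1{s}", "GET") for s in range(0, 3)]
    + [_log("192.0.2.10", "10:00:15", "GET"), _log("192.0.2.10", "10:00:16", "GET")]
    + [_log("203.0.113.5", "10:00:45", "GET")]
)

if __name__ == "__main__":
    # Run against a real log with: python3 rate_windows.py < /var/log/haproxy.log
    import sys
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    print(summarize(lines))
```

Feeding a full day of production logs through `summarize` gives the highest per-IP count any legitimate client produced in a 30-second window; the `deny` threshold needs to clear that with some headroom, and comparing p99 with max quickly shows whether a handful of heavy-but-legitimate sources (scrapers, partner integrations, NAT gateways) should join the whitelist rather than push the global number up.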