How to enable DDoS protection?

Hi there,

I’m using HAP on and off for a bit now and now I’m trying confgure DDoS protection per frontend, to block a connection for 5 mints, if it receives more than 200 requests per second from the same source IP, taking the fact into account that mutiple source-ips can/will be used to launch the attack. I looked into various blogposts and posts in the Internet and more I see I get more confused about the correct counfig that I need to have for my purpose.

Below are the all the configurations that I have collected so far:

backend ip_rates_abuse
  stick-table type ip size 200k expire 5m store gpc0,conn_cur,conn_rate(10s),http_req_rate(10s),http_err_rate(10s)

frontend fe_dev_mydomain_com
  ## ----- TCP Layer DDoS protection ------------ ##
  timeout       tarpit 15s
  tcp-request   inspect-delay 5s
  tcp-request   content reject if { src_conn_rate(ip_rates_abuse) ge 200 }
  tcp-request   content reject if { src_conn_cur(ip_rates_abuse) ge 500 }
  tcp-request   content reject if { src_get_gpc0(ip_rates_abuse) gt 0 }
  tcp-request   session track-sc0 src table ip_rates_abuse
  acl           too_many_reqs sc_http_req_rate(0) gt 200
  http-request  set-var(txn.ratelimited) str(RATE-LIMITED) if too_many_reqs
  http-request  capture var(txn.ratelimited) len 12
  http-request  deny deny_status 429 if too_many_reqs
  use_backend   be_waf if no_tarpit || tarpit_max_capacity

and then in the backend:

backend be_waf
  acl          too_many_clicks sc1_http_req_rate gt 200
  acl          mark_as_abuser sc0_inc_gpc0(ip_rates_abuse) gt 0
  tcp-request  content track-sc1 src table ip_rates_abuse
  tcp-request  content reject if too_many_clicks mark_as_abuser

I’m pretty sure I didn’t understand a number of things but did I do it right? Looks like a bit overdoing to me and seems not working either. Can anyone suggest me the minimum config that I should have to achieve my goal pls?

Not sure if it helps in this context but this is how my HAP is configured:

  1. The HAP is behind a AWS Network Load-balancer (NLB), running in TCP mode

  2. Multiple sites/domains come in through an universal frontend (fe_https) and then based on the domain, it’s forwarded to the domain specific backend, like this:

    frontend fe_https
      mode              tcp
      option            tcplog
      bind              *:443 tfo accept-proxy
      tcp-request       inspect-delay 5s
      tcp-request       content accept if { req.ssl_hello_type 1 }
      use_backend       be_dev_mydomain_com if { req.ssl_sni -i -m dom }
      use_backend       be_stg_mydomain_com if { req.ssl_sni -i -m dom }
      default_backend   be_tarpit
  3. Those backends then forward the connection to the localhost on a dedicated port per associated domain-specific frontend, like this:

    backend be_dev_mydomain_com
      mode              tcp
      option            tcp-check
      option            tcp-smart-connect
      timeout           queue 15s
      server            dev_mydomain_com check send-proxy-v2
  4. The forntend(s) has all the necessary config to do stuff like TLS offloading, DDoS protection etc. and then it uses an universal backend, to forward the connection to AWS Application Load-balancer (ALB):

    frontend fe_dev_mydomain_com
      bind     tfo accept-proxy ssl ...
      option            http-buffer-request
      option            forwardfor except
      default_backend   be_tarpit
      use_backend       be_waf if no_tarpit || tarpit_max_capacity
    backend be_waf
      option       httpchk
      http-check   expect ! rstatus ^5
      server       aalibc <server_addr>:8080 check resolvers awsdns init-addr last,libc,none

Any help will be greatly appreciated.