How to enable DDoS protection?

Hi there,

I’ve been using HAP on and off for a bit now, and now I’m trying to configure DDoS protection per frontend, to block a connection for 5 minutes if it receives more than 200 requests per second from the same source IP, taking into account the fact that multiple source IPs can/will be used to launch the attack. I looked into various blog posts and posts on the Internet, and the more I see, the more confused I get about the correct config that I need for my purpose.

Below are all the configurations that I have collected so far:

    backend ip_rates_abuse
      stick-table type ip size 200k expire 5m store gpc0,conn_cur,conn_rate(10s),http_req_rate(10s),http_err_rate(10s)

    frontend fe_dev_mydomain_com
      .....
      ## ----- TCP Layer DDoS protection ------------ ##
      timeout       tarpit 15s
      tcp-request   inspect-delay 5s
      #
      tcp-request   content reject if { src_conn_rate(ip_rates_abuse) ge 200 }
      tcp-request   content reject if { src_conn_cur(ip_rates_abuse) ge 500 }
      tcp-request   content reject if { src_get_gpc0(ip_rates_abuse) gt 0 }
      tcp-request   session track-sc0 src table ip_rates_abuse
      #
      acl           too_many_reqs sc_http_req_rate(0) gt 200
      http-request  set-var(txn.ratelimited) str(RATE-LIMITED) if too_many_reqs
      http-request  capture var(txn.ratelimited) len 12
      http-request  deny deny_status 429 if too_many_reqs
      .....
      use_backend   be_waf if no_tarpit || tarpit_max_capacity

and then in the backend:

    backend be_waf
      acl          too_many_clicks sc1_http_req_rate gt 200
      acl          mark_as_abuser sc0_inc_gpc0(ip_rates_abuse) gt 0
      tcp-request  content track-sc1 src table ip_rates_abuse
      tcp-request  content reject if too_many_clicks mark_as_abuser
      .....

I’m pretty sure I didn’t understand a number of things, but did I do it right? It looks like a bit of overdoing to me and doesn’t seem to be working either. Can anyone suggest the minimum config that I should have to achieve my goal, please?

Not sure if it helps in this context but this is how my HAP is configured:

  1. The HAP is behind an AWS Network Load-balancer (NLB), running in TCP mode

  2. Multiple sites/domains come in through a universal frontend (fe_https) and then, based on the domain, it’s forwarded to the domain-specific backend, like this:

    frontend fe_https
      mode              tcp
      option            tcplog
      bind              *:443 tfo accept-proxy
      tcp-request       inspect-delay 5s
      tcp-request       content accept if { req.ssl_hello_type 1 }
      use_backend       be_dev_mydomain_com if { req.ssl_sni -i -m dom dev.mydomain.com }
      use_backend       be_stg_mydomain_com if { req.ssl_sni -i -m dom stg.mydomain.com }
      default_backend   be_tarpit
    
  3. Those backends then forward the connection to the localhost on a dedicated port per associated domain-specific frontend, like this:

    backend be_dev_mydomain_com
      mode              tcp
      option            tcp-check
      option            tcp-smart-connect
      timeout           queue 15s
      server            dev_mydomain_com 127.0.0.1:9001 check send-proxy-v2
    
  4. The frontend(s) have all the necessary config to do stuff like TLS offloading, DDoS protection etc., and then use a universal backend to forward the connection to the AWS Application Load-balancer (ALB):

    frontend fe_dev_mydomain_com
      bind              127.0.0.1:9001 tfo accept-proxy ssl ...
      option            http-buffer-request
      option            forwardfor except 127.0.0.1
      ......
      default_backend   be_tarpit
      use_backend       be_waf if no_tarpit || tarpit_max_capacity
    
    backend be_waf
      option       httpchk
      http-check   expect ! rstatus ^5
      server       aalibc <server_addr>:8080 check resolvers awsdns init-addr last,libc,none
    

Any help will be greatly appreciated.

-S
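
The policy described in the post (refuse a source IP for 5 minutes once it exceeds 200 requests per second, per frontend), as an added example that is not part of the original post. It reuses the post's frontend name and keeps its elisions; placing the table in the frontend itself and using a 1 second rate window are assumptions made here.

```haproxy
# Added example, not the poster's configuration.
frontend fe_dev_mydomain_com
    bind 127.0.0.1:9001 tfo accept-proxy ssl ...

    # One table per frontend. gpc0 serves as the "banned" flag. An entry
    # (and its flag) expires 5 minutes after it was last refreshed or
    # matched, so a client that keeps sending requests stays banned.
    stick-table type ip size 200k expire 5m store gpc0,http_req_rate(1s)

    # "tcp-request session" rules see the client address taken from the
    # PROXY header. "tcp-request connection" rules only see the real
    # connection address, which is 127.0.0.1 in this layout.
    tcp-request session track-sc0 src

    # http_req_rate(1s) counts requests over a 1 second window, so this
    # matches "more than 200 requests per second" for the tracked source.
    # With http_req_rate(10s) the same comparison means 200 per 10 seconds.
    http-request sc-inc-gpc0(0) if { sc_http_req_rate(0) gt 200 }

    # Refuse flagged sources, including the request that set the flag.
    http-request deny deny_status 429 if { sc_get_gpc0(0) gt 0 }

    # ..... remaining directives (backend selection etc.) as in the post
```

Because each source address has its own table entry, an attack spread over many source IPs is limited per address, and `size 200k` bounds how many addresses are tracked at once.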