Looking for DDoS protection, found HAProxy


#1

I am going to purchase a VPS and install a Ruby on Rails application with Puma as web server on Ubuntu 16.04.
My hosting provider does not offer DDoS protection, so I started to look for open-source, free-to-use solutions, and found some useful documentation which also covers HAProxy.
I started to read HAProxy documentation and realized that it is a complex piece of software which functions primarily as load balancer. This might come in handy, however, before proceeding, I would like to be sure if it suits me.

As I said, I was primarily focused on finding DDoS protection, so I would appreciate any suggestion on how to configure HAProxy for this purpose, if any configuration is necessary.

Also, I would need it on a single, standalone server, serving the same machine on which it is installed. I found many tutorials, at DigitalOcean as elsewhere (at server-world for instance): all of them seem to assume that the machine where HAProxy is installed should only function as frontend for other backend servers. I wonder if HAProxy can be useful if frontend and backend are represented by a single server/machine.

Since I would be using HAProxy on an Ubuntu machine, I wonder if the deb packages come with a logrotate file, if the recommended socat, halog, tcpdump, strace packages are installed with HAProxy or should be installed separately, if HAProxy works in conjunction with iptables or other firewalls, how can I make HAProxy listen to both 80 and 443 ports, if it is possible to use sendmail/mailx to send email alerts…


#2

What haproxy can do is rate-limit and queue connections to your backend applications. That may help in situations where your backend can only handle a specific amount of concurrent requests. As it creates a bottleneck, it may actually have the opposite effect when under DDoS though - lowering the amount of traffic an attacker has to send to your VPS to Deny Service.

Haproxy may also block IPs after they crossed a certain threshold of queries. This can also help with some simple attacks.

What I have to tell you though, despite what the blog post suggests, is that you cannot protect against DDoS on your VPS itself. This is simply impossible, as on a VPS even a small amount of packets per second will probably saturate the underlying hypervisor. An attack for a few dollars will be able to flood your VPS with traffic making it unreachable.

DoS is a very complex topic, do not believe you can fix it just by adding another layer of complexity. That is not how you mitigate DoS.

What I would suggest:

  • put HTTP/HTTPS servers behind services like Cloudflare or Cloudfront, generic CDNs are also fine
  • buy VPS from vendors that provide AND have experience mitigating large scale attacks. One such provider is OVH.
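
An added configuration sketch, not part of the thread and not from any poster, showing the three mechanisms reply #2 names (per-IP rate limiting, blocking after a threshold, and queueing toward the backend) with HAProxy and Puma on the same machine, listening on both 80 and 443. The Puma address `127.0.0.1:3000`, the certificate path and every threshold are assumptions to adjust; as reply #2 states, this only shields the application from simple floods and does not help once the VPS link or hypervisor is saturated.

```haproxy
# Example values throughout: tune maxconn, rates and timeouts to the real app.
global
    maxconn 2048                      # hard cap on connections HAProxy accepts

defaults
    mode http
    timeout connect      5s
    timeout client       30s
    timeout server       30s
    timeout http-request 10s          # drop clients that send headers too slowly
    timeout queue        10s          # requests waiting longer than this get a 503

frontend www
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/site.pem   # assumed path (cert + key in one PEM)

    # Per-source-IP counters: request rate over 10s and open connections.
    stick-table type ip size 100k expire 10m store http_req_rate(10s),conn_cur
    http-request track-sc0 src

    # Threshold blocking: refuse clients above the assumed limits.
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
    http-request deny deny_status 429 if { sc_conn_cur(0) gt 20 }

    default_backend puma

backend puma
    # Same machine: Puma bound to loopback (assumed port 3000).
    # maxconn here makes HAProxy queue excess requests instead of
    # passing them all to Puma at once.
    server app1 127.0.0.1:3000 maxconn 32 check
```

The `maxconn 32` on the server line is the bottleneck reply #2 warns about: once 32 requests are in flight, further requests wait in the queue and fail after `timeout queue`, so a flood that fills the queue still denies service to legitimate users.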

#3

@lukastribus, to tell the truth I was starting to doubt that my decision to spare some little money was worth risking to deal myself with DoS attacks, and of course charging my server with extra work did not seem after all a good idea.

Thank you for your suggestions.
OVH was my first choice when I realized that their client support is really poor: that was the reason why I was pushed to look for alternative solutions. I spent weeks to get replies via tickets, usually their response time was 5/6 days and they did not answer my questions, having to deal only with sales representatives who did not understand technical questions and had no answers. So my attention was attracted by providers that offer chat support, and generally speaking better client support.

I apologize for this digression, but this is the first time I got the chance to speak about it.


#4

No need to apologize, this is definitely a question that is relevant in the context of haproxy deployments, it's just very complex and not something a single VPS can handle.