Shared IP Networks & HAProxy Rate Limiting / stick-table?

When using HAProxy’s stick-table rate limiting feature to protect from bots, how does this impact people coming from large shared IP networks?

For example, college campus networks that use one or a few shared IPs.

If a number of college students on that same shared IP network accessed the HAProxy bot-protected, stick-table website, would HAProxy detect these legit site visitors as a single IP client & take mitigation action against them based on the rate limiting settings? Or would they properly be detected as legit individual website visitors despite being on the same IP?

It depends on the key you set for stickiness (https://docs.haproxy.org/dev/configuration.html#4.2-stick%20match). If it’s the source IP (src fetch), then all computers from the network may be considered as a single client. If it’s the source_ip+source_port combination, a cookie or a browser signature, then it will allow you to see them distinctly.

Thanks for that info and for the link. I’m sure it will all be quite helpful as I figure out how to sort out my HAProxy configs. The IP+other combo options seem like they may be a good option.

If you are trying to protect against attackers, you will have to avoid using attacker provided data to distinguish users.

I don’t see how tracking source_ip+source_port will still make rate limiting work in a satisfactory way, you are basically doing rate limiting per connection.

If you add HTTP headers like User-Agent or Cookies, then rate limiting won’t even work per connection and the attacker controls when rate limits apply. You may as well remove rate limiting altogether at this point, because any attacker would be able to easily circumvent it.

The only way is perhaps to track a specific session id cookie of your application, if the authentication is non trivial for bots.
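An added HAProxy configuration (written here as an illustration, not taken from the thread or the HAProxy docs) showing one way to combine the two points above: keep a generous per-source-IP counter so a shared campus NAT is not blocked as one user, and add a stricter per-session counter keyed on the application’s session cookie. The cookie name SESSIONID, the backend names and all thresholds are assumptions.

```haproxy
# Added example (not from the thread). Tracks two counters at once:
#   sc0: source IP      -> generous cap sized for a shared/NAT'd network
#   sc1: session cookie -> stricter per-user cap for authenticated traffic
# Thresholds, the cookie name SESSIONID and the backend names are assumed.

backend st_sessions
    # Table holder: a proxy section may declare only one stick-table,
    # so the cookie-keyed table lives in its own backend.
    stick-table type string len 64 size 100k expire 10m store http_req_rate(10s)

frontend fe_web
    bind :80

    # Per-IP table. A campus NAT shares a single entry here, so keep the
    # threshold high enough that many real users do not trip it together.
    stick-table type ip size 100k expire 10m store http_req_rate(10s)
    http-request track-sc0 src

    # Per-session table, only for requests that carry the session cookie.
    # The cookie is client-supplied, so this counter must never replace
    # the IP counter: an attacker can simply omit or randomise the value.
    http-request track-sc1 req.cook(SESSIONID) table st_sessions if { req.cook(SESSIONID) -m found }

    # Deny if either counter exceeds its limit (values are illustrative).
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 500 }
    http-request deny deny_status 429 if { sc_http_req_rate(1) gt 30 }

    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080
```

Requests without a valid session still fall under the per-IP cap, so varying the cookie does not buy an attacker more than the shared-network budget; the application must still be the one that decides whether a SESSIONID is genuine.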

Thanks for the additional tips & info.

If you’re familiar with the following HAProxy blog article: Bot Protection with HAProxy, what do you think about the configs suggested there?

That’s the guide I followed in setting things up. Not using it yet, though, as I still have some additional file whitelisting to add.