Proxy solutions can be placed in front of the Appliance to provide an extra layer of protection against attacks (as well as high availability and load balancing), such as:
- DoS / DDoS attacks
- SYN flood attacks
- Slow DoS (SlowLoris) attacks
There are a number of solutions that can be used here, such as the open source Squid and HAProxy, as well as various commercial solutions.
HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications.
It is particularly suited for web sites which receive very high loads while needing persistence or Layer7 processing.
HAProxy can also be configured to help mitigate potential attacks.
If you are running your own load balancer based on HAProxy, look at the sysctl settings below (edit /etc/sysctl.conf) with regard to mitigation of SYN flood attacks.
# Protection SYN flood
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_max_syn_backlog = 1024
Note: If the attack is very large and saturates the internet bandwidth, the only solution is to ask the internet access provider to null route the attackers' IPs on its core network.
In a Slow DoS (SlowLoris) attack, clients send requests to a server very slowly, header by header or character by character, waiting a long time between each of them; the server has to wait until the end of the request before it can process it and send back the response.
The purpose of the attack is to prevent regular use of the service, as the attacker ties up all the available resources with these very slow requests.
To protect against this kind of attack, set the HAProxy option "timeout http-request". It can be set to 5s, which should be long enough. This simply tells HAProxy to give a client a 5 second time limit to send its whole HTTP request; otherwise HAProxy will close the connection with an error.
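The following is an added example of a minimal HAProxy configuration that applies the "timeout http-request 5s" setting described above together with the other per-phase timeouts it is normally combined with. It is not configuration from the original page or from the HAProxy project; the section names, server names, addresses and ports are assumptions for illustration only.

```haproxy
# Added example: minimal HAProxy configuration with the SlowLoris
# mitigation from the text. Section/server names, addresses and ports
# are assumed values, not taken from the page.
global
    log /dev/log local0
    maxconn 20000

defaults
    mode http
    log global
    option httplog
    # A client gets 5 seconds to deliver its complete HTTP request
    # (headers); after that HAProxy answers 408 and closes the connection,
    # so a slow sender cannot hold a slot open indefinitely.
    timeout http-request 5s
    # Remaining timeouts bound the other phases of a connection.
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    timeout http-keep-alive 10s

frontend fe_appliance
    bind *:80
    default_backend be_appliance

backend be_appliance
    # "check" enables health checks so a failed node is removed from rotation
    balance roundrobin
    server appliance1 192.0.2.10:8080 check
    server appliance2 192.0.2.11:8080 check
```

Validate the file before reloading with `haproxy -c -f /etc/haproxy/haproxy.cfg`. Requests cut off by this timeout show up in the HTTP log with a 408 status and the termination state `cR` (client-side timeout while waiting for the request), which makes a SlowLoris attempt easy to spot in the logs.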
HAProxy can be quite a comprehensive solution as a defense against attacks and is in use in many companies and ISPs. A good place for further information is: