Protecting Against DDoS Attacks
A denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. A distributed denial-of-service (DDoS) is a large-scale DoS attack where the perpetrator uses more than one unique IP address or machines, often from thousands of hosts infected with malware.
Rahti 2's routers are already configured to have some protection against DDoS. The timeout http-request
and others have been added to the default HAProxy router image to protect the cluster against DDoS attacks (for example, slowloris). The current configured values are:
Parameter | Default timeout | Description |
---|---|---|
http-request | 10s | HAProxy gives a client 10 seconds to send its headers HTTP request. http-request manual |
connect | 10s | Set the maximum time to wait for a connection attempt to a server to succeed. connect manual |
http-keep-alive | 10s | Set the maximum allowed time to wait for a new HTTP request to appear http-keep-alive manual |
check | 10s | Set additional check timeout, but only after a connection has been already |
established. check manual |
It is possible to enable further protections on a per route basis. These annotations must be added accordingly to the Route
you may want to protect:
Setting | Description |
---|---|
haproxy.router.openshift.io/rate-limit-connections | Enables the settings be configured (when set to true, for example). |
haproxy.router.openshift.io/rate-limit-connections.concurrent-tcp | The number of concurrent TCP connections that can be made by the same IP address on this route. |
haproxy.router.openshift.io/rate-limit-connections.rate-tcp | The number of TCP connections that can be opened by a client IP. |
haproxy.router.openshift.io/rate-limit-connections.rate-http | The number of HTTP requests that a client IP can make in a 3-second period. |