From: Tobias B. <to...@gm...> - 2012-05-21 23:00:29
I'm the sysadmin for some sites running the varnish cache and some sluggish php applications. Properly configured, Varnish can handle "the slashdot effect", which comes pretty close to a DDoS attack. However, varnish is only good at fending off legitimate traffic; a malicious client will always find ways to bypass the cache. We've had downtime due to some very simple DoS attacks (POST flood - POSTs cannot be cached, so varnish let them through directly to the php application). I'm looking for ways to rate-limit clients by now. What I want is:

* Ideally I should serve HTTP 429 to flooding IPs. Packet dropping is probably the best thing for truly malicious clients, but since false positives are a risk, I think 429 is better.
* I'd like to rate-limit the clients that get through to the PHP backend. I don't care about how much traffic a client sends to varnish; it's the traffic that gets through varnish that may be harmful.
* False positives are always a risk - I'd like actual rate-limiting, not permanent blocking of "harmful" IPs.
* The backend should not be involved.

I've attempted setting this up in varnish but without success so far, so I'm considering letting fail2ban take care of the rate-limiting logic here. Has anyone ventured down this lane before? Specifically, has anyone been playing with fail2ban and varnish before? Is fail2ban the right tool to use? (The alternative seems to be to write up a "varnish module" for rate-limiting.)
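An added example, not from the original thread, of the rate-limiting logic the post asks for: a sliding-window counter over varnishncsa log lines that only counts requests Varnish handed to the backend (pass/miss/pipe), ignores cache hits, and issues bans that expire rather than permanent blocks. The log format with a trailing `%{Varnish:handling}x` field and the sample IPs are assumptions made for the example.

```python
# Added example (not the original post's code): sliding-window rate limiter
# that counts only requests Varnish actually passed to the backend.
# Assumed log format (varnishncsa -F): '%h %t "%r" %s %{Varnish:handling}x'
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} (?P<handling>\w+)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BACKEND_HANDLING = {"pass", "miss", "pipe"}  # handling values that reach PHP


class BackendRateLimiter:
    """Per-IP sliding window over backend hits; bans are temporary."""
    def __init__(self, max_hits, window_s, ban_s):
        self.max_hits = max_hits
        self.window, self.ban = timedelta(seconds=window_s), timedelta(seconds=ban_s)
        self.hits = defaultdict(deque)  # ip -> timestamps inside the window
        self.banned_until = {}          # ip -> datetime when the 429 ban lapses

    def observe(self, line):
        """Feed one log line; return True if the request should get a 429."""
        m = LOG_RE.match(line)
        if not m:
            return False                # unparseable: never punish on guesswork
        ip, ts = m["ip"], datetime.strptime(m["ts"], TS_FMT)
        if ip in self.banned_until and ts < self.banned_until[ip]:
            return True                 # inside an active (temporary) ban
        if m["handling"] not in BACKEND_HANDLING:
            return False                # cache hit: harmless to the backend
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                 # expire hits older than the window
        if len(q) > self.max_hits:
            self.banned_until[ip] = ts + self.ban
            q.clear()
            return True
        return False


def count_429s(lines, max_hits=5, window_s=10, ban_s=60):
    """Map each IP to the number of requests that would be answered 429."""
    rl, out = BackendRateLimiter(max_hits, window_s, ban_s), defaultdict(int)
    for line in lines:
        if rl.observe(line):
            out[line.split(" ", 1)[0]] += 1
    return dict(out)

# Constructed sample: one IP floods POSTs (all passed), another only gets cache hits.
SAMPLE = [f'203.0.113.7 [21/May/2012:23:00:{i:02d} +0000] "POST /login HTTP/1.1" 200 pass'
          for i in range(8)] + [f'198.51.100.2 [21/May/2012:23:00:{i:02d} +0000] "GET / HTTP/1.1" 200 hit'
          for i in range(8)]
```

With the defaults, the sixth POST in the ten-second window trips the limit and the rest of the flood is answered 429 until the ban lapses, while the cache-hit client is never counted.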