[Fail2ban-users] using fail2ban together with varnish for DoS/DDoS-protection

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I'm the sysadmin for some sites running the varnish cache and some
sluggish php applications.  Properly configured, Varnish can handle
"the slashdot effect", which comes pretty close to a DDoS attack.
However, varnish is only good at fending off legitimate traffic, a
malicious client will always find ways to bypass the cache.  We've had
downtime due to some very simple DoS-attacks (POST flood - POSTs
cannot be cached so varnish let them through directly to the php
application).  I'm looking for ways to rate-limit clients by now.

What I want is:

* Ideally I should serve HTTP 429 to flooding IPs.  Packet dropping is
probably the best thing for truly malicious clients, but since false
positives is a risk, I think 429 is better.

* I'd like to rate-limit the clients that get through to the PHP
backend.  I don't care about how much traffic a client sends to
varnish, it's the traffic that gets through varnish that may be
harmful.

* False positives are always a risk - I'd like actual rate-limiting,
not permanent blocking of "harmful" IPs.

* The backend should not be involved.

I've attempted setting this up in varnish but without success so far,
so I'm considering to let fail2ban take care of the rate-limiting logic here.

Has anyone ventured down this lane before?  Specifically, has anyone
been playing with fail2ban and varnish before?  Is fail2ban the right
tool to use?  (The alternative seems to be to write up a "varnish
module" for rate-limiting)