https://www.haproxy.com/blog/application-layer-ddos-attack-protection-with-haproxy/
Protecting TCP (non-HTTP) Services
So far, we’ve primarily covered protecting web servers. However, HAProxy can also help in protecting other TCP-based services such as SSH, SMTP, and FTP. The first step is to set up a stick-table that tracks conn_cur and conn_rate:
    frontend per_ip_connections
        stick-table type ip size 1m expire 1m store conn_cur,conn_rate(1m)
Next, create or modify a frontend to use this table by adding track and reject rules:
    frontend fe_smtp
        mode tcp
        bind :25
        option tcplog
        timeout client 1m
        tcp-request content track-sc0 src table per_ip_connections
        tcp-request content reject if { sc_conn_cur(0) gt 1 } || { sc_conn_rate(0) gt 5 }
        default_backend be_smtp
With the usual backend:
    backend be_smtp
        mode tcp
        timeout server 1m
        option tcp-check
        # For SMTP specifically, smtpchk can be used
        server smtp1 162.216.18.221:25 maxconn 50 check
Now, each client can hold only one SMTP connection at a time. If they try to open a second one while the first is still open, the new connection is immediately closed again; the same happens once a client has opened more than five connections within a minute.
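To see how the two counters interact, here is an added simulation of the per-IP stick-table logic from the configuration above. It is constructed example code, not HAProxy's implementation: conn_cur is modelled as a simple open-connection count, and conn_rate(1m) as a plain sliding-window count of connection openings in the last 60 seconds (an approximation of HAProxy's frequency counter). The track rule runs before the reject rule, as in the frontend, so a rejected connection still counts toward the rate. The client addresses and event timeline are constructed sample data.

```python
"""Constructed model of the per-IP stick-table used by fe_smtp (example code,
not part of HAProxy). It shows which connection attempts the rule
    tcp-request content reject if { sc_conn_cur(0) gt 1 } || { sc_conn_rate(0) gt 5 }
would reject for a given sequence of open/close events."""
from collections import defaultdict, deque


class PerIpStickTable:
    """Models `stick-table type ip ... store conn_cur,conn_rate(1m)`."""

    def __init__(self, rate_period=60.0, max_cur=1, max_rate=5):
        self.rate_period = rate_period          # the (1m) window of conn_rate
        self.max_cur = max_cur                  # sc_conn_cur(0) gt 1
        self.max_rate = max_rate                # sc_conn_rate(0) gt 5
        self.conn_cur = defaultdict(int)        # open connections per source IP
        self.conn_times = defaultdict(deque)    # open timestamps per IP (sliding window)

    def conn_rate(self, ip, now):
        # Approximation: count openings inside the trailing window, dropping
        # anything older than rate_period seconds.
        times = self.conn_times[ip]
        while times and times[0] <= now - self.rate_period:
            times.popleft()
        return len(times)

    def track(self, ip, now):
        # Equivalent of `tcp-request content track-sc0 src table per_ip_connections`:
        # the new connection itself is counted in both conn_cur and conn_rate.
        self.conn_cur[ip] += 1
        self.conn_times[ip].append(now)

    def reject_acl(self, ip, now):
        # `{ sc_conn_cur(0) gt 1 } || { sc_conn_rate(0) gt 5 }`
        return (self.conn_cur[ip] > self.max_cur
                or self.conn_rate(ip, now) > self.max_rate)

    def close(self, ip):
        # Session ended: conn_cur drops, the rate entry stays until it expires.
        self.conn_cur[ip] -= 1

    def open_connection(self, ip, now):
        """Return True if the connection is accepted, False if rejected."""
        self.track(ip, now)
        if self.reject_acl(ip, now):
            self.close(ip)   # rejected connection is torn down immediately
            return False
        return True


def simulate(events, **table_kwargs):
    """Run (time, ip, 'open'|'close') events; return (time, ip, decision) per open."""
    table = PerIpStickTable(**table_kwargs)
    decisions = []
    for t, ip, action in events:
        if action == "open":
            accepted = table.open_connection(ip, t)
            decisions.append((t, ip, "accept" if accepted else "reject"))
        elif action == "close":
            table.close(ip)
        else:
            raise ValueError(f"unknown action {action!r}")
    return decisions


# Constructed timeline (seconds, source IP, action). Client A tries a second
# concurrent connection; client B opens and closes connections quickly.
SAMPLE_EVENTS = [
    (0, "203.0.113.10", "open"),    # A: first connection, accepted
    (1, "203.0.113.10", "open"),    # A: second while first open -> conn_cur 2 -> reject
    (2, "203.0.113.10", "close"),   # A: closes the first
    (3, "203.0.113.10", "open"),    # A: conn_cur back to 1, rate 3 -> accept
    (10, "198.51.100.7", "open"), (10, "198.51.100.7", "close"),
    (11, "198.51.100.7", "open"), (11, "198.51.100.7", "close"),
    (12, "198.51.100.7", "open"), (12, "198.51.100.7", "close"),
    (13, "198.51.100.7", "open"), (13, "198.51.100.7", "close"),
    (14, "198.51.100.7", "open"), (14, "198.51.100.7", "close"),   # 5th in a minute, still ok
    (15, "198.51.100.7", "open"),                                  # 6th -> rate 6 -> reject
    (80, "198.51.100.7", "open"),                                  # window expired -> accept
]


def sample_decisions():
    return [d[2] for d in simulate(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for t, ip, decision in simulate(SAMPLE_EVENTS):
        print(f"t={t:>3}s {ip:<14} {decision}")
```

Running the script prints one decision per connection attempt: client A's second concurrent connection and client B's sixth connection within the minute are rejected, while B is accepted again once its earlier openings have aged out of the one-minute window. The model also makes visible why a client that keeps retrying after a rejection stays blocked: every attempt, accepted or not, is tracked and therefore adds to conn_rate.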