https://www.haproxy.com/blog/application-layer-ddos-attack-protection-with-haproxy/
Protecting TCP (non-HTTP) Services
So far, we’ve primarily covered protecting web servers. However, HAProxy can also help protect other TCP-based services such as SSH, SMTP, and FTP. The first step is to set up a stick-table that tracks conn_cur (the number of connections a source currently has open) and conn_rate (the rate at which it opens new ones):
# Table-only section: declared as a backend because it has no bind line
backend per_ip_connections
    stick-table type ip size 1m expire 1m store conn_cur,conn_rate(1m)
Next, create or modify a frontend to use this table by adding track and reject rules:
frontend fe_smtp
    mode tcp
    bind :25
    option tcplog
    timeout client 1m
    tcp-request content track-sc0 src table per_ip_connections
    tcp-request content reject if { sc_conn_cur(0) gt 1 } || { sc_conn_rate(0) gt 5 }
    default_backend be_smtp
With the usual backend:
backend be_smtp
    mode tcp
    timeout server 1m
    option tcp-check  # For SMTP specifically, smtpchk can be used
    server smtp1 162.216.18.221:25 maxconn 50 check
Now, each client can establish one SMTP connection at a time. If a client tries to open a second one while the first is still open, the new connection is closed immediately. The same rule also rejects a source whose connection rate over the last minute exceeds five.
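To see which sources are hitting these limits, the table can be dumped through the HAProxy Runtime API with "show table per_ip_connections" (this needs a stats socket enabled in the global section). The following is an added example, not code from the original article: it parses that output and lists the entries whose counters match the reject condition. The function names are hypothetical and the sample output is constructed.

```python
import re

# Thresholds mirror the reject rule in fe_smtp.
MAX_CONN_CUR = 1
MAX_CONN_RATE = 5

# Constructed sample output (documentation-range addresses, not real data).
SAMPLE = """\
# table: per_ip_connections, type: ip, size:1048576, used:3
0x55d0e8a3c0e8: key=192.0.2.10 use=1 exp=59120 conn_rate(60000)=1 conn_cur=1
0x55d0e8a3c1a0: key=198.51.100.7 use=2 exp=59980 conn_rate(60000)=9 conn_cur=2
0x55d0e8a3c258: key=203.0.113.44 use=0 exp=12045 conn_rate(60000)=6 conn_cur=0
"""

ENTRY = re.compile(r"^0x[0-9a-fA-F]+:\s+(.*)$")

def parse_table(text):
    """Return one dict per entry line; the header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        entry = {}
        for token in m.group(1).split():
            name, sep, value = token.partition("=")
            name = name.split("(", 1)[0]  # conn_rate(60000) -> conn_rate
            if sep:
                entry[name] = int(value) if value.isdigit() else value
        entries.append(entry)
    return entries

def over_limit(entries):
    """Map each source whose counters match the reject condition to the reasons."""
    flagged = {}
    for e in entries:
        reasons = []
        if e.get("conn_cur", 0) > MAX_CONN_CUR:
            reasons.append(f"conn_cur={e['conn_cur']}")
        if e.get("conn_rate", 0) > MAX_CONN_RATE:
            reasons.append(f"conn_rate={e['conn_rate']}")
        if reasons:
            flagged[e.get("key")] = reasons
    return flagged

if __name__ == "__main__":
    for ip, reasons in over_limit(parse_table(SAMPLE)).items():
        print(ip, ", ".join(reasons))
```

Connections that HAProxy rejects still count toward conn_rate, so a source that keeps retrying stays visible in the table until its entry expires.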