[squid-users] tarpit, silent-drop vs. DDoS ?

Alex Rousskov rousskov at measurement-factory.com
Tue Jun 8 14:31:20 UTC 2021


On 6/8/21 9:43 AM, Jim Freeman wrote:
> I've scoured docs and Google for DDoS/security mechanisms, and hope I
> have the lay of the land.
> 
> But I've not yet seen anything mentioned like HAProxy's
> tarpit/silent-drop mechanisms:
> https://cbonte.github.io/haproxy-dconv/2.2/configuration.html#4.2-http-request%20tarpit
>  ... blocks the request without responding for a delay specified ...
> https://cbonte.github.io/haproxy-dconv/2.2/configuration.html#4.2-http-request%20silent-drop
>  ... can resist much higher loads than "tarpit", and slow down
> stronger attackers. ...
> 
> Does anyone have these kinds of countermeasures in play with squid?

Squid supports resetting the TCP connection instead of delivering an
error page (look for "TCP_RESET" and "ssl_bump terminate" in
squid.conf.documented). An artificial delay can be created by a simple
external ACL (and, if such delays are popular, we can add a new built-in
ACL type). In your particular use case, the http_access directive can
probably be used to tie TCP_RESET and delay logic together.

Alex.
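The combination Alex describes, an external ACL helper that sleeps before matching and an http_access deny whose deny_info is TCP_RESET, as an added example that is not from this thread or the Squid project; the flagged networks, the 10-second delay and the squid.conf lines in the docstring are assumptions:

```python
#!/usr/bin/env python3
"""Squid external ACL helper: delay, then TCP-reset, flagged clients.

Assumed squid.conf wiring (constructed for this example; check the options
against your version's squid.conf.documented):

  external_acl_type tarpit ttl=0 negative_ttl=0 children-max=32 %SRC /usr/local/bin/tarpit_helper.py
  acl tarpit external tarpit
  http_access deny tarpit
  deny_info TCP_RESET tarpit

Squid writes one "<client-ip>" line per lookup; the helper replies "OK"
(ACL matches: denied, connection reset after the delay) or "ERR" (no
match: request proceeds). ttl=0 stops Squid caching the verdict, so every
request from a flagged source pays the delay again.
"""
import ipaddress
import sys
import time

# Constructed policy: networks some other process has flagged as abusive.
TARPIT_SOURCES = [ipaddress.ip_network("198.51.100.0/24"),
                  ipaddress.ip_network("203.0.113.7/32")]
DELAY_SECONDS = 10.0  # a sleeping child is busy this long: size children-max


def decide(line, sleep=time.sleep):
    """Map one request line from Squid to the helper's reply line.

    Unparseable input yields "BH" (helper failure), so Squid treats the
    lookup as broken instead of silently letting the request through."""
    try:
        src = ipaddress.ip_address(line.strip())
    except ValueError:
        return "BH"
    if not any(src in net for net in TARPIT_SOURCES):
        return "ERR"
    sleep(DELAY_SECONDS)  # the tarpit: hold the request before the reset
    return "OK"


def main():
    # Flush after every reply: Squid waits for a complete line per lookup.
    for raw in sys.stdin:
        sys.stdout.write(decide(raw) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Each helper child blocks for the whole delay, so children-max bounds how many clients can be tarpitted at once; a low ttl is what makes the delay apply per request rather than once per cached verdict.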

