
Hi lil puppies what's your problem?

*proxy vomits*

Have you eaten something wrong....

*proxy happily eats requests and answers correctly*

Hm... Seems like you are...

*proxy vomits a dozen requests at once*

... Not okay.

Ok.... What did you get fed, you lil hellspawn.

TLS handshake error.

Thousands. Of. TLS. Handshake. Errors.

*checking autonomous system information*

Yeah... Requests come from the same IP or AS. Someone is actively bombing TLS requests on the TLS terminator.

Wrong / outdated TLS requests.

Let's block the IP addresses....

*Pats HAProxy on the head*

*Gets more vomit as a thank you no sir*

I've now added a list of roughly 320 IP addresses in 4 h to an actively running HAProxy in INet as some Chinese fuckers seemingly find it funny to DDOS with TLS 1.0... or Invalid HTTP Requests... Or Upgrade Headers...

Seriously. I want a fucking weekend you bastards. Shove your communism up your arse if you wanna have some illegal fun. ;)
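An HAProxy configuration that does what the post describes (a file-based IP blocklist on the TLS terminator, a floor on the accepted TLS version, and per-source connection-rate limiting), as an added example that is not the author's own config; file paths, backend addresses and the rate threshold are assumptions.

```haproxy
# Added example (not the original post's configuration). Paths, addresses
# and thresholds below are assumptions; adjust them to the deployment.
global
    # Runtime API, used to extend the blocklist without a reload.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    # Refuse TLS 1.0/1.1 handshakes on every ssl bind line.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_tls
    bind :443 ssl crt /etc/haproxy/certs/site.pem

    # Reject blocklisted sources at TCP accept time, before any TLS
    # negotiation. One IP or CIDR per line in the list file. New entries
    # can be pushed at runtime through the stats socket, e.g.:
    #   echo "add acl /etc/haproxy/blocklist.lst 203.0.113.7" | socat stdio /run/haproxy/admin.sock
    acl blocked src -f /etc/haproxy/blocklist.lst
    tcp-request connection reject if blocked

    # Track connection rate per source IP and drop sources that open more
    # than 100 connections in 10 seconds. The threshold is an assumption:
    # set it high enough that legitimate clients behind a shared NAT are
    # not caught, since the post notes that blind blocking is risky.
    stick-table type ip size 100k expire 60s store conn_rate(10s)
    tcp-request connection track-sc0 src
    tcp-request connection reject if { sc_conn_rate(0) gt 100 }

    default_backend be_app

backend be_app
    server app1 10.0.0.10:8080 check
```

Rejected connections still show up in the HAProxy logs, so the rate counters and the blocklist can be reviewed before tightening them further.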

Comments
  • 6
    Stuff like this is why I've set up really aggressive fail2ban filters. Trying to stop my server from responding to DDOS traffic as early as possible.
  • 2
    Have you considered a country block, and if that gets you flak, maybe a user-agent block? Mostly I find that solves it for me. If not, you could always try deprecating old TLS versions. Regardless, good luck and you can always try to block on JA3 signatures.
  • 2
    Thing is that this is a TLS terminator for a larger web app instance.

    I cannot block IPs _easily_. I could do fail2ban but I think it's very risky.

    As the TLS auth dies in negotiation or - other attack pattern - they try to send TCP requests to HAProxy instead of HTTP requests it's hard to mitigate.

    I've changed some stuff in Cloudflare like @arcsector recommended to bump the MIN TLS version, but - as we have clients even in China - blocking blindly / automated is very risky.

    JA3 sounds interesting.
  • 0
    @IntrusionCM Just add a slow down filter to send a packet every sec for bad connections.
  • 0
    @magicMirror ?!

    Me no comprends.
  • 0
  • 0
    @magicMirror what has SSH to do with a proxy?
  • 0
    @IntrusionCM the idea. not the tool....

    just don't hang up on them. keep the connection open by slowly sending them a packet every second....
  • 1
    @magicMirror Ehm.

    This is like the worst idea ever in a proxy.
  • 1
    @IntrusionCM RE: JA3, there's not a whole lot that is extremely sophisticated about JA3, however it could be a nice broad stroke correlation tool with which you could match each incoming connection and block offenders matching a profile.

    I personally use a Zeek/Bro TAP on the wire to capture this info, but you could always use it on your HAProxy hosts and make the decisions either locally or centrally with Elastic or whatever you would use to store Zeek logs.
  • 0
    @arcsector never heard of Zeek or Bro before.

    Sounds interesting but complicated.

    I'm entirely lacking in HTTP security / Net security, used to PCAP / Netflow