On 6/8/21 9:43 AM, Jim Freeman wrote:
> I've scoured docs and Google for DDoS/security mechanisms, and hope I
> have the lay of the land.
>
> But I've not yet seen anything mentioned like HAProxy's
> tarpit/silent-drop mechanisms :
> https://cbonte.github.io/haproxy-dconv/2.2/configuration.html#4.2-http-request%20tarpit
> ... blocks the request without responding for a delay specified ...
> https://cbonte.github.io/haproxy-dconv/2.2/configuration.html#4.2-http-request%20silent-drop
> ... can resist much higher loads than "tarpit", and slow down
> stronger attackers. ...
>
> Does anyone have these kinds of countermeasures in play with squid ?

Squid supports resetting the TCP connection instead of delivering an
error page (look for "TCP_RESET" and "ssl_bump terminate" in
squid.conf.documented).

An artificial delay can be created by a simple external ACL (and, if
such delays are popular, we can add a new built-in ACL type).

In your particular use case, the http_access directive can probably be
used to tie TCP_RESET and delay logic together.

Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
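
One way to build the delay-then-reset combination described in the reply above, as an added example that is not code from the thread or from the Squid project: an external ACL helper that holds each lookup for a fixed time and then matches, so that the http_access deny line ending in that ACL triggers deny_info TCP_RESET. The helper path, the ACL names (tarpit, suspects, delayed), the 192.0.2.0/24 source range and the 5 second delay are assumptions chosen for illustration.

```python
#!/usr/bin/env python3
# Squid external ACL helper: hold each lookup for `delay` seconds, then match.
# Assumed squid.conf wiring (names, path, network and 5 s delay are illustrative):
#   external_acl_type tarpit ttl=0 negative_ttl=0 concurrency=100 %SRC /usr/local/bin/tarpit_helper.py 5
#   acl suspects src 192.0.2.0/24
#   acl delayed external tarpit
#   http_access deny suspects delayed
#   deny_info TCP_RESET delayed
import sys
import threading


def parse_request(line):
    """Split a concurrent request 'channel-ID SP args' into (channel, args)."""
    channel, _, args = line.strip().partition(" ")
    if not channel.isdigit():
        raise ValueError("no channel-ID; is concurrency= set?")
    return channel, args


def serve(inp, out, delay):
    """Reply '<channel-ID> OK' to every request, `delay` seconds after it arrives."""
    lock = threading.Lock()
    timers = []

    def reply(text):
        with lock:  # replies come from timer threads; keep lines intact
            out.write(text + "\n")
            out.flush()

    for line in inp:
        if not line.strip():
            continue
        try:
            channel, _src = parse_request(line)
        except ValueError:
            reply("ERR")  # no match: the deny rule is skipped for this request
            continue
        # One timer per request, so a held lookup never blocks the next one.
        timer = threading.Timer(delay, reply, args=(f"{channel} OK",))
        timer.start()
        timers = [t for t in timers if t.is_alive()] + [timer]
    for t in timers:  # stdin closed (Squid shutting down): finish pending replies
        t.join()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout, float(sys.argv[1]) if len(sys.argv) > 1 else 5.0)
```

ttl=0 and negative_ttl=0 keep Squid from caching the helper's answer, so every request from a matching client is delayed rather than only the first. Each held request still occupies a client connection and a helper channel on the proxy for the length of the delay, so size concurrency= and the delay with that cost in mind.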