Say you have just finished implementing a spam detection mechanism in your popular web service and started responding with HTTP 403 to spam queries.
This took the load off your database servers, but the sheer volume of abusive queries still keeps your web servers busy.
You decided to use HAProxy as your spam guard and block a source IP once its rate of HTTP errors (4xx responses, HTTP 403 included, which is what HAProxy's http_err_rate counter measures) goes above 600 per minute (10 per second on average).
Here is how you did it:
frontend fe_web
    bind 11.22.33.44:80
    stick-table type ip size 500k expire 2m store http_err_rate(60s)
    tcp-request connection reject if { src_http_err_rate gt 600 }
    tcp-request connection track-sc1 src
    default_backend be_web

backend be_web
    server web1 192.168.1.1:80
    server web2 192.168.1.2:80
    server web3 192.168.1.3:80

The stick table keeps one entry per source IP (up to 500k of them, each dropped after 2 minutes without an update) holding that source's HTTP error rate over a 60-second period. Every new connection is checked against the table first and rejected at the TCP level, before any HTTP parsing, if its source is already above 600 errors per minute; otherwise the source is tracked, so its subsequent 4xx responses update the counter. Because the key is the client's source address, all clients behind one NAT or forward proxy share a single counter, and if HAProxy itself sits behind another proxy, src is that proxy's address rather than the client's.
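To see how the two rules behave over time, here is a small Python model of the stick table and the rule ordering. It is example code added for this page, not HAProxy's implementation and not from the original post. The rolling counter is modelled on HAProxy's two-bucket frequency counter and its exact arithmetic is an assumption; the source addresses, the httplog lines and the 650-request burst are constructed. It replays a burst of 403-answered requests and a handful of log lines and reports which connections the rule would reject.

```python
import re
from dataclasses import dataclass
from datetime import datetime

PERIOD = 60.0   # store http_err_rate(60s), from the fe_web configuration above
LIMIT = 600     # src_http_err_rate gt 600
EXPIRE = 120.0  # expire 2m

@dataclass
class FreqCtr:
    """Rolling-period counter modelled on HAProxy's two-bucket freq counter
    (assumption: the real implementation's exact arithmetic differs in detail)."""
    period: float
    start: float = 0.0  # start of the current period
    curr: int = 0       # events in the current period
    prev: int = 0       # events in the previous period

    def _rotate(self, now):
        elapsed = now - self.start
        if elapsed >= 2 * self.period:  # both buckets are stale
            self.start, self.curr, self.prev = now, 0, 0
        elif elapsed >= self.period:    # the current period has ended
            self.start += self.period
            self.prev, self.curr = self.curr, 0

    def add(self, now):
        self._rotate(now)
        self.curr += 1

    def rate(self, now):
        """Events per period: the current bucket plus the share of the previous
        bucket that still falls inside the sliding window."""
        self._rotate(now)
        remaining = self.period - (now - self.start)
        return self.curr + self.prev * remaining / self.period

class StickTable:
    """stick-table type ip size 500k expire 2m store http_err_rate(60s)"""
    def __init__(self, period=PERIOD, expire=EXPIRE):
        self.period, self.expire = period, expire
        self.entries = {}  # source ip -> [time of last update, FreqCtr]

    def lookup(self, ip, now):
        entry = self.entries.get(ip)
        if entry is not None and now - entry[0] >= self.expire:
            del self.entries[ip]  # expire 2m: idle entries are dropped
            entry = None
        return entry

    def track(self, ip, now):
        """track-sc1 src: create or refresh the entry for this source."""
        entry = self.lookup(ip, now)
        if entry is None:
            entry = self.entries[ip] = [now, FreqCtr(self.period, start=now)]
        entry[0] = now
        return entry

    def http_err_rate(self, ip, now):
        """src_http_err_rate: 0 for a source that is not in the table."""
        entry = self.lookup(ip, now)
        return entry[1].rate(now) if entry else 0.0

def handle(table, ip, now, status, limit=LIMIT):
    """Apply the two frontend rules in order: reject a source that is already over
    the limit, otherwise track it and count a 4xx response as an HTTP error."""
    if table.http_err_rate(ip, now) > limit:  # tcp-request connection reject if { ... }
        return "reject"
    entry = table.track(ip, now)  # tcp-request connection track-sc1 src
    if 400 <= status < 500:       # http_err_rate counts 4xx responses, 403 included
        entry[1].add(now)
    return "accept"

def replay(events, limit=LIMIT):
    """Feed (source ip, unix time, status) events through a fresh table; one decision each."""
    table = StickTable()
    return [handle(table, ip, t, status, limit) for ip, t, status in events]

# httplog line: "<ip>:<port> [<date>] <frontend> <backend>/<server> <timers> <status> ..."
LOG_RE = re.compile(r"(?P<ip>\d+(?:\.\d+){3}):\d+ \[(?P<ts>[^\]]+)\] \S+ \S+ \S+ (?P<status>-?\d+) ")

def parse_log_line(line):
    """Extract (source ip, unix time, status code) from an HAProxy httplog line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not an httplog line: " + line)
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S.%f").timestamp()
    return m.group("ip"), ts, int(m.group("status"))

def spam_burst(ip="198.51.100.7", n=650, duration=30.0):
    """Constructed traffic: n spam requests answered with 403, spread over `duration` seconds."""
    return [(ip, i * duration / n, 403) for i in range(n)]

SAMPLE_LOG = [  # constructed httplog lines, not real traffic
    '198.51.100.7:51234 [01/Mar/2012:10:00:00.100] fe_web be_web/web1 2/0/1/3/6 403 180 - - ---- 1/1/0/0/0 0/0 "POST /comment HTTP/1.1"',
    '198.51.100.7:51235 [01/Mar/2012:10:00:00.400] fe_web be_web/web2 1/0/1/2/4 403 180 - - ---- 1/1/0/0/0 0/0 "POST /comment HTTP/1.1"',
    '198.51.100.7:51236 [01/Mar/2012:10:00:00.700] fe_web be_web/web3 1/0/1/2/4 403 180 - - ---- 1/1/0/0/0 0/0 "POST /comment HTTP/1.1"',
    '192.0.2.10:40001 [01/Mar/2012:10:00:01.000] fe_web be_web/web1 3/0/2/40/45 200 5120 - - ---- 1/1/0/0/0 0/0 "GET /index.html HTTP/1.1"',
]
```

Running replay(spam_burst()) accepts the first 601 requests (the 601st is the one that pushes the counter past 600) and rejects the remaining 49; a further request from the same source at t = 100 s is accepted again, because only a third of the previous period still overlaps the window and the estimated rate has decayed to about 200. Two details worth noticing: a lookup for a source that is not in the table returns 0, so a brand-new source always gets its first connections through, and the reject rule runs before track-sc1, so rejected connections neither refresh the entry nor count as errors, which means a blocked source drops out of the table two minutes after its last accepted connection. Replaying SAMPLE_LOG with limit=1 shows the same ordering on parsed log lines: the third 403 from 198.51.100.7 is rejected while the unrelated 200 from 192.0.2.10 is not.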
With HAProxy you can reject or slow down HTTP requests based on other criteria as well, such as
- total connection/session/http_request/http_error/bytes_in/bytes_out count
- number of current connections
- connection/session/http_request/http_error/bytes_in/bytes_out rate over a specific period
Check http://blog.exceliance.fr/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/ for inspiration.