For the first example that looks good to catch scanners and the like, though it ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		idealhavoc on Nov 9, 2018 \| parent \| context \| favorite \| on: Application-Layer DDoS Attack Protection with HAPr... For the first example that looks good to catch scanners and the like, though it needs an "http-response track-sc0 src" or nothing will get stored in the stick table. The second example it looks good; since there aren't any regexes in there the ip/substring/end lookups are quite CPU friendly so shouldn't have a large impact even at higher request rates (IP ACL files notably get loaded into a binary tree format and take next to no CPU work to check for a match even with millions of IP's).

Bender on Nov 12, 2018 | [–]

Ah yes, I left off the track-sc0 from my config. Good catch. I tried to stay away from regex or long strings. Ty for verifying that it looks ok.

bedis9 on Nov 11, 2018 | [–]

Partially true. Sub matching is stored in chained lists and could take some CPU if improperly used

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact