P2-09 — DDoS protection: rate limiting and connection throttling #176

@bihius

Summary

Implement DDoS mitigation at the HAProxy layer via configurable rate limiting, connection throttling, and automatic IP banning.

Motivation

Volumetric and low-rate application-layer attacks are the most common threat faced by publicly exposed services. Enforcing limits at the HAProxy ingress layer is cheaper than letting traffic reach upstream applications and is a natural fit for a guard-proxy product.

Proposed scope

Rate limiting (request rate)

  • Per-source-IP request-rate limit using HAProxy stick-table with http_req_rate counter.
  • Configurable window (e.g. 10 s) and threshold (e.g. 100 req / window).
  • Requests exceeding the threshold receive 429 Too Many Requests.

Connection throttling

  • Per-source-IP concurrent connection limit (conn_cur).
  • Global connection queue limit to protect against connection exhaustion.

Automatic IP banning

  • After N consecutive limit violations within a configurable period, the source IP is added to a ban table.
  • Ban duration is configurable (default: 5 minutes).
  • Admin can view and manually release banned IPs via the API/UI.

Slow-loris / incomplete-request protection

  • Set timeout http-request and timeout client conservatively.
  • Optionally enforce minimum request rate (http_req_rate over very short window).

Admin UI & API

  • Per-rule DDoS settings: enable/disable, rate limit threshold, connection limit, ban threshold, ban duration.
  • Dashboard widget showing currently banned IPs and real-time request rates (future: integrate with metrics endpoint).

Alerting hook (stretch goal)

  • Emit a webhook or log event when an IP is auto-banned, so external SIEM/alerting systems can react.

Out of scope

  • Deep packet inspection
  • Anycast / BGP blackholing
  • Full WAF rule sets (tracked separately under area/waf)

Acceptance criteria

  • Rate-limit and connection-throttle knobs are stored in the data model and exposed via API
  • Config generator produces valid HAProxy stick-table and ACL blocks
  • haproxy -c passes on generated config
  • Ban list is visible and manageable in the admin UI
  • Unit tests cover config generation for all throttle modes
  • Integration tests cover API endpoints for DDoS settings
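
One way the config generator named in the acceptance criteria could render these knobs, as an added example that is not the project's code. The `DdosSettings` fields, the `render_ddos_config` function, the table names, the `ipv6` key type and the `100k` table size are assumptions, and a "violation" is counted here as each over-limit request within `ban_period_s`.

```python
import re
from dataclasses import asdict, dataclass

@dataclass(frozen=True)
class DdosSettings:
    """Hypothetical per-rule knobs (names are assumptions, not the project's schema)."""
    rate_window_s: int = 10
    rate_threshold: int = 100
    conn_limit: int = 20
    ban_threshold: int = 5
    ban_period_s: int = 60
    ban_duration_s: int = 300
    http_request_timeout_s: int = 5

def render_ddos_config(rule: str, bind: str, s: DdosSettings) -> str:
    # These values arrive through the API: reject anything that could smuggle
    # whitespace, newlines or extra directives into the generated file.
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", rule):
        raise ValueError("invalid rule name")
    if not re.fullmatch(r"[0-9A-Fa-f:.*\[\]]*:[0-9]{1,5}", bind):
        raise ValueError("invalid bind address")
    for key, value in asdict(s).items():
        if type(value) is not int or not 1 <= value <= 1_000_000:
            raise ValueError(f"{key} must be an integer in 1..1000000")
    rates, bans = f"st_{rule}_rates", f"st_{rule}_bans"
    keep = max(s.rate_window_s, s.ban_period_s)  # entry must outlive both windows
    return f"""\
backend {rates}
    stick-table type ipv6 size 100k expire {keep}s store http_req_rate({s.rate_window_s}s),conn_cur,gpc0,gpc0_rate({s.ban_period_s}s)

backend {bans}
    stick-table type ipv6 size 100k expire {s.ban_duration_s}s store gpc0

frontend fe_{rule}
    bind {bind}
    timeout http-request {s.http_request_timeout_s}s
    tcp-request connection reject if {{ src_get_gpc0({bans}) gt 0 }}
    tcp-request connection track-sc0 src table {rates}
    tcp-request connection reject if {{ sc_conn_cur(0) gt {s.conn_limit} }}
    acl over_rate sc_http_req_rate(0) gt {s.rate_threshold}
    acl ban_now sc_gpc0_rate(0) ge {s.ban_threshold}
    http-request sc-inc-gpc0(0) if over_rate
    http-request track-sc1 src table {bans} if over_rate ban_now
    http-request sc-inc-gpc0(1) if over_rate ban_now
    http-request deny deny_status 429 if over_rate
"""
```

The output is a fragment: it omits `default_backend` and the remaining timeouts, so the `haproxy -c` check from the acceptance criteria applies to the merged configuration file.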

Labels

  • area/backend: FastAPI, SQLAlchemy, services, API
  • area/devops: Docker, Compose, CI, deployment
  • p2-post-mvp: Nice to have, deferred