HAProxy tarpit rate-limiting exhausts connection slots under sustained flood
critical | Connection Management | Updated Nov 3, 2025
How to detect:
HAProxy configured with 'tarpit' rate-limiting receives a sustained 300 requests/second from a single client. The tarpit method holds each connection open for the wait period (1 second), but does not slow down clients that make parallel requests. Load balancers hit their connection count limits and reject legitimate requests, causing cascading failures across the remaining load balancers.
Recommended action:
Switch HAProxy rate-limiting from the 'tarpit' method to the 'deny' method (http-request deny) so that HTTP 429 is returned immediately without tying up connection slots. Identify and block offending IP addresses using the 'reject' method. Increase the maxconn parameter to provide breathing room. Add alerting on active HAProxy frontend sessions, with the alert threshold set well below maxconn.
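
The recommended change as an added configuration example (not taken from the affected deployment), with the tarpit rule shown commented out beside its deny replacement. The frontend and backend names, the rate threshold and window, the maxconn values, the blocklist path and the backend address are all assumptions to adapt.

```haproxy
global
    # Assumed value; size it to available memory and file-descriptor limits.
    maxconn 20000

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # The 1-second hold applied to every tarpitted request.
    timeout tarpit  1s

frontend fe_web
    bind :80
    # Assumed per-frontend ceiling, kept below the global maxconn.
    maxconn 10000

    # Known offenders are refused at connection accept, before any HTTP parsing.
    # The file holds one IP or CIDR per line and must exist at startup.
    tcp-request connection reject if { src -f /etc/haproxy/blocklist.lst }

    # Track the per-source request rate (10s window and table size are assumed).
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src

    # Before: each over-limit request keeps its connection slot for "timeout tarpit",
    # so a client sending requests in parallel holds many slots at once.
    # http-request tarpit if { sc_http_req_rate(0) gt 100 }

    # After: answer 429 at once, so the request is not held for the tarpit delay.
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }

    default_backend be_app

backend be_app
    # Placeholder address from the documentation range.
    server app1 192.0.2.10:8080 check
```

Validate the edited file with `haproxy -c -f <config file>` before reloading.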