Apache DoS - is Varnish affected?
Fabian Keil
freebsd-listen at fabiankeil.de
Fri Jun 19 20:07:01 CEST 2009
"Poul-Henning Kamp" <phk at phk.freebsd.dk> wrote:
> In message <4A3BA393.3010306 at loman.net>, Nick Loman writes:
> >I would guess that Varnish isn't affected by this, but does anyone know
> >for sure? Does Varnish protect against this attack in all cases if you
> >have Apache as your backend?
> >
> >http://isc.sans.org/diary.html?storyid=6601
>
> Varnish will abandon the connection after a fixed number of header
> lines.
>
> This attack is more or less exactly _why_ varnish has a fixed limit
> on HTTP headers.
>
> I won't claim that varnish is imune, but the impact should be manageable.
>
> Systems using "http accept filters" (FreeBSD possibly others) the Varnish
> (or apache) will never even see these connections in the first place.
Actually I think accf_http(9) would only delay the attack.
While the man page doesn't mention it, accf_http passes
incomplete requests to the userland if its buffer is full.
Fabian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://projects.linpro.no/pipermail/varnish-misc/attachments/20090619/c0bb945a/attachment.pgp
More information about the varnish-misc
mailing list