varnish 2.15 - possible security exploit?

Mike Franon kongfranon at gmail.com
Tue Feb 22 16:01:48 CET 2011


Thank you Per Buer, and Stefan,


That is what I thought but just wanted to double-check.

At least I know the varnish servers can handle the load to help offset
a DDOS attack.  Before varnish, if we ever got above 100 req/sec our
apache servers would not respond.  But we are still trying to figure
out ways of stopping it, which is really tough, since they are hitting
our home page directly, and we cannot block that request, we have
blocked at the F5 level, top 20 ip address, hostname and user-agents.

Thanks again,
Mike


On Tue, Feb 22, 2011 at 9:22 AM, Stefan Pommerening <pom at dmsp.de> wrote:
> Am 22.02.2011 15:10, schrieb Mike Franon:
>>
>> The reason why I am thinking that some sort of exploit might be going
>> on is, looking at the varnish logs I was seeing some url's for domains
>> we do not even own.  I am not sure how get requests are coming through
>> for not our own domain's?  Majority of get are for us, but 10% or so
>> are not
>
> Varnish is generally only logging the host header of the http requests. You
> can easily connect to some server using its ip address and transfer some
> random host header for the http request itself. This can be easily done by
> using wget or telnet for example. I am using this regularly for testing
> purposes when updating some configuration on vhosts or stuff.
>
> Therefore the strange domain names have nothing to do with some security
> exploit, but this is simply another layer of connectiviy.
>
> Stefan
>
> --
>
> *Dipl.-Inform. Stefan Pommerening
> Informatik-Büro: IT-Dienste & Projekte, Consulting & Coaching*
> http://www.dmsp.de <http://www.dmsp.de/>
>
>
>



More information about the varnish-misc mailing list