varnish-cache also down, maybe a slow-loris variation attack?

Tu Pham Ngoc phamngoctuuk at
Sat Aug 28 19:16:20 CEST 2010

Hi everybody,

I have experienced "buggies" or some kind of slowlori variation attack with
my varnish server two times in 24 hours ago.
One IP could open and hold thousands of connection in CLOSE_WAIT state to my
varnish. And it make thousand of connections to php & mysql being hold too.
The result is my system is out of resource, the web browser is barely
received information from front-end.

In the first wave, I think it just a bug, and tried to restart varnish, php
then everything was fine, system came back to normal state with hundreds MB
RAM freed.

In the second wave, when I notice the front-end could not server client
request. I login to SSH, I saw 60 thousands of CLOSE_WAIT connections.
Repeat my previous process, restart varnish, php, there still 20-30k
connections hold and more to come. I have to turn varnish off and change the
front end to nginx dev version. After that everything is fine.

I also tried to check for update infor. & maybe a solution
but it seems that also has some problem too. I wonder if
there are attacks target to varnish with some exploit 0 day bug. It really
similar to famous slowloris attack.

Rightnow, my production webserver is fine with nginx and I could keep it
running for long. But I hope my information could help if there is a bug or
an exploit attack.

Best regards,
Tu Pham Ngoc
Skype: phamngoctuuk
YM/MSN: phamngoctuuk at
HP: +84 90 446 1132
Anh Ngoc Co., Ltd.
56 Trung Hoa Street, Cau Giay District
Hanoi, Vietnam
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the varnish-dev mailing list