varnish-cache also down, maybe a slow-loris variation attack?

Tu Pham Ngoc phamngoctuuk at gmail.com
Sat Aug 28 19:16:20 CEST 2010


Hi everybody,

I have experienced "buggies" or some kind of slowloris variation attack with
my varnish server two times in the last 24 hours.
One IP could open and hold thousands of connections in CLOSE_WAIT state to my
varnish. And it makes thousands of connections to php & mysql be held too.
The result is that my system is out of resources, and the web browser barely
receives information from the front-end.

In the first wave, I thought it was just a bug, and tried restarting varnish
and php; then everything was fine, and the system came back to a normal state
with hundreds of MB of RAM freed.

In the second wave, when I noticed the front-end could not serve client
requests, I logged in over SSH and saw 60 thousand CLOSE_WAIT connections.
I repeated my previous process, restarting varnish and php, but there were
still 20-30k connections held and more to come. I had to turn varnish off and
change the front end to the nginx dev version. After that everything was fine.

I also tried to check varnish-cache.org for update information and maybe a
solution, but it seems that varnish-cache.org also has some problems too. I
wonder if there are attacks targeting varnish with some 0-day exploit bug. It
is really similar to the famous slowloris attack.

Right now, my production web server is fine with nginx and I could keep it
running for long. But I hope my information could help if there is a bug or
an exploit attack.

Best regards,
Tu Pham Ngoc
--------------------------------
Skype: phamngoctuuk
YM/MSN: phamngoctuuk at hotmail.com
HP: +84 90 446 1132
--------------------------------
Anh Ngoc Co., Ltd.
56 Trung Hoa Street, Cau Giay District
Hanoi, Vietnam
www.anhngoc.vn
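
The symptom reported in this message, thousands of CLOSE_WAIT sockets held by a single IP, can be confirmed and attributed per peer from socket-table output. The following is an added example, not part of the original post or of Varnish; the function names `close_wait_by_peer` and `sample_netstat`, the threshold, and the sample lines (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# CLOSE_WAIT means the remote peer has closed its side (FIN received) and the
# local process has not yet closed the socket, so a growing count per peer is
# worth tracking on a front-end cache or proxy.

# close_wait_by_peer THRESHOLD
# Reads `netstat -ant`-style lines on stdin
# (Proto Recv-Q Send-Q Local-Address Foreign-Address State) and prints
# "count peer_address" for every peer holding at least THRESHOLD sockets in
# CLOSE_WAIT, highest count first.
close_wait_by_peer() {
    awk -v min="$1" '
        $1 ~ /^tcp/ && $6 == "CLOSE_WAIT" {
            peer = $5
            sub(/:[0-9]+$/, "", peer)   # drop the port, keep the address
            n[peer]++
        }
        END {
            for (p in n)
                if (n[p] >= min + 0)
                    print n[p], p
        }
    ' | sort -rn
}

# Constructed sample input (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        1      0 192.0.2.10:80           203.0.113.7:41001       CLOSE_WAIT
tcp        1      0 192.0.2.10:80           203.0.113.7:41002       CLOSE_WAIT
tcp        1      0 192.0.2.10:80           203.0.113.7:41003       CLOSE_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.23:52110     ESTABLISHED
tcp        1      0 192.0.2.10:80           198.51.100.23:52111     CLOSE_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.99:40000     TIME_WAIT
EOF
}

# On a live host the input would be: netstat -ant | close_wait_by_peer 100
sample_netstat | close_wait_by_peer 2
```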