Apache DoS - is Varnish affected?

Poul-Henning Kamp phk at phk.freebsd.dk
Fri Jun 19 17:35:51 CEST 2009


In message <4A3BA393.3010306 at loman.net>, Nick Loman writes:
>I would guess that Varnish isn't affected by this, but does anyone know 
>for sure? Does Varnish protect against this attack in all cases if you 
>have Apache as your backend?
>
>http://isc.sans.org/diary.html?storyid=6601

Varnish will abandon the connection after a fixed number of header
lines.

This attack is more or less exactly _why_ varnish has a fixed limit
on HTTP headers.

I won't claim that varnish is immune, but the impact should be manageable.

On systems using "http accept filters" (FreeBSD, possibly others), Varnish
(or Apache) will never even see these connections in the first place.


-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
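One way to implement the fixed header-line limit the reply describes, as an added example that is not Varnish's own code; the limits and the sample input are assumptions constructed for illustration:

```python
from typing import Dict, Iterable, Iterator, Tuple

# Assumed limits for this example. Varnish's real values are not quoted in
# the message above, so treat these as placeholders, not its configuration.
MAX_HEADER_LINES = 64
MAX_HEADER_BYTES = 8192


def read_request_headers(chunks: Iterable[bytes],
                         max_lines: int = MAX_HEADER_LINES,
                         max_bytes: int = MAX_HEADER_BYTES) -> Tuple[str, object]:
    """Consume chunks from a client socket until the blank line that ends the
    header block.  Returns ("ok", {...}) on a complete block, or
    ("abort", reason) once the client exceeds the line or byte budget.
    The budget is checked as each chunk arrives, so a client that never sends
    the terminating blank line is dropped after a bounded amount of work
    instead of holding the connection open indefinitely."""
    buf = b""
    lines = []
    received = 0
    for chunk in chunks:
        received += len(chunk)
        if received > max_bytes:
            return "abort", "header block exceeds %d bytes" % max_bytes
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            if line == b"":
                return "ok", _parse(lines)
            lines.append(line)
            # lines[0] is the request line; everything after it is a header.
            if len(lines) - 1 > max_lines:
                return "abort", "more than %d header lines" % max_lines
    return "abort", "connection closed before end of headers"


def _parse(lines) -> Dict[str, object]:
    headers = {}
    for raw in lines[1:]:
        name, _, value = raw.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0].decode("latin-1"), "headers": headers}


def dribbling_headers() -> Iterator[bytes]:
    """Constructed sample input: a request line followed by header lines
    that never end, i.e. the never-completing request the linked diary
    describes.  Used only to show that the reader bails out."""
    yield b"GET / HTTP/1.1\r\n"
    n = 0
    while True:
        n += 1
        yield b"X-Pad-%d: x\r\n" % n
```

A real server would pair this with a per-connection header read timeout, since the line budget bounds the work per connection but not the wall-clock time a single slow line can take.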