Apache DoS - is Varnish affected?

Nick Loman nick at loman.net
Fri Jun 19 17:46:41 CEST 2009

Poul-Henning Kamp wrote:
> In message <4A3BA393.3010306 at loman.net>, Nick Loman writes:
>> I would guess that Varnish isn't affected by this, but does anyone know 
>> for sure? Does Varnish protect against this attack in all cases if you 
>> have Apache as your backend?
>> http://isc.sans.org/diary.html?storyid=6601
> Varnish will abandon the connection after a fixed number of header
> lines.
> This attack is more or less exactly _why_ varnish has a fixed limit
> on HTTP headers.
Hi Poul-Henning,

That's reassuring. Out of interest, what is the limit?

Presumably that limit * the read timeout is the length of time a 
connection could be held open by a rogue client? I agree that is 
probably manageable but of course still potentially serious in the 
context of a significant DoS attempt.



More information about the varnish-misc mailing list