Apache DoS - is Varnish affected?
Nick Loman
nick at loman.net
Fri Jun 19 17:46:41 CEST 2009
Poul-Henning Kamp wrote:
> In message <4A3BA393.3010306 at loman.net>, Nick Loman writes:
>
>> I would guess that Varnish isn't affected by this, but does anyone know
>> for sure? Does Varnish protect against this attack in all cases if you
>> have Apache as your backend?
>>
>> http://isc.sans.org/diary.html?storyid=6601
>>
>
> Varnish will abandon the connection after a fixed number of header
> lines.
>
> This attack is more or less exactly _why_ varnish has a fixed limit
> on HTTP headers.
>
Hi Poul-Henning,
That's reassuring. Out of interest, what is the limit?
Presumably that limit * the read timeout is the length of time a
connection could be held open by a rogue client? I agree that is
probably manageable but of course still potentially serious in the
context of a significant DoS attempt.
Cheers,
Nick.
More information about the varnish-misc
mailing list