Apache DoS - is Varnish affected?

Fabian Keil freebsd-listen at fabiankeil.de
Fri Jun 19 20:07:01 CEST 2009

"Poul-Henning Kamp" <phk at phk.freebsd.dk> wrote:

> In message <4A3BA393.3010306 at loman.net>, Nick Loman writes:
> >I would guess that Varnish isn't affected by this, but does anyone know 
> >for sure? Does Varnish protect against this attack in all cases if you 
> >have Apache as your backend?
> >
> >http://isc.sans.org/diary.html?storyid=6601
> Varnish will abandon the connection after a fixed number of header
> lines.
> This attack is more or less exactly _why_ varnish has a fixed limit
> on HTTP headers.
> I won't claim that varnish is imune, but the impact should be manageable.
> Systems using "http accept filters" (FreeBSD possibly others) the Varnish
> (or apache) will never even see these connections in the first place.

Actually I think accf_http(9) would only delay the attack.

While the man page doesn't mention it, accf_http passes
incomplete requests to the userland if its buffer is full.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-misc/attachments/20090619/c0bb945a/attachment-0003.pgp>

More information about the varnish-misc mailing list