Apache DoS - is Varnish affected?
freebsd-listen at fabiankeil.de
Fri Jun 19 20:07:01 CEST 2009
"Poul-Henning Kamp" <phk at phk.freebsd.dk> wrote:
> In message <4A3BA393.3010306 at loman.net>, Nick Loman writes:
> >I would guess that Varnish isn't affected by this, but does anyone know
> >for sure? Does Varnish protect against this attack in all cases if you
> >have Apache as your backend?
> Varnish will abandon the connection after a fixed number of header
> This attack is more or less exactly _why_ varnish has a fixed limit
> on HTTP headers.
> I won't claim that varnish is imune, but the impact should be manageable.
> Systems using "http accept filters" (FreeBSD possibly others) the Varnish
> (or apache) will never even see these connections in the first place.
Actually I think accf_http(9) would only delay the attack.
While the man page doesn't mention it, accf_http passes
incomplete requests to the userland if its buffer is full.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 196 bytes
Desc: not available
More information about the varnish-misc