AW: Varnish poisoned cache avoidance

Poul-Henning Kamp phk at
Sun Jan 10 11:12:57 CET 2010

In message <01cf01ca91db$8c29b790$a47d26b0$@de>, "Mike Schiessl" writes:

>How can varnishd help me prevent DDOS / DOS attacks ?

Firstly, by being damn fast.

Originally we had some plans for specific antiDoS measures, something

	sub vcl_recv {
		if (client.bandwidth > 100 mbit/s) {
			delay 100ms;
		if (client.missratio > 20%) {

et cetera...

There are some issues and fine details to doing it, amongst other things
that we need to have a data structure for the client which survives
the individual session long enough for it to make any difference
in the above context.

The trouble of course is that a DDoS cannot be identified by IP#,
prompting ideas long the lines of
	sub vcl_recv {
		if (backend.hitrate < 70%) {
			/* do something... */


But before we get anywere, somebody needs to figure out what we
can do.

Basically any countermeasure has two equally troublesome components:

1. detection.  Knowing that you need to do something.

2. mitigation.  What are we going to do ?


Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

More information about the varnish-misc mailing list