AW: Varnish poisoned cache avoidance
Poul-Henning Kamp
phk at phk.freebsd.dk
Sun Jan 10 11:12:57 CET 2010
In message <01cf01ca91db$8c29b790$a47d26b0$@de>, "Mike Schiessl" writes:
>How can varnishd help me prevent DDOS / DOS attacks ?
Firstly, by being damn fast.
Originally we had some plans for specific anti-DoS measures, something
like:
    sub vcl_recv {
        if (client.bandwidth > 100 mbit/s) {
            delay 100ms;
        }
        if (client.missratio > 20%) {
            close;
        }
    }
et cetera...
There are some issues and fine details to doing it, amongst other things
that we need to have a data structure for the client which survives
the individual session long enough for it to make any difference
in the above context.
The trouble of course is that a DDoS cannot be identified by IP#,
prompting ideas along the lines of
    sub vcl_recv {
        if (backend.hitrate < 70%) {
            /* do something... */
        }
    }
etc.
But before we get anywhere, somebody needs to figure out what we
can do.
Basically any countermeasure has two equally troublesome components:
1. detection. Knowing that you need to do something.
2. mitigation. What are we going to do?
Poul-Henning
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
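Added example, not from this thread and not Varnish code: a per-client table in Python that outlives any single session (the data structure the mail says is missing), computing the miss ratio and bandwidth that the hypothetical vcl_recv above tests over a sliding window, and returning the matching verdict. The window length, the minimum request count before a verdict, the response sizes and the 192.0.2.x client addresses are assumptions; the traffic is constructed.

```python
from collections import deque

WINDOW_SECONDS = 10.0        # assumption: ratios over a 10 s sliding window
MIN_REQUESTS = 20            # assumption: no verdict before 20 requests are seen
BANDWIDTH_LIMIT_BPS = 100e6  # "client.bandwidth > 100 mbit/s" from the mail
MISS_RATIO_LIMIT = 0.20      # "client.missratio > 20%" from the mail

class ClientStats:
    """Per-client counters that outlive any single session."""
    def __init__(self):
        self.events = deque()  # (timestamp, was_miss, response_bytes), oldest first
    def record(self, now, was_miss, response_bytes):
        self.events.append((now, was_miss, response_bytes))
        self._expire(now)
    def _expire(self, now):  # drop everything older than the window
        while self.events and self.events[0][0] < now - WINDOW_SECONDS:
            self.events.popleft()
    def request_count(self, now):
        self._expire(now)
        return len(self.events)
    def miss_ratio(self, now):
        n = self.request_count(now)
        return sum(1 for _, m, _ in self.events if m) / n if n else 0.0
    def bandwidth_bps(self, now):
        self._expire(now)
        return 8 * sum(b for _, _, b in self.events) / WINDOW_SECONDS

def decide(stats, now):
    """Mirror of the hypothetical vcl_recv: returns 'pass', 'delay' or 'close'."""
    if stats.request_count(now) < MIN_REQUESTS:
        return "pass"   # too little evidence; do not punish a client on its first hits
    if stats.bandwidth_bps(now) > BANDWIDTH_LIMIT_BPS:
        return "delay"  # the "delay 100ms" branch
    if stats.miss_ratio(now) > MISS_RATIO_LIMIT:
        return "close"  # the "close" branch
    return "pass"

def run_constructed_traffic():
    """Constructed sample: an ordinary client and a cache-busting client, 40 requests each."""
    table, verdicts = {}, {}
    for i in range(40):
        now = i * 0.2
        for ip, was_miss in (("192.0.2.10", i % 10 == 0), ("192.0.2.66", True)):
            stats = table.setdefault(ip, ClientStats())  # keyed by IP, survives sessions
            stats.record(now, was_miss, 4096)
            verdicts[ip] = decide(stats, now)
    return verdicts
```

The table is keyed by client address only to keep the example short; as the mail notes, a distributed attack will not be identifiable by IP number, so the same counters can be kept globally (the backend.hitrate idea) or per URL.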