Apache DoS - is Varnish affected?
nick at loman.net
Fri Jun 19 17:46:41 CEST 2009
Poul-Henning Kamp wrote:
> In message <4A3BA393.3010306 at loman.net>, Nick Loman writes:
>> I would guess that Varnish isn't affected by this, but does anyone know
>> for sure? Does Varnish protect against this attack in all cases if you
>> have Apache as your backend?
> Varnish will abandon the connection after a fixed number of header
> This attack is more or less exactly _why_ varnish has a fixed limit
> on HTTP headers.

That's reassuring. Out of interest, what is the limit?

Presumably that limit * the read timeout is the length of time a
connection could be held open by a rogue client? I agree that is
probably manageable but of course still potentially serious in the
context of a significant DoS attempt.