Hi everybody,

I have experienced "buggies" or some kind of slowloris-variation attack on my Varnish server twice in the last 24 hours. One IP could open and hold thousands of connections in the CLOSE_WAIT state to my Varnish, and that caused thousands of connections to PHP and MySQL to be held too. The result was that my system ran out of resources, and the web browser barely received any information from the front end.

In the first wave, I thought it was just a bug, so I restarted Varnish and PHP; then everything was fine, and the system came back to its normal state with hundreds of MB of RAM freed. In the second wave, when I noticed the front end could not serve client requests, I logged in over SSH and saw 60 thousand CLOSE_WAIT connections. I repeated my previous process and restarted Varnish and PHP, but there were still 20-30k connections held and more coming. I had to turn Varnish off and change the front end to the nginx dev version. After that everything was fine.

I also tried to check varnish-cache.org for update information and maybe a solution, but it seems that varnish-cache.org has some problems too. I wonder if there are attacks targeting Varnish with some zero-day exploit. It is really similar to the famous slowloris attack.

Right now, my production web server is fine with nginx and I could keep it running for a long time. But I hope my information could help if there is a bug or an exploit attack.

Best regards,
Tu Pham Ngoc
--------------------------------
Skype: phamngoctuuk
YM/MSN: [email protected]
HP: +84 90 446 1132
--------------------------------
Anh Ngoc Co., Ltd.
56 Trung Hoa Street, Cau Giay District
Hanoi, Vietnam
www.anhngoc.vn
_______________________________________________
varnish-dev mailing list
[email protected]
http://lists.varnish-cache.org/mailman/listinfo/varnish-dev
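
Added example, not part of the original message or of Varnish: one way to confirm the pattern the report describes (a single IP holding thousands of CLOSE_WAIT connections) is to count CLOSE_WAIT sockets per remote address from `ss -tan` or `netstat -tan` output. The function names, the thresholds and the sample socket lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count CLOSE_WAIT sockets per remote IP and flag heavy holders.
# Reads `ss -tan` or `netstat -tan` text on stdin. In both layouts the peer
# address is column 5; the state is column 1 (ss) or column 6 (netstat).

# close_wait_by_peer THRESHOLD   (hypothetical helper, default threshold 100)
# Prints "<count> <ip>" for every peer holding at least THRESHOLD sockets
# in CLOSE_WAIT, highest count first.
close_wait_by_peer() {
    awk -v min="${1:-100}" '
        $1 ~ /^CLOSE[-_]WAIT$/ || $6 ~ /^CLOSE[-_]WAIT$/ {
            peer = $5
            sub(/:[0-9]+$/, "", peer)   # drop the port
            gsub(/[][]/, "", peer)      # drop ss-style IPv6 brackets
            sub(/^::ffff:/, "", peer)   # fold IPv4-mapped IPv6 into IPv4
            held[peer]++
        }
        END {
            for (p in held)
                if (held[p] >= min + 0) print held[p], p
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample (documentation addresses), mixing ss and netstat lines.
sample_sockets() {
    cat <<'EOF'
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
CLOSE-WAIT 1      0      192.0.2.10:80       198.51.100.7:51001
CLOSE-WAIT 1      0      192.0.2.10:80       198.51.100.7:51002
CLOSE-WAIT 1      0      192.0.2.10:80       [::ffff:198.51.100.7]:51003
ESTAB      0      0      192.0.2.10:80       203.0.113.5:40022
CLOSE-WAIT 1      0      192.0.2.10:80       203.0.113.9:40100
tcp        1      0 192.0.2.10:80           198.51.100.7:51004      CLOSE_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.5:40023       ESTABLISHED
EOF
}

# Live use on the affected host: ss -tan | close_wait_by_peer 1000
sample_sockets | close_wait_by_peer 2
```

A socket sits in CLOSE_WAIT when the remote side has closed and the local process has not yet closed its end, so a large per-IP count points at the local server holding sockets that one client has already abandoned.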
