Poul-Henning Kamp wrote:
> In message <[email protected]>, Nick Loman writes:
>
>> I would guess that Varnish isn't affected by this, but does anyone know
>> for sure? Does Varnish protect against this attack in all cases if you
>> have Apache as your backend?
>>
>> http://isc.sans.org/diary.html?storyid=6601
>>
>
> Varnish will abandon the connection after a fixed number of header
> lines.
>
> This attack is more or less exactly _why_ varnish has a fixed limit
> on HTTP headers.
>

Hi Poul-Henning,

That's reassuring. Out of interest, what is the limit? Presumably that limit * the read timeout is the length of time a connection could be held open by a rogue client?

I agree that is probably manageable but of course still potentially serious in the context of a significant DoS attempt.

Cheers,

Nick.
