"Poul-Henning Kamp" <[email protected]> wrote:
> In message <[email protected]>, Nick Loman writes:
> >I would guess that Varnish isn't affected by this, but does anyone know
> >for sure? Does Varnish protect against this attack in all cases if you
> >have Apache as your backend?
> >
> >http://isc.sans.org/diary.html?storyid=6601
>
> Varnish will abandon the connection after a fixed number of header
> lines.
>
> This attack is more or less exactly _why_ varnish has a fixed limit
> on HTTP headers.
>
> I won't claim that varnish is immune, but the impact should be manageable.
>
> On systems using "http accept filters" (FreeBSD, possibly others), Varnish
> (or Apache) will never even see these connections in the first place.
Actually, I think accf_http(9) would only delay the attack. While the man page doesn't mention it, accf_http passes incomplete requests to userland if its buffer is full.

Fabian
_______________________________________________
varnish-misc mailing list
[email protected]
http://projects.linpro.no/mailman/listinfo/varnish-misc
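As an added illustration of the two mechanisms discussed in this thread (this is example code written for this page, not Varnish or FreeBSD source): a minimal request-head reader that enforces a fixed line limit, run against a constructed Slowloris-style stream that never sends the empty line ending the header block, and a model of an HTTP accept filter that hands the connection to userland once its buffer fills. The limits (16 lines, 512 bytes), the function names and the sample input are assumptions chosen for the demonstration; the real Varnish header limit and the real accf_http buffer size are not stated on this page.

```python
"""Added example: fixed header-line limit vs. an accept-filter buffer limit.

Illustration code for the thread above, not Varnish or FreeBSD source.
Limits, names and the attacker stream are assumptions for the demo.
"""
from typing import Iterator, List, Optional, Tuple

MAX_HEADER_LINES = 16   # assumed demo limit; Varnish's real value is not on the page
FILTER_BUFFER = 512     # assumed demo size for the accept-filter buffer


class RequestAbort(Exception):
    """Raised when the reader gives up on a request head."""

    def __init__(self, reason: str, lines_seen: int):
        super().__init__(reason)
        self.lines_seen = lines_seen


def read_request_head(chunks: Iterator[bytes],
                      max_lines: int = MAX_HEADER_LINES) -> List[str]:
    """Consume byte chunks until the empty line that ends the request head.

    Returns the request line plus header lines. Aborts as soon as more than
    max_lines lines have arrived without the terminating empty line, so a
    client trickling headers forever costs at most max_lines + 1 buffered
    lines per connection, however long it keeps going.
    """
    buf = b""
    lines: List[str] = []
    for chunk in chunks:
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            if line == b"":
                return lines
            lines.append(line.decode("latin-1"))
            if len(lines) > max_lines:
                raise RequestAbort("too many header lines", len(lines))
    raise RequestAbort("connection closed before end of head", len(lines))


def lines_seen_before_abort(chunks: Iterator[bytes],
                            max_lines: int = MAX_HEADER_LINES) -> Optional[int]:
    """Run the reader; report how many lines were buffered when it gave up
    (None if the head was read to completion)."""
    try:
        read_request_head(chunks, max_lines)
    except RequestAbort as exc:
        return exc.lines_seen
    return None


def slowloris_stream() -> Iterator[bytes]:
    """Constructed attacker input: a valid request line and Host header,
    then an endless trickle of bogus headers and never the empty line."""
    yield b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
    n = 0
    while True:
        yield f"X-a: {n}\r\n".encode("ascii")
        n += 1


def accept_filter_handoff(chunks: Iterator[bytes],
                          max_bytes: int = FILTER_BUFFER) -> Tuple[bytes, bool]:
    """Model of an HTTP accept filter: keep the connection 'in the kernel'
    until a complete head (empty line) has arrived or max_bytes accumulated.

    Returns (buffered bytes, head_complete). With the Slowloris stream the
    buffer fills and an incomplete head is handed to userland anyway, which
    is the point made in the reply above: the filter delays, it does not prevent.
    """
    buf = b""
    for chunk in chunks:
        buf += chunk
        if b"\r\n\r\n" in buf:
            return buf, True
        if len(buf) >= max_bytes:
            return buf, False
    return buf, False


if __name__ == "__main__":
    good = iter([b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"])
    print("normal request:", read_request_head(good))
    print("slowloris, lines buffered before abort:",
          lines_seen_before_abort(slowloris_stream()))
    buf, complete = accept_filter_handoff(slowloris_stream())
    print(f"accept filter handed off {len(buf)} bytes, head complete: {complete}")
```

Running it shows the contrast: the line-limited reader stops the Slowloris stream after 17 lines, while the buffer-based filter absorbs 512 bytes and then passes the still-incomplete head on, so whatever sits behind the filter still needs its own limit or timeout.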
