"ExpBan: nnn was banned"

2009-06-19 Thread Martin Goldman 
Hi folks,

We have a newly deployed Varnish installation (v2.0.4 on Debian 5.0 64-bit).
Our hitrate is pretty good (80%+) and the load on the server is consistently
0.00. The cache size is 50G and the TTL is set to basically cache things
indefinitely (it's set to like 1000 years, I think).

I got a complaint from a user that some percentage of his page views seem
too slow to be coming from the cache. I brought up our home page and started
refreshing it over and over. Sure enough, while most of the page views are
in fact getting  cached, once every 5 or 6 times, I get a cache miss. When
this happens, varnishlog shows something like this:

   32 VCL_call c recv lookup
   32 VCL_call c hash hash
*   32 ExpBan   c 1607291667 was banned
*   32 VCL_call c miss fetch

I apologize if my google-fu is broken today, but I can't seem to find a
description of what the message above means. I would certainly appreciate
any information (or links) that would help explain this message and how to
prevent the problem going forward.

Thanks and regards,
Martin
___
varnish-misc mailing list
varnish-misc@projects.linpro.no
http://projects.linpro.no/mailman/listinfo/varnish-misc

Re: Thread memory allocation question

2009-06-19 Thread Poul-Henning Kamp 
In message <5c056ae2-7207-42f8-9e4b-0f541dc4b...@slide.com>, Ken Brownfield wri
tes:

>Would a stack overflow take out the whole child, or just that thread?

The kernel would try to extend the stack and provided you are not on
a 32 bit system, it shouldn't ever have a problem with that.

-- 
Poul-Henning Kamp   | UNIX since Zilog Zeus 3.20
p...@freebsd.org | TCP/IP since RFC 956
FreeBSD committer   | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
___
varnish-misc mailing list
varnish-misc@projects.linpro.no
http://projects.linpro.no/mailman/listinfo/varnish-misc

Re: Thread memory allocation question

2009-06-19 Thread Ken Brownfield 
On Jun 19, 2009, at 7:15 AM, Tollef Fog Heen wrote:
> | 40111000   8192K rw---[ anon ]
> Looks like the default stack size.

Ah, of course.  Good find, thanks.  I'm thinking it might be nice to  
have a thread track its stack history and emit its approximate largest  
size when it's reaped (and the workspaces too I suppose).

Would a stack overflow take out the whole child, or just that thread?

The 1024K blocks roughly add up to the SMA outstanding bytes, so I'm  
assuming these are jemalloc block allocations, and not related to  
thread count:

lib/jemalloc/malloc.c:
#define CHUNK_2POW_DEFAULT  20

Thanks!
-- 
Ken.

On Jun 19, 2009, at 7:15 AM, Tollef Fog Heen wrote:

> ]] Ken Brownfield
>
> | When looking at /proc/map info for varnish threads, I'm seeing the
> | following allocations in numbers that essentially match the child  
> count:
> |
> | 40111000   8192K rw---[ anon ]
>
> Looks like the default stack size.
>
> | And this at almost double the child count:
> |
> | 7f4d5790   1024K rw---[ anon ]
>
> Unsure what this is.
>
> | I noticed some pretty intense memory usage when I had a backend  
> issue
> | and the thread count increased into the hundreds.  Obviously the
> | threads will need memory as they scale, but are these large
> | allocations intentional, and are they tunable (beyond the relatively
> | small workspaces?)
>
> You should be able to tune it using ulimit -s.  If you turn it too  
> low,
> things will break, though.
>
> -- 
> Tollef Fog Heen
> Redpill Linpro -- Changing the game!
> t: +47 21 54 41 73

___
varnish-misc mailing list
varnish-misc@projects.linpro.no
http://projects.linpro.no/mailman/listinfo/varnish-misc

Re: Apache DoS - is Varnish affected?

2009-06-19 Thread Poul-Henning Kamp 
In message <20090619200701.0dd70...@fabiankeil.de>, Fabian Keil writes:

>Actually I think accf_http(9) would only delay the attack.
>
>While the man page doesn't mention it, accf_http passes
>incomplete requests to the userland if its buffer is full.

Yeah, but I'm pretty sure the buffer would contain enough junk to
make varnish shut the connection immediately, so the fd starvation
would not happen.

Anyway, if you are interested in this DoS, you can trivially test
it yourselv with a telnet connection and patience in front of the
keyboard.

Poul-Henning

-- 
Poul-Henning Kamp   | UNIX since Zilog Zeus 3.20
p...@freebsd.org | TCP/IP since RFC 956
FreeBSD committer   | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
___
varnish-misc mailing list
varnish-misc@projects.linpro.no
http://projects.linpro.no/mailman/listinfo/varnish-misc

Re: Apache DoS - is Varnish affected?

2009-06-19 Thread Fabian Keil 
"Poul-Henning Kamp"  wrote:

> In message <4a3ba393.3010...@loman.net>, Nick Loman writes:
> >I would guess that Varnish isn't affected by this, but does anyone know 
> >for sure? Does Varnish protect against this attack in all cases if you 
> >have Apache as your backend?
> >
> >http://isc.sans.org/diary.html?storyid=6601
> 
> Varnish will abandon the connection after a fixed number of header
> lines.
> 
> This attack is more or less exactly _why_ varnish has a fixed limit
> on HTTP headers.
> 
> I won't claim that varnish is imune, but the impact should be manageable.
> 
> Systems using "http accept filters" (FreeBSD possibly others) the Varnish
> (or apache) will never even see these connections in the first place.

Actually I think accf_http(9) would only delay the attack.

While the man page doesn't mention it, accf_http passes
incomplete requests to the userland if its buffer is full.

Fabian


signature.asc
Description: PGP signature
___
varnish-misc mailing list
varnish-misc@projects.linpro.no
http://projects.linpro.no/mailman/listinfo/varnish-misc

Re: Apache DoS - is Varnish affected?

2009-06-19 Thread Poul-Henning Kamp 
In message <4a3bbfe6.7070...@stillbilde.net>, "Svein Skogen (listmail account)" 
writes:

>> Systems using "http accept filters" (FreeBSD possibly others) the Varnish
>> (or apache) will never even see these connections in the first place.
>
>Does this basically mean that in these uncertain times where kiddiots
>DoS (Destroying our Sanity) just for the fun of it, using accf_http
>should go into the checklist for every webserver, or am I reading this
>wrong?

Good question, I don't know how accf_http will handle these attacks.

-- 
Poul-Henning Kamp   | UNIX since Zilog Zeus 3.20
p...@freebsd.org | TCP/IP since RFC 956
FreeBSD committer   | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
___
varnish-misc mailing list
varnish-misc@projects.linpro.no
http://projects.linpro.no/mailman/listinfo/varnish-misc

Re: Apache DoS - is Varnish affected?

2009-06-19 Thread Poul-Henning Kamp 
In message <4a3bb2e1.8090...@loman.net>, Nick Loman writes:
>Poul-Henning Kamp wrote:

>> Varnish will abandon the connection after a fixed number of header
>> lines.
>
>That's reassuring. Out of interest, what is the limit?

32 - 3 (for the first line fields)

>Presumably that limit * the read timeout is the length of time a 
>connection could be held open by a rogue client? 

Something like that, I have not tried it.

Worst case it would be a timeout for each character.

-- 
Poul-Henning Kamp   | UNIX since Zilog Zeus 3.20
p...@freebsd.org | TCP/IP since RFC 956
FreeBSD committer   | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
___
varnish-misc mailing list
varnish-misc@projects.linpro.no
http://projects.linpro.no/mailman/listinfo/varnish-misc

Re: Apache DoS - is Varnish affected?

2009-06-19 Thread Svein Skogen (listmail account) 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Poul-Henning Kamp wrote:
> 
> Systems using "http accept filters" (FreeBSD possibly others) the Varnish
> (or apache) will never even see these connections in the first place.
> 

Does this basically mean that in these uncertain times where kiddiots
DoS (Destroying our Sanity) just for the fun of it, using accf_http
should go into the checklist for every webserver, or am I reading this
wrong?

//Svein

- --
- +---+---
  /"\   |Svein Skogen   | sv...@d80.iso100.no
  \ /   |Solberg Østli 9| PGP Key:  0xE5E76831
   X|2020 Skedsmokorset | sv...@jernhuset.no
  / \   |Norway | PGP Key:  0xCE96CE13
|   | sv...@stillbilde.net
 ascii  |   | PGP Key:  0x58CD33B6
 ribbon |System Admin   | svein-listm...@stillbilde.net
Campaign|stillbilde.net | PGP Key:  0x22D494A4
+---+---
|msn messenger: | Mobile Phone: +47 907 03 575
|sv...@jernhuset.no | RIPE handle:SS16503-RIPE
- +---+---
 Picture Gallery:
  https://gallery.stillbilde.net/v/svein/
- 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAko7v+YACgkQODUnwSLUlKTYbACeKqc2n1UfTGLhkuq1QdP5g+IC
PUIAoJrA4eC13T1JGCt2Y7GYIxdYT/Eo
=2dIU
-END PGP SIGNATURE-
___
varnish-misc mailing list
varnish-misc@projects.linpro.no
http://projects.linpro.no/mailman/listinfo/varnish-misc

Re: Apache DoS - is Varnish affected?

2009-06-19 Thread Nick Loman 
Poul-Henning Kamp wrote:
> In message <4a3ba393.3010...@loman.net>, Nick Loman writes:
>   
>> I would guess that Varnish isn't affected by this, but does anyone know 
>> for sure? Does Varnish protect against this attack in all cases if you 
>> have Apache as your backend?
>>
>> http://isc.sans.org/diary.html?storyid=6601
>> 
>
> Varnish will abandon the connection after a fixed number of header
> lines.
>
> This attack is more or less exactly _why_ varnish has a fixed limit
> on HTTP headers.
>   
Hi Poul-Henning,

That's reassuring. Out of interest, what is the limit?

Presumably that limit * the read timeout is the length of time a 
connection could be held open by a rogue client? I agree that is 
probably manageable but of course still potentially serious in the 
context of a significant DoS attempt.

Cheers,

Nick.




___
varnish-misc mailing list
varnish-misc@projects.linpro.no
http://projects.linpro.no/mailman/listinfo/varnish-misc

Re: Apache DoS - is Varnish affected?

2009-06-19 Thread Poul-Henning Kamp 
In message <4a3ba393.3010...@loman.net>, Nick Loman writes:
>I would guess that Varnish isn't affected by this, but does anyone know 
>for sure? Does Varnish protect against this attack in all cases if you 
>have Apache as your backend?
>
>http://isc.sans.org/diary.html?storyid=6601

Varnish will abandon the connection after a fixed number of header
lines.

This attack is more or less exactly _why_ varnish has a fixed limit
on HTTP headers.

I won't claim that varnish is imune, but the impact should be manageable.

Systems using "http accept filters" (FreeBSD possibly others) the Varnish
(or apache) will never even see these connections in the first place.


-- 
Poul-Henning Kamp   | UNIX since Zilog Zeus 3.20
p...@freebsd.org | TCP/IP since RFC 956
FreeBSD committer   | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
___
varnish-misc mailing list
varnish-misc@projects.linpro.no
http://projects.linpro.no/mailman/listinfo/varnish-misc

Apache DoS - is Varnish affected?

2009-06-19 Thread Nick Loman 
I would guess that Varnish isn't affected by this, but does anyone know 
for sure? Does Varnish protect against this attack in all cases if you 
have Apache as your backend?

http://isc.sans.org/diary.html?storyid=6601

Many thanks,

Nick.

___
varnish-misc mailing list
varnish-misc@projects.linpro.no
http://projects.linpro.no/mailman/listinfo/varnish-misc

Re: Thread memory allocation question

2009-06-19 Thread Tollef Fog Heen 
]] Ken Brownfield 

| When looking at /proc/map info for varnish threads, I'm seeing the  
| following allocations in numbers that essentially match the child count:
| 
| 40111000   8192K rw---[ anon ]

Looks like the default stack size.

| And this at almost double the child count:
| 
| 7f4d5790   1024K rw---[ anon ]

Unsure what this is.

| I noticed some pretty intense memory usage when I had a backend issue  
| and the thread count increased into the hundreds.  Obviously the  
| threads will need memory as they scale, but are these large  
| allocations intentional, and are they tunable (beyond the relatively  
| small workspaces?)

You should be able to tune it using ulimit -s.  If you turn it too low,
things will break, though.

-- 
Tollef Fog Heen 
Redpill Linpro -- Changing the game!
t: +47 21 54 41 73
___
varnish-misc mailing list
varnish-misc@projects.linpro.no
http://projects.linpro.no/mailman/listinfo/varnish-misc

Thread memory allocation question

2009-06-19 Thread Ken Brownfield 
When looking at /proc/map info for varnish threads, I'm seeing the  
following allocations in numbers that essentially match the child count:

40111000   8192K rw---[ anon ]

And this at almost double the child count:

7f4d5790   1024K rw---[ anon ]

For example, for 64 worker threads, I see 69 of the 8192K allocations,  
and 121 of the 1024K allocations. For 32 worker threads I see 37 and  
82, respectively.

I noticed some pretty intense memory usage when I had a backend issue  
and the thread count increased into the hundreds.  Obviously the  
threads will need memory as they scale, but are these large  
allocations intentional, and are they tunable (beyond the relatively  
small workspaces?)

Many thanks,
-- 
Ken.
___
varnish-misc mailing list
varnish-misc@projects.linpro.no
http://projects.linpro.no/mailman/listinfo/varnish-misc