In message <4a3ba393.3010...@loman.net>, Nick Loman writes:
>I would guess that Varnish isn't affected by this, but does anyone know 
>for sure? Does Varnish protect against this attack in all cases if you 
>have Apache as your backend?
>
>http://isc.sans.org/diary.html?storyid=6601

Varnish will abandon the connection after a fixed number of header
lines.

This attack is more or less exactly _why_ varnish has a fixed limit
on HTTP headers.

I won't claim that varnish is immune, but the impact should be manageable.

On systems using "http accept filters" (FreeBSD, possibly others), Varnish
(or Apache) will never even see these connections in the first place.


-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
p...@freebsd.org         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
_______________________________________________
varnish-misc mailing list
varnish-misc@projects.linpro.no
http://projects.linpro.no/mailman/listinfo/varnish-misc
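
An added illustration of the fixed header-line limit described in the reply above; it is not part of the original message and not Varnish source code. The names `hdr_conn`, `hdr_feed`, `drip` and the value of `MAX_HDR_LINES` are assumptions made for this sketch, and the input is constructed in memory.

```c
#include <stddef.h>

/* Assumed cap for this sketch (request line included); not Varnish's value. */
#define MAX_HDR_LINES 32

enum hdr_state { HDR_MORE, HDR_COMPLETE, HDR_ABANDON };

struct hdr_conn {
    unsigned lines;        /* completed lines seen so far */
    size_t cur_len;        /* bytes in the line still being received */
    enum hdr_state state;
};

static void hdr_init(struct hdr_conn *c)
{
    c->lines = 0; c->cur_len = 0; c->state = HDR_MORE;
}

/* Feed one chunk as read from the socket; a chunk may split a line anywhere. */
static enum hdr_state hdr_feed(struct hdr_conn *c, const char *buf, size_t len)
{
    for (size_t i = 0; i < len && c->state == HDR_MORE; i++) {
        if (buf[i] == '\r')
            continue;                    /* accept CRLF and bare LF */
        if (buf[i] != '\n') {
            c->cur_len++;
            continue;
        }
        if (c->cur_len == 0)
            c->state = HDR_COMPLETE;     /* blank line ends the headers */
        else if (++c->lines > MAX_HDR_LINES)
            c->state = HDR_ABANDON;      /* cap hit: caller closes the socket */
        c->cur_len = 0;
    }
    return c->state;
}

/* Constructed input: request line, then up to n header lines sent one per
 * chunk, never followed by the terminating blank line. */
static enum hdr_state drip(unsigned n, unsigned *sent)
{
    struct hdr_conn c;
    hdr_init(&c);
    hdr_feed(&c, "GET / HTTP/1.1\r\n", 16);
    for (*sent = 0; *sent < n && c.state == HDR_MORE; (*sent)++)
        hdr_feed(&c, "X-a: b\r\n", 8);
    return c.state;
}

int main(void) { unsigned s; return drip(1000, &s) == HDR_ABANDON ? 0 : 1; }
```

The counter lives in per-connection state, so the cap holds however the client splits its lines across reads.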
