HomeBlogsciderpunx's blog

Slowloris protection with Varnish

Mon, 24/01/2011 - 8:26pm — ciderpunx

You may have noticed 11 seconds of downtime on your OX4 site at about 8PM on 24 Jan 2011.

That was because we were deploying a new bit of software to protect our server against a denial of service attack called Slowloris. We can protect against it with a bit of software called Varnish

Varnish is what web geeks call a 'caching proxy'. That means that when someone points their web browser at the OX4 server that Varnish grabs the request and checks if anyone has seen the page in question recently. If the page has been looked at recently then Varnish can grab the page from its memory without having to burden our web server with the task. If nobody has looked at the page recently, then the request gets put into Varnish's memory for the next time someone asks for it. The reason that this helps us defend our users against Slowloris attacks is that Varnish will deal with the special requests that Slowloris generates in a more sensible way than our web server software would.

Slowloris uses a flaw that is present in web server software like Apache. It makes a request for a document to the webserver, but doesn't complete the request. It would be like you phoning up a friend and saying just "hello". Your friend would wait for a bit and try and encourage you to say something. But eventually your friend would hang up, right? Wrong. Some types of web server software just wait forever for you to say something. If you can do that enough times, then you saturate the telephone exchange (to extend the analogy) and nobody else can make calls. If you want to learn more you can have a look at the Slowloris homepage or check out this video.

There are side benefits to using Varnish for our lovely OX4 users (ie. as well as making it harder for a malicious attacker to take down their  websites). Folks with HTML sites or ones with lots of pictures on like Stig's site will run faster for most users. And our Drupal sites like this one will continue to run at the same sort of speed they always have, with the benefit that graphics will be delivered more quickly.