January 4, 2012

The hash collision attacks

During Christmas there was a big kerfuffle around the hash collision attacks, a denial of service attack that exploits weaknesses in the implementation of hashes in several server-side programming languages. Since then we've been asked several times if Varnish is vulnerable to such an attack. Since Varnish is more or less built around a hash, that is a natural question to ask. The short answer is no - we're not vulnerable.

The attack

The attacks are quite simple. In order to bring a web server to its knees you only need to send it a lot of input that you know will be used in a hash. Because the colliding keys make the hash table more or less break down and turn into a linked list, the server might spend several hours of CPU time processing the request. Send a couple of those to a server and it probably won't do anything else.

The hash key in Varnish

The hash algorithm used in Varnish is SHA-256. To date there are no two known inputs that produce the same hash key. Even if you had two keys that collide, you would need several tens of thousands of keys in order to significantly affect the performance of Varnish. So we're quite safe. :-)

If you want to know more, PHK had a random outburst that goes into some detail.