The hash collision attacks

During Christmas there was a big kerfuffle around the hash collision attacks, a denial-of-service attack that exploits weaknesses in the implementation of hashes in several server-side programming languages. Since then we've been asked several times whether Varnish is vulnerable to such an attack. Since Varnish is more or less built around a hash, that is a natural question to ask. The short answer is no - we're not vulnerable.

The attack

The attacks are quite simple. In order to bring a web server to its knees you only need to send it a lot of input that you know will be used in a hash. Since the hash algorithm more or less breaks down and turns into a linked list, the server might spend several hours of CPU time processing the request. Send a couple of those to a server and it probably won't do anything else.

The hash key in Varnish

The hash algorithm used in Varnish is SHA-256. To date there are no two known inputs that produce the same hash key. Even if you have two keys that collide, you would need several tens of thousands of keys in order to significantly affect the performance of Varnish. So we're quite safe. :-)
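To make the "turns into a linked list" point and the SHA-256 point concrete, here is an added example (not Varnish code and not from the original post) that counts key comparisons in a chained hash table under a deliberately weak toy hash and under SHA-256. The table size, the byte-sum hash, the `ChainedTable` class and the sample keys are all assumptions made for the illustration.

```python
import hashlib
from itertools import permutations

BUCKETS = 1024  # assumed table size for the illustration

def weak_hash(key: bytes) -> int:
    # Toy hash (hypothetical): a byte sum ignores order, so every
    # permutation of the same bytes lands in the same bucket.
    return sum(key) % BUCKETS

def sha256_hash(key: bytes) -> int:
    # Bucket index taken from the first 8 bytes of the SHA-256 digest.
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % BUCKETS

class ChainedTable:
    """Hash table with separate chaining that counts key comparisons."""
    def __init__(self, hash_fn):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(BUCKETS)]
        self.comparisons = 0

    def insert(self, key: bytes) -> None:
        chain = self.buckets[self.hash_fn(key)]
        for existing in chain:          # linear walk: the "linked list"
            self.comparisons += 1
            if existing == key:
                return
        chain.append(key)

    def longest_chain(self) -> int:
        return max(len(chain) for chain in self.buckets)

def measure(hash_fn, keys):
    """Insert all keys; return (total comparisons, longest chain)."""
    table = ChainedTable(hash_fn)
    for key in keys:
        table.insert(key)
    return table.comparisons, table.longest_chain()

# Constructed sample input: the 720 orderings of six bytes.
KEYS = [bytes(p) for p in permutations(b"abcdef")]

if __name__ == "__main__":
    for name, fn in (("byte-sum", weak_hash), ("sha256", sha256_hash)):
        comparisons, longest = measure(fn, KEYS)
        print(f"{name:8s} comparisons={comparisons:7d} longest_chain={longest}")
```

With the toy hash every insert walks the whole chain, so the work grows quadratically with the number of keys; with SHA-256 the same keys spread across the buckets and the chains stay short.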

If you want to know more, PHK had a random outburst that goes into some detail.

1/4/12 11:19 AM by Per Buer
