Security: Rejecting offending connections

Once upon a time DDoS attacks were something rare. Now, not a week goes by without such an attack on a customer or a prospect.

Half a year ago we started building the shield VMOD. The idea was to put various security-related functions into a VMOD. We got so far as to put one function into it - conn_reset(). It does what you expect it to do: it just resets the connection, evicting it from Varnish in a rather unceremonious manner.

The usage is simple. If you manage to identify the attacking request, either by IP or header pattern, then instead of serving a proper object with headers and the like, just toss the connection out the window.
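
A sketch of that usage in VCL, added here as an illustration and not taken from the VMOD's own documentation. It assumes Varnish 4 VCL syntax; the ACL name, the addresses (documentation ranges), the User-Agent pattern, the backend and the closing return are all constructed for the example.

```vcl
vcl 4.0;

import shield;

# Constructed placeholder backend so the file loads on its own.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

# Constructed sample: documentation address ranges standing in for
# the sources you have identified as attacking.
acl offenders {
    "192.0.2.0"/24;
    "198.51.100.7";
}

sub vcl_recv {
    # Match the offending request by client IP or by a header pattern
    # (the User-Agent string here is a made-up example).
    if (client.ip ~ offenders ||
        req.http.User-Agent ~ "^ExampleFloodBot/") {
        # Reset the connection instead of building a response.
        shield.conn_reset();
        # Assumption: stop processing here so the request never
        # reaches cache lookup or the backend.
        return (synth(403));
    }
}
```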

The VMOD is available on GitHub. Any other functions you'd like to see in this VMOD?

