Newsgroups: php.internals
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Thomas Hruska
Cc: PHP internals
Date: Sat, 28 Nov 2015 06:21:08 +0900
In-Reply-To: <56588DBA.9070209@cubiclesoft.com>
Subject: Re: [PHP-DEV] HashDos protection

Hi Thomas,

On Sat, Nov 28, 2015 at 2:07 AM, Thomas Hruska wrote:
> I don't know if anyone has suggested this before, but why not have a
> function that application developers can call to switch hash modes and
> support multiple hash modes in the core?
>
> I've always viewed 'max_input_vars' as an emergency hack and I've run into
> the default 1,000 limit many times. When I hit that limit, I inevitably
> have to raise it to anywhere from 3,000 to 10,000 to get the target
> application to function, which, of course, puts the whole server at risk.

Because any hash function has collisions. Even if we use a stronger hash
against collisions, computers are getting faster and faster, and creating a
colliding key database becomes easier and easier. A clever person may also
find an algorithmic way to generate colliding keys in the future.

In practice, we wouldn't have problems with a max number of collisions.
A max number of collisions resolves the issue for good, and we may execute
code faster with a faster hash. I forgot the number, but SipHash is much
slower than DJB.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
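
The collision cap argued for in this message, sketched as an added example that is not part of the original post and is not PHP's hash table code. The cap value (4), the tiny 8-bucket chained table, the policy of refusing the insert once the cap is hit, and all names here are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define NBUCKETS 8        /* tiny table so chains are easy to observe */
#define MAX_COLLISIONS 4  /* assumed cap; the message gives no number */
struct entry { char key[16]; struct entry *next; };
struct table { struct entry *bucket[NBUCKETS]; int len[NBUCKETS]; };

/* DJB "times 33" string hash: fast, but not collision resistant. */
static unsigned long djb_hash(const char *s) {
    unsigned long h = 5381;
    while (*s) h = h * 33 + (unsigned char)*s++;
    return h;
}

/* 0 = stored, 1 = already present, -1 = refused (cap hit or out of memory). */
static int table_insert(struct table *t, const char *key) {
    unsigned b = djb_hash(key) % NBUCKETS;
    for (struct entry *e = t->bucket[b]; e; e = e->next)
        if (strcmp(e->key, key) == 0) return 1;
    if (t->len[b] >= MAX_COLLISIONS) return -1;  /* chain may not grow further */
    struct entry *e = calloc(1, sizeof *e);
    if (!e) return -1;
    strncpy(e->key, key, sizeof e->key - 1);
    e->next = t->bucket[b];
    t->bucket[b] = e;
    t->len[b]++;          /* len[b] bounds the cost of any lookup in bucket b */
    return 0;
}

/* Insert m constructed keys ("k0", "k8", ...) that all map to bucket b. */
static int insert_same_bucket(struct table *t, unsigned b, int m) {
    int refused = 0;
    char key[16];
    for (int i = 0, tried = 0; tried < m; i++) {
        snprintf(key, sizeof key, "k%d", i);
        if (djb_hash(key) % NBUCKETS != b) continue;
        tried++;
        if (table_insert(t, key) == -1) refused++;
    }
    return refused;       /* how many inserts the cap rejected */
}

int main(void) {
    struct table t = {0};
    int refused = insert_same_bucket(&t, 0, 10);
    printf("refused=%d chain=%d\n", refused, t.len[0]);
    return 0;
}
```

With the cap in place the chain length, and so the per-lookup cost, stays bounded however many same-bucket keys arrive, while keys for other buckets are still accepted.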