Newsgroups: php.internals
From: Rowan Collins <rowan.collins@gmail.com>
To: PHP Internals <internals@lists.php.net>
Date: Wed, 21 Sep 2016 13:37:29 +0100
Subject: Re: [PHP-DEV] HashDoS
Message-ID: <40868951-8BDA-4860-884C-B8252C1839E3@gmail.com>
References: <7d5727ba-da33-e3c5-1d1f-318c45d81616@cubiclesoft.com> <9522ebc9-8d8b-045e-b701-02f1166063e6@gmail.com>

On 21 September 2016 13:02:20 BST, Glenn Eggleton wrote:
> What if we had some sort of configuration limit on collision length?

Previous discussions have come to the conclusion that the difference between normal collision frequency and sufficient for a DoS is so large that the only meaningful settings would be on or off. E.g. the proposed limit is 1000, and randomly inserting millions of rows produces about 12.

The problem with long running applications is not that they need to raise the limit, it's that they need to handle the error gracefully if they are in fact under attack. Because hash tables are so ubiquitous in the engine, there's no guarantee that that's possible, so an attacker would have the ability to crash the process with the limit turned on, or hang the CPU with the limit turned off.

Regards,

-- 
Rowan Collins
[IMSoP]
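The gap Rowan describes, between the chain lengths random input produces and the proposed limit of 1000, is easy to see on a toy chained hash table. The following is an added illustration and is not code from the PHP engine or from anyone in this thread; it uses a deterministic blake2b-based bucket hash (an assumption, chosen for reproducibility) and a configurable per-bucket limit that raises an error instead of letting a chain grow unbounded. The `degenerate_hash` used to exercise the limit simply sends every key to bucket 0; it stands in for "all keys land in one bucket" and is not a collision construction for any real hash function.

```python
"""Toy chained hash table with a per-bucket collision-length limit.

Added example, not PHP engine code: models the on/off "collision limit"
from the thread. Random keys spread over buckets and the longest chain
stays tiny; only a degenerate distribution ever reaches the limit.
"""
import hashlib
import random
from collections import defaultdict
from typing import Callable, Optional


class CollisionLimitExceeded(Exception):
    """Raised when one bucket's chain would grow past the configured limit."""


def blake2b_hash(key: bytes) -> int:
    """Deterministic 64-bit hash so the demonstration is reproducible (assumption)."""
    return int.from_bytes(hashlib.blake2b(key, digest_size=8).digest(), "little")


def degenerate_hash(key: bytes) -> int:
    """Stand-in for a worst-case input where every key hits the same bucket."""
    return 0


class ChainedHashTable:
    def __init__(self, n_buckets: int, limit: Optional[int] = 1000,
                 hash_func: Callable[[bytes], int] = blake2b_hash) -> None:
        self.n_buckets = n_buckets
        self.limit = limit              # None means the limit is turned off
        self.hash_func = hash_func
        self.buckets = defaultdict(list)
        self.max_chain = 0              # longest chain seen so far

    def insert(self, key: bytes, value) -> None:
        idx = self.hash_func(key) % self.n_buckets
        chain = self.buckets[idx]
        # Linear scan of the chain: this is the work that balloons when
        # many keys share a bucket, which is what the limit bounds.
        for i, (k, _) in enumerate(chain):
            if k == key:
                chain[i] = (key, value)
                return
        if self.limit is not None and len(chain) >= self.limit:
            raise CollisionLimitExceeded(
                f"bucket {idx} already holds {len(chain)} keys (limit {self.limit})")
        chain.append((key, value))
        self.max_chain = max(self.max_chain, len(chain))


def max_chain_for_random_keys(n_keys: int, n_buckets: int, seed: int = 1) -> int:
    """Insert n_keys pseudo-random keys (constructed input) with the limit off
    and return the longest chain observed."""
    rng = random.Random(seed)
    table = ChainedHashTable(n_buckets, limit=None)
    for _ in range(n_keys):
        table.insert(rng.getrandbits(64).to_bytes(8, "little"), None)
    return table.max_chain


def inserts_before_limit_fires(limit: int) -> int:
    """With every key in one bucket, count inserts accepted before the
    limit raises. Expected to equal `limit` exactly."""
    table = ChainedHashTable(16, limit=limit, hash_func=degenerate_hash)
    accepted = 0
    try:
        while True:
            table.insert(b"key-%d" % accepted, accepted)
            accepted += 1
    except CollisionLimitExceeded:
        return accepted


if __name__ == "__main__":
    print("longest chain, 200k random keys:", max_chain_for_random_keys(200_000, 1 << 18))
    print("inserts accepted under a limit of 50:", inserts_before_limit_fires(50))
```

Two hundred thousand random keys over 2^18 buckets yield a longest chain in the single digits, nowhere near 1000, which is why a tunable threshold has no useful middle ground. The degenerate case shows the other half of the point: the limit does fire, but it fires as an exception that the caller must be prepared to catch, and in an engine where hash tables are everywhere that caller may not exist.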