Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:96063 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 51326 invoked from network); 21 Sep 2016 14:49:22 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 21 Sep 2016 14:49:22 -0000 Authentication-Results: pb1.pair.com header.from=geggleto@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=geggleto@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.46 as permitted sender) X-PHP-List-Original-Sender: geggleto@gmail.com X-Host-Fingerprint: 209.85.215.46 mail-lf0-f46.google.com Received: from [209.85.215.46] ([209.85.215.46:33626] helo=mail-lf0-f46.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 38/97-04117-1FD92E75 for ; Wed, 21 Sep 2016 10:49:22 -0400 Received: by mail-lf0-f46.google.com with SMTP id b71so17354609lfg.0 for ; Wed, 21 Sep 2016 07:49:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=8DfP5h77O92wYXNku1EeXsZ5BrY2OrdqBlscJZ5qYoc=; b=ro0CZsobkIF2MWVpAeAh4arxAy9VZvc5UccRg7uomdrwU1bnAQsttjsOD06YcuRPtb 7eaDPUpL0zcCL5ZnRJoGCB7DsnlciQT/oaKxssLrEjV3ZDQ+TZUtDfIvYhOutc+9DLWd qmHXLZngxOmqhszO8ZDM433AimiC3KlrBBaiZLuyQGo/7k5Z1KCC37jI62zDRlFFRvAp KKPQACyHCSTjCmErBio4PCLIFaHTACncebEHFdG0ufoXSN1RyVBUAYSMaO59nvx4e6Hn Gkf8bWTf+pHfFXIA9xS+lTcDsJs5qIoavgwM+3DYnEBnyJTG1ZGa6LmuLjluo09kdPdf Cahg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=8DfP5h77O92wYXNku1EeXsZ5BrY2OrdqBlscJZ5qYoc=; b=UtChlpsVaU2dUVAfxaw7rEy2yblI6Mg5fumcNYLGOb6WVWF3CZgqx81xtPQdlxnpLb GSbhGS/qkaUdK1+v567SDQtL8PEdt3YE0bGjiZdPaFNPHzPs7S11SFO8BWE8A7LueOaf BEH2PJbMmLHGPjQqleh4N3DdXEgA36mE8dzjDIMKXgzxLWiK7GQeniPqOO87/xn8sVev Jd4K5sAcFC0qNfHRHHcLsGfXuq7PpWXw7/xd52q8t3poSdoXTWl1vhet9u/VlKzs1xMB uUjfoPvflwqPYUNNeSiDlqcrXVRC5AU7aSL7xKcB1riuoPxr3sN8vLZXvjfbBzaV+7BC 2/oQ== X-Gm-Message-State: AE9vXwNTE13U3npCdfy+IeHrQeN6DJS4ybEqVIChy5hcHqVg7ZDa0UBTbCZv2H2nUgs089PkRp6GDjmRaptkog== X-Received: by 10.46.5.8 with SMTP id 8mr6415244ljf.66.1474469358157; Wed, 21 Sep 2016 07:49:18 -0700 (PDT) MIME-Version: 1.0 Received: by 10.25.158.2 with HTTP; Wed, 21 Sep 2016 07:49:17 -0700 (PDT) In-Reply-To: References: <7d5727ba-da33-e3c5-1d1f-318c45d81616@cubiclesoft.com> <9522ebc9-8d8b-045e-b701-02f1166063e6@gmail.com> <40868951-8BDA-4860-884C-B8252C1839E3@gmail.com> Date: Wed, 21 Sep 2016 10:49:17 -0400 Message-ID: To: Nikita Popov Cc: Tom Worster , Rowan Collins , PHP Internals Content-Type: multipart/alternative; boundary=001a114a6de25351db053d05a623 Subject: Re: [PHP-DEV] HashDoS From: geggleto@gmail.com (Glenn Eggleton) --001a114a6de25351db053d05a623 Content-Type: text/plain; charset=UTF-8 This might be a bit off topic.... Given that you can set POST_REQUEST_SIZE in a production PHP application, how likely is it really that an app will encounter a HashDos attack? From what I gather this will require MBs to GBs of data in order to cause a DoS. From the web side, I think there are enough tools to prevent HashDos from happening... Would the issue then affect only CLI users? Sorry, if this seems like a derail, I am pretty new to the internals list. Cheers, Glenn On Wed, Sep 21, 2016 at 10:23 AM, Nikita Popov wrote: > On Wed, Sep 21, 2016 at 4:05 PM, Tom Worster wrote: > > > On 9/21/16 8:37 AM, Rowan Collins wrote: > > > >> On 21 September 2016 13:02:20 BST, Glenn Eggleton > >> wrote: > >> > >>> What if we had some sort of configuration limit on collision length? > >>> > >> > >> Previous discussions have come to the conclusion that the difference > >> between normal collision frequency and sufficient for a DoS is so large > >> that the only meaningful settings would be on or off. e.g. the proposed > >> limit is 1000, and randomly inserting millions of rows produces about > 12. > >> > >> The problem with long running applications is not that they need to > raise > >> the limit, it's that they need to handle the error gracefully if they > are > >> in fact under attack. Because hash tables are so ubiquitous in the > engine, > >> there's no guarantee that that's possible, so an attacker would have the > >> ability to crash the process with the limit turned on, or hang the CPU > with > >> the limit turned off. > >> > > > > Right. It seems like count-and-limit pushes the problem onto the user who > > then has to discriminate normal from malicious causes for rising counters > > and find appropriate actions for each. > > > > Even a sophisticated user who understands hash collision counters may not > > welcome this since it adds complexity that's hard to test and involves > > questionable heuristics. > > > > Tom > > > > Quoting a relevant part of the previous discussion: > > > Lets [try] to quantify the probability of reaching the collision limit C > with a hashtable of size N and assuming a random hash distribution. The > upper bound for this should be (N choose C) * (1/N)^(C-1), with (1/N)^(C-1) > being the probability that C elements hash to one value and (N over C) the > number of C element subsets of an N element set. For large N and N >> C we > approximate (N choose C) to (e*N/C)^C / sqrt(2pi*C). As such our upper > bound becomes N * (e/C)^C / sqrt(2pi*C). Choosing N = 2^31 (largest > possible hashtable) we get for C = 20 probability 8.9E-10 and for C = 100 > probability 2.3E-149. The patch uses C = 1000. > > In other words, it is extremely unlikely that you hit the collision limit > by accident, with non-malicious data. So no, the user does not have to > discriminate normal from malicious causes. If the limit triggers, it's > malicious. > > Nikita > --001a114a6de25351db053d05a623--