Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:96064
Return-Path: <nikita.ppv@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 53212 invoked from network); 21 Sep 2016 15:00:16 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 21 Sep 2016 15:00:16 -0000
Authentication-Results: pb1.pair.com header.from=nikita.ppv@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=nikita.ppv@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.161.180 as permitted sender)
X-PHP-List-Original-Sender: nikita.ppv@gmail.com
X-Host-Fingerprint: 209.85.161.180 mail-yw0-f180.google.com  
Received: from [209.85.161.180] ([209.85.161.180:33543] helo=mail-yw0-f180.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id F1/F7-04117-F70A2E75 for <internals@lists.php.net>; Wed, 21 Sep 2016 11:00:15 -0400
Received: by mail-yw0-f180.google.com with SMTP id i129so57559555ywb.0
        for <internals@lists.php.net>; Wed, 21 Sep 2016 08:00:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=sBmLYFHx9i7laSUn/Z83Eppk95FFXi0Z8zrhB3GmMx8=;
        b=cTtg3ymv3kRxzel6g2SzJcZzrYL1BJPGhLtlOHw78crtGy7GFzfDecNx7efukYqAL9
         goGpTwi45Dnol54ojiBBngM5TEnRuRSbvXd3nclaOHPpyngP/SzaytaRF7E27/PvGiiB
         ws6K/hnZAW6ERyTuou2Mm3J3vBmYtLyH7OGI1NKHWCYPk5tGPE/+fxKgCEKMiAZ4tA+J
         q83YJ6X3YaqFCTGJ+U+oAAytYHcoh9BtXqEz7vfAbjGuhL1K2jpwJdBfAZIqLU3gCpeC
         lmPeAHF6VtzqlgwYNBzWNv4h1mr28X7WuU+erAk029UHKe/h0BsiWP2GDDaZOYwekGza
         5mdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=sBmLYFHx9i7laSUn/Z83Eppk95FFXi0Z8zrhB3GmMx8=;
        b=Fui2GNkMFQlF6+yvYKYFsyRPoiZuZwPyctnt0I7jNz2YVe/0NW3vBp+dR/P9usXmrg
         yMU/1GPXdLEwaUS+gC0CEKB0KsHzp2PdVEcritF3xNAJOdN5H6ajU/b5ix43nqnUHExK
         GAEqBw6UuB6vgCAWnr910HXc/A8cWvyrJyCsz2BBIMKvz7PNyU1O7782FF2B7JgcUYZe
         TZ5VU5mXkOckOJlNPQej8r1j3R4FrJzIRCZX86s1MuURtDruIw+BiXcw86MhfYMrbNKp
         jQtNn3wgVZnoaAo341qbomCTldxH/xlMthYtQ3NmrLZ4anr7V3or3ZDKvGUEBWw7GCgD
         zbnQ==
X-Gm-Message-State: AE9vXwOl3v8HrIokhtjHtVw6J24xLCqmLDuW9MDBDSI6shiwSQsGhsjbZfiJb9sROXtunMab4s1rJvDeuhco7g==
X-Received: by 10.13.239.6 with SMTP id y6mr35048151ywe.315.1474470012401;
 Wed, 21 Sep 2016 08:00:12 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.215.150 with HTTP; Wed, 21 Sep 2016 08:00:11 -0700 (PDT)
In-Reply-To: <CAFGtT7YCm+y7aOqqaTP1i_XeFT-TU0kfCF-RCC6TXcZeAzgsxA@mail.gmail.com>
References: <CAKws9z2EWkNNhM7tOMh-_pQ3iLjVj7hbXTB1Hh3a19utPzj-9A@mail.gmail.com>
 <e741fec3-b301-647c-b24c-dec2fa92554c@gmail.com> <7d5727ba-da33-e3c5-1d1f-318c45d81616@cubiclesoft.com>
 <CAKws9z38_QhH8rnshJu=SP1Aav7jhMnVR2H992+Lse7iMeQ3oA@mail.gmail.com>
 <ffc669b5-8764-3879-0c5a-d047d75c9b45@gmail.com> <CAGa2bXYad=5CNKUR4GTR-uB8L1Gb-2CJk5Fiperz5D_CTL+rxw@mail.gmail.com>
 <9522ebc9-8d8b-045e-b701-02f1166063e6@gmail.com> <CAGa2bXYNZwKrT=Ei8r1DghGjqOGiMUVPEGY31wYK9Hpt+C9XMQ@mail.gmail.com>
 <CANUQDCjcnFdPyG133z6g0DdRLZjUG=+BRhcv4Es9Z+WeoU-Prg@mail.gmail.com>
 <CAFGtT7Zd3+iRuaJtwpML3hO6Kbdu7YtnNOE14zvA78E=QiNprg@mail.gmail.com>
 <40868951-8BDA-4860-884C-B8252C1839E3@gmail.com> <d2080444-9a17-b3db-89fa-c383155a5756@thefsb.org>
 <CAF+90c-uFg9A2f1SVYTNgjQuFX5PkenrtXd8kf37cYoG0EfgEw@mail.gmail.com> <CAFGtT7YCm+y7aOqqaTP1i_XeFT-TU0kfCF-RCC6TXcZeAzgsxA@mail.gmail.com>
Date: Wed, 21 Sep 2016 17:00:11 +0200
Message-ID: <CAF+90c9bw5bSfVg7WxoZTDdkYtn8uAW8TyiGo6PzS-Cojv8QOA@mail.gmail.com>
To: Glenn Eggleton <geggleto@gmail.com>
Cc: Tom Worster <fsb@thefsb.org>, Rowan Collins <rowan.collins@gmail.com>, 
	PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=94eb2c034e08524168053d05cddf
Subject: Re: [PHP-DEV] HashDoS
From: nikita.ppv@gmail.com (Nikita Popov)

--94eb2c034e08524168053d05cddf
Content-Type: text/plain; charset=UTF-8

On Wed, Sep 21, 2016 at 4:49 PM, Glenn Eggleton <geggleto@gmail.com> wrote:

> This might be a bit off topic....
>
> Given that you can set POST_REQUEST_SIZE in a production PHP application,
> how likely is it really that an app will encounter a HashDos attack?
>
> From what I gather this will require MBs to GBs of data in order to cause
> a DoS.
>
> From the web side, I think there are enough tools to prevent HashDos from
> happening...
>
> Would the issue then affect only CLI users?
>
> Sorry, if this seems like a derail, I am pretty new to the internals list.
>
> Cheers, Glenn
>

Again quoting previous thread:

> This DOS vulnerability is efficient: A 700kb payload can easily take 5
CPU seconds to process on PHP 7 and from there it goes up quadratically
(i.e. 1.4MB payload takes 20 seconds etc)

I don't remember exactly under what circumstances these numbers are
correct. I think the sizes refer to JSON payloads and the system is a
recent gen i5. So for the default post_max_size of 8M = approx 11*700kb we
get an expected execution time of 5*(11)^2 seconds, which is about 10
minutes. Of course, the execution time limit will trigger before that :)

So unless your post data size limit is very small or you perform additional
size validation on JSON data (and other data) you receive, this attack is
quite practical and not just a theoretical concern :)

Nikita

--94eb2c034e08524168053d05cddf--