Newsgroups: php.internals
Subject: Re: [PHP-DEV] HashDoS
From: nikita.ppv@gmail.com (Nikita Popov)
Date: Wed, 21 Sep 2016 17:00:11 +0200
To: Glenn Eggleton
Cc: Tom Worster, Rowan Collins, PHP Internals

On Wed, Sep 21, 2016 at 4:49 PM, Glenn Eggleton wrote:

> This might be a bit off topic....
>
> Given that you can set POST_REQUEST_SIZE in a production PHP application,
> how likely is it really that an app will encounter a HashDos attack?
>
> From what I gather this will require MBs to GBs of data in order to cause
> a DoS.
>
> From the web side, I think there are enough tools to prevent HashDos from
> happening...
>
> Would the issue then affect only CLI users?
>
> Sorry, if this seems like a derail, I am pretty new to the internals list.
>
> Cheers, Glenn

Again quoting previous thread:

> This DOS vulnerability is efficient: A 700kb payload can easily take 5 CPU
> seconds to process on PHP 7 and from there it goes up quadratically (i.e.
> 1.4MB payload takes 20 seconds etc)

I don't remember exactly under what circumstances these numbers are correct.
I think the sizes refer to JSON payloads and the system is a recent gen i5. So for the default post_max_size of 8M = approx 11*700kb we get an expected execution time of 5*(11)^2 seconds, which is about 10 minutes. Of course, the execution time limit will trigger before that :)

So unless your post data size limit is very small or you perform additional size validation on JSON data (and other data) you receive, this attack is quite practical and not just a theoretical concern :)

Nikita
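The "additional size validation on JSON data" that the reply recommends, as an added example that is not code from the thread or from PHP itself. PHP's own max_input_vars cap applies to form-encoded $_GET/$_POST/$_COOKIE parsing, not to json_decode(), so a JSON endpoint needs its own bound on the body before the decoder builds a hash table from it. The limit values, the helper names and the stream parameter (php://memory here, php://input in a real request) are assumptions for the demonstration.

```php
<?php
// Added example (not from the thread): bound a JSON request body at an
// application-chosen limit well below post_max_size (8M by default) and
// refuse it before json_decode() ever runs. All limits below are assumptions.

const MAX_JSON_BODY_BYTES = 64 * 1024; // assumed per-endpoint limit
const MAX_JSON_DEPTH      = 32;        // assumed nesting limit

/**
 * Read at most $maxBytes from $stream (php://input in production).
 * Reading in chunks and stopping early means an oversized body is never
 * fully buffered, let alone decoded. Returns null when the limit is exceeded.
 */
function read_bounded_body($stream, int $maxBytes): ?string
{
    $body = '';
    while (!feof($stream)) {
        $chunk = fread($stream, 8192);
        if ($chunk === false) {
            return null;
        }
        $body .= $chunk;
        if (strlen($body) > $maxBytes) {
            return null; // over the limit: reject before any parsing
        }
    }
    return $body;
}

/**
 * Decode only a body that passed the size check. Returns an array on success,
 * null on a size, depth or syntax failure.
 */
function decode_bounded_json($stream, int $maxBytes = MAX_JSON_BODY_BYTES, int $maxDepth = MAX_JSON_DEPTH): ?array
{
    $body = read_bounded_body($stream, $maxBytes);
    if ($body === null) {
        return null;
    }
    $data = json_decode($body, true, $maxDepth);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        return null;
    }
    return $data;
}

/**
 * Cheap early rejection from the Content-Length header. The header is only a
 * hint from the client; the bounded read above is the check that actually holds.
 */
function content_length_exceeds(array $server, int $maxBytes): bool
{
    return isset($server['CONTENT_LENGTH']) && (int) $server['CONTENT_LENGTH'] > $maxBytes;
}

// Constructed in-memory streams stand in for php://input for the demonstration.
function stream_from(string $s)
{
    $h = fopen('php://memory', 'r+b');
    fwrite($h, $s);
    rewind($h);
    return $h;
}

// A small, well-formed body within a 1 KB limit is decoded normally.
$small = stream_from('{"user":"alice","items":[1,2,3]}');
var_dump(decode_bounded_json($small, 1024));

// A constructed 2 KB body against the same 1 KB limit is refused before json_decode().
$big = stream_from('{"k":"' . str_repeat('x', 2048) . '"}');
var_dump(decode_bounded_json($big, 1024));
```

Checking content_length_exceeds($_SERVER, MAX_JSON_BODY_BYTES) first lets a handler answer with 413 without reading anything, but because the header is attacker-controlled, read_bounded_body() remains the enforcement point. The limit should be chosen per endpoint from the largest legitimate document it must accept, not derived from post_max_size, which as the reply's arithmetic shows is far too generous to bound the quadratic cost on its own.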