Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:96086
Return-Path: <smalyshev@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 1062 invoked from network); 21 Sep 2016 23:23:23 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 21 Sep 2016 23:23:23 -0000
Authentication-Results: pb1.pair.com header.from=smalyshev@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=smalyshev@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.218.45 as permitted sender)
X-PHP-List-Original-Sender: smalyshev@gmail.com
X-Host-Fingerprint: 209.85.218.45 mail-oi0-f45.google.com  
Received: from [209.85.218.45] ([209.85.218.45:33752] helo=mail-oi0-f45.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id DC/60-04117-96613E75 for <internals@lists.php.net>; Wed, 21 Sep 2016 19:23:23 -0400
Received: by mail-oi0-f45.google.com with SMTP id r126so78753192oib.0
        for <internals@lists.php.net>; Wed, 21 Sep 2016 16:23:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=subject:to:references:cc:from:message-id:date:user-agent
         :mime-version:in-reply-to:content-transfer-encoding;
        bh=MgjzCRezxdvEpHGG6D58Un1JliwkGC2+PfPx5KoWgDg=;
        b=b/MKhuzvU7YGwmjGbaNMiS+JZoCncB/lwoXXTQ2VCa27wSiqN3q+PCsQSwEQvuTMBK
         7T2LOoiYYOC1ryux3lDexA8SN1+yTMyTduAxTjk/z4rg/R0ciPGv6DyU35bDJ68LbgmV
         JAe4+c28e++Ck4TBbSvfS55r7+/X1LSzEqRgt1oF/q1EeXlH9rC0PO6JSguwDEL4S00d
         BnhR8r03ByC0Dr+FlCAgcZ0yVIzZg8cXB6ogzB4mgy85UXrrSLCcZVhcRGFIf9w86EaX
         zfLWrl/NTTUbxSbcPqv8phr0sjxzpTCwDg0ozXWCRy4p9h/KbGceAzsdqHmCcs7dG+mt
         1OtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:subject:to:references:cc:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-transfer-encoding;
        bh=MgjzCRezxdvEpHGG6D58Un1JliwkGC2+PfPx5KoWgDg=;
        b=ZRTw7o1INMnUSJY9/UxvxsMxk1w3g2hFSYwFyTYbw0D6galDLERMbvgiUFSW8vQd6q
         A3+xJ+7Ien8ztPodcy+z3PD6Rb+2tmXagxV3nu+BKL3fIODWqfFYetdQ/Q1vSVNt9tpQ
         zrSvw0qCwhCdoKEuwJK/Gi0pttf8rnIJwTsNffE2Xc4wg0KaEqE8YSBha3FtpTx+udn9
         v7o+VkJZYNp78YUVqGILYvz8Thd+n/eMqWZS57XyLmm6yHYp+cgFxqRVB4haSd34iQIh
         ZdeUO7YcphZYGAXuZIEj3s1RmwL6bkKQ37pDKCAGLeuXdcdhfSRGuOqbCRCpHtsXGwAi
         5EVw==
X-Gm-Message-State: AE9vXwOqNe+Yu78SE5djBqZDk/gsSGLovIOq8bOI/AMa7yEkYtSsgbOpW3EUUu4xgPXrlQ==
X-Received: by 10.202.84.67 with SMTP id i64mr525559oib.100.1474500198381;
        Wed, 21 Sep 2016 16:23:18 -0700 (PDT)
Received: from [192.168.2.102] (108-233-206-104.lightspeed.sntcca.sbcglobal.net. [108.233.206.104])
        by smtp.gmail.com with ESMTPSA id 68sm7851617otw.11.2016.09.21.16.23.17
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 21 Sep 2016 16:23:17 -0700 (PDT)
To: Nikita Popov <nikita.ppv@gmail.com>
References: <CAKws9z2EWkNNhM7tOMh-_pQ3iLjVj7hbXTB1Hh3a19utPzj-9A@mail.gmail.com>
 <e741fec3-b301-647c-b24c-dec2fa92554c@gmail.com>
 <7d5727ba-da33-e3c5-1d1f-318c45d81616@cubiclesoft.com>
 <CAKws9z38_QhH8rnshJu=SP1Aav7jhMnVR2H992+Lse7iMeQ3oA@mail.gmail.com>
 <ffc669b5-8764-3879-0c5a-d047d75c9b45@gmail.com>
 <CAGa2bXYad=5CNKUR4GTR-uB8L1Gb-2CJk5Fiperz5D_CTL+rxw@mail.gmail.com>
 <9522ebc9-8d8b-045e-b701-02f1166063e6@gmail.com>
 <CAGa2bXYNZwKrT=Ei8r1DghGjqOGiMUVPEGY31wYK9Hpt+C9XMQ@mail.gmail.com>
 <CANUQDCjcnFdPyG133z6g0DdRLZjUG=+BRhcv4Es9Z+WeoU-Prg@mail.gmail.com>
 <CAFGtT7Zd3+iRuaJtwpML3hO6Kbdu7YtnNOE14zvA78E=QiNprg@mail.gmail.com>
 <40868951-8BDA-4860-884C-B8252C1839E3@gmail.com>
 <d2080444-9a17-b3db-89fa-c383155a5756@thefsb.org>
 <CAF+90c-uFg9A2f1SVYTNgjQuFX5PkenrtXd8kf37cYoG0EfgEw@mail.gmail.com>
 <edeb9734-a3d4-bd96-f57c-fa1687473e1b@gmail.com>
Cc: PHP Internals <internals@lists.php.net>
Message-ID: <88433a67-3121-bacb-5db4-89c337914c5b@gmail.com>
Date: Wed, 21 Sep 2016 16:23:16 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0)
 Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <edeb9734-a3d4-bd96-f57c-fa1687473e1b@gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] HashDoS
From: smalyshev@gmail.com (Stanislav Malyshev)

Hi!

> I'm not so sure of this now - unless, again, I misunderstand what we're
> counting.

It just occurred to me that I possibly do misunderstand what is counted
- if the proposal is to count collisions per lookup.

I rerun my scripts with that assumption and turns out the longest
collision chain I have is about 8. So in this case - if I'm
understanding it right now - my argument about limit is wrong and
collision chain length *is* like recursion.

In which case some limit like 1000 (just random number but can be
tested) would probably be OK. The question now is would it be enough to
block DoS? I.e. if we construct data to cause 999 collisions each time
to stay just under the limit, can we still cause trouble or not? It's
still almost 1000 times slower it's supposed to be...

P.S. Sorry for the confusion and the noise, I hope I got the proposed
solution right this time.
-- 
Stas Malyshev
smalyshev@gmail.com