Newsgroups: php.internals
Subject: Re: [PHP-DEV] HashDoS
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Nikita Popov
Cc: PHP Internals
Date: Wed, 21 Sep 2016 16:23:16 -0700
Message-ID: <88433a67-3121-bacb-5db4-89c337914c5b@gmail.com>
References: <7d5727ba-da33-e3c5-1d1f-318c45d81616@cubiclesoft.com> <9522ebc9-8d8b-045e-b701-02f1166063e6@gmail.com> <40868951-8BDA-4860-884C-B8252C1839E3@gmail.com>

Hi!

> I'm not so sure of this now - unless, again, I misunderstand what we're
> counting.

It just occurred to me that I possibly do misunderstand what is counted - if the proposal is to count collisions per lookup. I reran my scripts with that assumption, and it turns out the longest collision chain I have is about 8. So in this case - if I'm understanding it right now - my argument about the limit is wrong, and collision chain length *is* like recursion. In which case some limit like 1000 (just a random number, but it can be tested) would probably be OK.
The question now is: would it be enough to block DoS? I.e., if we construct data to cause 999 collisions each time to stay just under the limit, can we still cause trouble or not? It's still almost 1000 times slower than it's supposed to be...

P.S. Sorry for the confusion and the noise, I hope I got the proposed solution right this time.

-- 
Stas Malyshev
smalyshev@gmail.com
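As an added illustration of the per-lookup collision counting discussed in this message (example code written for this page; it is not PHP's engine code and not the proposal under discussion), the C program below keeps a chained hash table whose insert counts the bucket entries it walks past and bails out once that chain reaches a limit, the way a recursion-depth guard does. The bucket count, the `CHAIN_LIMIT` of 1000 (the figure floated above, used here as an assumption), and the deliberately weak length-based `toy_hash` are all assumptions chosen so that colliding keys are trivial to construct for the demonstration; PHP's real hash function is different. `miss_cost_in_saturated_bucket` measures the worry raised in the message: a bucket filled as far as the limiter allows still costs about `CHAIN_LIMIT` string compares per lookup.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not PHP's engine code: a chained hash table whose insert
 * counts the entries it walks past (the collision chain for that one lookup)
 * and refuses the insert once the chain reaches CHAIN_LIMIT. Bucket count,
 * limit and hash function are assumptions made for the demonstration. */

#define NBUCKETS    64
#define CHAIN_LIMIT 1000   /* the limit floated in the email, used as an assumption */

typedef struct entry {
    char *key;
    struct entry *next;
} entry;

typedef struct {
    entry *buckets[NBUCKETS];
} htable;

/* Deliberately weak toy hash (the key's length) so that colliding keys are
 * trivial to build here. It is NOT PHP's hash function. */
static unsigned toy_hash(const char *key) {
    return (unsigned)strlen(key);
}

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Returns 0 = inserted, 1 = key already present, -1 = refused because the
 * collision chain walked for this insert reached CHAIN_LIMIT. */
int ht_insert(htable *t, const char *key) {
    unsigned idx = toy_hash(key) % NBUCKETS;
    size_t chain = 0;
    for (entry *e = t->buckets[idx]; e; e = e->next) {
        if (strcmp(e->key, key) == 0) return 1;
        if (++chain >= CHAIN_LIMIT) return -1;   /* bail out like a recursion limit */
    }
    entry *e = malloc(sizeof *e);
    if (!e) return -1;
    e->key = dup_str(key);
    e->next = t->buckets[idx];                    /* prepend to the bucket's chain */
    t->buckets[idx] = e;
    return 0;
}

/* Look a key up; *steps receives how many chain entries were compared, which
 * is the per-lookup cost that colliding keys inflate. Returns 1 if found. */
int ht_lookup(const htable *t, const char *key, size_t *steps) {
    unsigned idx = toy_hash(key) % NBUCKETS;
    size_t n = 0;
    for (entry *e = t->buckets[idx]; e; e = e->next) {
        n++;
        if (strcmp(e->key, key) == 0) { *steps = n; return 1; }
    }
    *steps = n;
    return 0;
}

void ht_free(htable *t) {
    for (unsigned i = 0; i < NBUCKETS; i++) {
        entry *e = t->buckets[i];
        while (e) { entry *next = e->next; free(e->key); free(e); e = next; }
        t->buckets[i] = NULL;
    }
}

/* Insert `count` distinct 8-character keys (constructed input; all hash to the
 * same bucket under toy_hash). Returns how many inserts the limiter allowed. */
size_t insert_colliding(htable *t, size_t count) {
    char key[16];
    size_t ok = 0;
    for (size_t i = 0; i < count; i++) {
        snprintf(key, sizeof key, "%08zu", i);
        if (ht_insert(t, key) == 0) ok++;
    }
    return ok;
}

/* The "just under the limit" case from the email: fill one bucket as far as
 * the limiter allows, then measure a lookup that misses in that bucket. */
size_t miss_cost_in_saturated_bucket(void) {
    htable t = {{0}};
    size_t steps = 0;
    insert_colliding(&t, CHAIN_LIMIT);
    ht_lookup(&t, "99999999", &steps);   /* length 8 -> same bucket, never inserted */
    ht_free(&t);
    return steps;
}

int main(void) {
    htable t = {{0}};
    printf("inserts allowed out of %d colliding keys: %zu\n",
           CHAIN_LIMIT + 1, insert_colliding(&t, CHAIN_LIMIT + 1));
    ht_free(&t);
    printf("compares for one miss in a bucket at the limit: %zu\n",
           miss_cost_in_saturated_bucket());
    return 0;
}
```

The limiter does what the message hopes: the 1001st colliding key is refused, so a chain can never grow without bound. It also shows the residual cost the message worries about: every lookup that lands in a bucket filled to the limit still performs about 1000 compares, so a per-lookup chain limit caps the blow-up at roughly the limit rather than removing it.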