Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:96118
Return-Path: <jakub.php@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 62404 invoked from network); 23 Sep 2016 20:24:29 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 23 Sep 2016 20:24:29 -0000
Authentication-Results: pb1.pair.com smtp.mail=jakub.php@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=jakub.php@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.45 as permitted sender)
X-PHP-List-Original-Sender: jakub.php@gmail.com
X-Host-Fingerprint: 209.85.213.45 mail-vk0-f45.google.com  
Received: from [209.85.213.45] ([209.85.213.45:36604] helo=mail-vk0-f45.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 44/32-51000-C7F85E75 for <internals@lists.php.net>; Fri, 23 Sep 2016 16:24:29 -0400
Received: by mail-vk0-f45.google.com with SMTP id d8so1332263vka.3
        for <internals@lists.php.net>; Fri, 23 Sep 2016 13:24:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=+l4DtVH3zvZqIYT7vki9Hw7sg55MnH+ux9O8qECVB70=;
        b=Qflo+eljGrN/rjaFEs9hXDGNH/cg0cVyEfAWxRcyiqKr9bDqQplgo73j1Ye/cYJJT0
         XjDyf4hYzSvqDf2uJI3OGSAH7zWekpqiVSNWT0xuR2AcpsHWCPUgiL9KC8KCnw9HhFIR
         DZVd0Z8wZbumY9IJbpeZQdRq6IxihLrFLotbSWxD59eTQ36KmJ/OwX8gqpApPFEoCHUs
         G13Thh/NkUGs/oYEvK9uP3MUMdC1inPtXyUPqH+q/Uul3B5ICXTTobM4kBgkeZ1pAykU
         4AXP40Zch2aKVl+HlaAG/XPfmgIw/MFsbd6yFKlB+Q49FofrVi0nRw6zNjcb22nKsuqD
         gHEA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=+l4DtVH3zvZqIYT7vki9Hw7sg55MnH+ux9O8qECVB70=;
        b=g938Nh+O5IAp8n6qZhloZ1DqMjccPuSb45YxoVpkcH2VCOnp3ASBwWd/R75XBtjGgZ
         Z705zvPYUur1mp1AvyDVCiyJAvbeG13S4RrpnY0QPR0OI5zsW5WmZfWaIgQIdG09wpM4
         EHV1ISPkXLSZfuzEbkie2pSwXNs6xQ6mSqF7VzSkQ2l0xJNOXieKVgut+P77gCgyFn0k
         Xcw3fI0hOOEijn0DaEZcmtsBlPtULlzU2GQBZB5buNb2rfWdlCgyzboDbe3K2pmbkSos
         Ep5nCDxxoei6u6AU0G+dBlK0fPChlwFpewDQViN/p6+cpN6os9oFx8IfPgkKpPoJhMYH
         cCfg==
X-Gm-Message-State: AA6/9Rl5Y0lhaLjp/On2iCQoUdK+FjNpaaCz6QTT6IHF7cBZxUPevodjSKIOXRSp1e9Rfn9i7uz9HLAdxM0BvA==
X-Received: by 10.31.163.134 with SMTP id m128mr207904vke.70.1474662265354;
 Fri, 23 Sep 2016 13:24:25 -0700 (PDT)
MIME-Version: 1.0
Sender: jakub.php@gmail.com
Received: by 10.31.174.151 with HTTP; Fri, 23 Sep 2016 13:24:24 -0700 (PDT)
In-Reply-To: <67e0478d-534a-1f8a-6b4c-a95573784001@gmail.com>
References: <CAKws9z2EWkNNhM7tOMh-_pQ3iLjVj7hbXTB1Hh3a19utPzj-9A@mail.gmail.com>
 <d2080444-9a17-b3db-89fa-c383155a5756@thefsb.org> <CAF+90c-uFg9A2f1SVYTNgjQuFX5PkenrtXd8kf37cYoG0EfgEw@mail.gmail.com>
 <edeb9734-a3d4-bd96-f57c-fa1687473e1b@gmail.com> <CAF+90c9HTpxtY8zeKoOfjdQXTkrVQSw8fb9Ws0-Qs_xmJtttZw@mail.gmail.com>
 <9ce33625-2737-9933-7dd1-4f7930bccfac@gmail.com> <CAEKnhAGg829gi7uEBimZqdd-cTvAn4a1HmjDfEoYeLO93_L2wQ@mail.gmail.com>
 <9b0fcfa7-f4f8-bac3-5e1e-7e974f217a94@gmail.com> <CAEKnhAF9XGsLqHU5H9aKDA=jWA5iD1ou8UwOX0=OpAC8tnzXdQ@mail.gmail.com>
 <5acaa405-8b76-ce00-1380-614f2f83b549@gmail.com> <CAEKnhAG50eG4RQSRjoZGFkSF_as1DZN5OrBWadyQG-chHDuVhw@mail.gmail.com>
 <d430f3ce-38fe-bfd8-95a0-d78132f9985d@gmail.com> <BLU437-SMTP86FE3BC2E445E56074B889E2C90@phx.gbl>
 <e176001f-0ab7-6d6c-adfe-8d4a31f1337b@gmail.com> <BLU437-SMTP5652D9C5B9D2AC92E4505DE2C80@phx.gbl>
 <b653d6cd-1c3a-f531-4e4f-ccebeefbd3c3@gmail.com> <CAEKnhAHM4k4w2g0cxiNM-RH=_mvWjm8a-m7jdCL63SEvjRYQsg@mail.gmail.com>
 <67e0478d-534a-1f8a-6b4c-a95573784001@gmail.com>
Date: Fri, 23 Sep 2016 21:24:24 +0100
X-Google-Sender-Auth: WG5kR31PhKt1t2CVRovSeN4BkTw
Message-ID: <CAEKnhAFhdFdG3v2NpSRqwm3GuVLe=u=LV1bU7Rh+9F6Pjh=R+g@mail.gmail.com>
To: Stanislav Malyshev <smalyshev@gmail.com>
Cc: Bob Weinand <bobwei9@hotmail.com>, PHP internals list <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a1142d3c47d7fdb053d32906d
Subject: Re: [PHP-DEV] HashDoS
From: bukka@php.net (Jakub Zelenka)

--001a1142d3c47d7fdb053d32906d
Content-Type: text/plain; charset=UTF-8

Hi

On Fri, Sep 23, 2016 at 8:47 PM, Stanislav Malyshev <smalyshev@gmail.com>
wrote:

> Hi!
>
> > That's exactly what we don't want - let the attacker to end our request.
>
> Why not? What else you can do with this request that has clearly bad and
> maliciously constructed data?
>
>
I think there is a confusion about the "servers written in PHP". Those
applications serves more requests in a single (main) PHP request using the
even loop. Good examples of that are Aerys or ReactPHP. So we don't want to
kill that main request if one of the handled requests is malicious (ideally
we just ignore that malicious request and server others).


> > All other things like string overflows and memory limits are under our
> > control (e.g. we can set limit on the server and reject such requests)
>
> Not sure I understand what you mean. How exactly memory limits are under
> your control? If somebody sends a request that blows up your memory
> limit, how you control it? In fact, if somebody sends, say, a POST that
> goes above your post limit - how you handle it without terminating the
> request?


Usually you will have it behind proxy so you can terminate it there if the
request is too big. For example you could set client_max_body_size in
nginx. However we can't effectively catch HashDos by the size because it
can be relatively small request (see nice description of that in one of the
previous emails from Nikita...).

Cheers

Jakub

--001a1142d3c47d7fdb053d32906d--