Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:96118 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 62404 invoked from network); 23 Sep 2016 20:24:29 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 23 Sep 2016 20:24:29 -0000 Authentication-Results: pb1.pair.com smtp.mail=jakub.php@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=jakub.php@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.45 as permitted sender) X-PHP-List-Original-Sender: jakub.php@gmail.com X-Host-Fingerprint: 209.85.213.45 mail-vk0-f45.google.com Received: from [209.85.213.45] ([209.85.213.45:36604] helo=mail-vk0-f45.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 44/32-51000-C7F85E75 for ; Fri, 23 Sep 2016 16:24:29 -0400 Received: by mail-vk0-f45.google.com with SMTP id d8so1332263vka.3 for ; Fri, 23 Sep 2016 13:24:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=+l4DtVH3zvZqIYT7vki9Hw7sg55MnH+ux9O8qECVB70=; b=Qflo+eljGrN/rjaFEs9hXDGNH/cg0cVyEfAWxRcyiqKr9bDqQplgo73j1Ye/cYJJT0 XjDyf4hYzSvqDf2uJI3OGSAH7zWekpqiVSNWT0xuR2AcpsHWCPUgiL9KC8KCnw9HhFIR DZVd0Z8wZbumY9IJbpeZQdRq6IxihLrFLotbSWxD59eTQ36KmJ/OwX8gqpApPFEoCHUs G13Thh/NkUGs/oYEvK9uP3MUMdC1inPtXyUPqH+q/Uul3B5ICXTTobM4kBgkeZ1pAykU 4AXP40Zch2aKVl+HlaAG/XPfmgIw/MFsbd6yFKlB+Q49FofrVi0nRw6zNjcb22nKsuqD gHEA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=+l4DtVH3zvZqIYT7vki9Hw7sg55MnH+ux9O8qECVB70=; b=g938Nh+O5IAp8n6qZhloZ1DqMjccPuSb45YxoVpkcH2VCOnp3ASBwWd/R75XBtjGgZ Z705zvPYUur1mp1AvyDVCiyJAvbeG13S4RrpnY0QPR0OI5zsW5WmZfWaIgQIdG09wpM4 EHV1ISPkXLSZfuzEbkie2pSwXNs6xQ6mSqF7VzSkQ2l0xJNOXieKVgut+P77gCgyFn0k Xcw3fI0hOOEijn0DaEZcmtsBlPtULlzU2GQBZB5buNb2rfWdlCgyzboDbe3K2pmbkSos Ep5nCDxxoei6u6AU0G+dBlK0fPChlwFpewDQViN/p6+cpN6os9oFx8IfPgkKpPoJhMYH cCfg== X-Gm-Message-State: AA6/9Rl5Y0lhaLjp/On2iCQoUdK+FjNpaaCz6QTT6IHF7cBZxUPevodjSKIOXRSp1e9Rfn9i7uz9HLAdxM0BvA== X-Received: by 10.31.163.134 with SMTP id m128mr207904vke.70.1474662265354; Fri, 23 Sep 2016 13:24:25 -0700 (PDT) MIME-Version: 1.0 Sender: jakub.php@gmail.com Received: by 10.31.174.151 with HTTP; Fri, 23 Sep 2016 13:24:24 -0700 (PDT) In-Reply-To: <67e0478d-534a-1f8a-6b4c-a95573784001@gmail.com> References: <9ce33625-2737-9933-7dd1-4f7930bccfac@gmail.com> <9b0fcfa7-f4f8-bac3-5e1e-7e974f217a94@gmail.com> <5acaa405-8b76-ce00-1380-614f2f83b549@gmail.com> <67e0478d-534a-1f8a-6b4c-a95573784001@gmail.com> Date: Fri, 23 Sep 2016 21:24:24 +0100 X-Google-Sender-Auth: WG5kR31PhKt1t2CVRovSeN4BkTw Message-ID: To: Stanislav Malyshev Cc: Bob Weinand , PHP internals list Content-Type: multipart/alternative; boundary=001a1142d3c47d7fdb053d32906d Subject: Re: [PHP-DEV] HashDoS From: bukka@php.net (Jakub Zelenka) --001a1142d3c47d7fdb053d32906d Content-Type: text/plain; charset=UTF-8 Hi On Fri, Sep 23, 2016 at 8:47 PM, Stanislav Malyshev wrote: > Hi! > > > That's exactly what we don't want - let the attacker to end our request. > > Why not? What else you can do with this request that has clearly bad and > maliciously constructed data? > > I think there is a confusion about the "servers written in PHP". Those applications serves more requests in a single (main) PHP request using the even loop. Good examples of that are Aerys or ReactPHP. So we don't want to kill that main request if one of the handled requests is malicious (ideally we just ignore that malicious request and server others). > > All other things like string overflows and memory limits are under our > > control (e.g. we can set limit on the server and reject such requests) > > Not sure I understand what you mean. How exactly memory limits are under > your control? If somebody sends a request that blows up your memory > limit, how you control it? In fact, if somebody sends, say, a POST that > goes above your post limit - how you handle it without terminating the > request? Usually you will have it behind proxy so you can terminate it there if the request is too big. For example you could set client_max_body_size in nginx. However we can't effectively catch HashDos by the size because it can be relatively small request (see nice description of that in one of the previous emails from Nikita...). Cheers Jakub --001a1142d3c47d7fdb053d32906d--