Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:96127 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 79917 invoked from network); 23 Sep 2016 22:21:49 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 23 Sep 2016 22:21:49 -0000 Authentication-Results: pb1.pair.com header.from=smalyshev@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=smalyshev@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.218.66 as permitted sender) X-PHP-List-Original-Sender: smalyshev@gmail.com X-Host-Fingerprint: 209.85.218.66 mail-oi0-f66.google.com Received: from [209.85.218.66] ([209.85.218.66:36137] helo=mail-oi0-f66.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 4E/B5-51000-BFAA5E75 for ; Fri, 23 Sep 2016 18:21:49 -0400 Received: by mail-oi0-f66.google.com with SMTP id i193so9690804oib.3 for ; Fri, 23 Sep 2016 15:21:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=PbnRQXxaarGC38IFPopVOn6tFGPrsIG2QxIox13QQHU=; b=S4p3ZaRbMst3nFu8hVt8vXkTYC0hRCh1dCW/glS1Pf1DOxSxf5wl3TYhIjwz2LdwyL oN0y/WK7uys6yShBKQdXtotE0GHZ60Bmt7PYoUFd9qEEbZY/LBx5Nnz24iJTfGBpYbSw aHKGUYGn9a0rCkd+OsaSLuHNLT+MPTdk6eFcotxqXtdYE3QtWth3PGBeYTSKXVJYCUIi N09JtQxHz+0EROhNUcm3dA6PxdTygDOyTFfH2n5OnBxP5zi3SM2v8uVgPAljBjDWu1KA tRoZHbX1y4hjWlA9TjyN+3TJaC3oV7E4rP6+VxZAaPccAdJLKzJS1wBzpIOqAuJQUhwe 9O6Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=PbnRQXxaarGC38IFPopVOn6tFGPrsIG2QxIox13QQHU=; b=M428lHqcMiUhaRwtkFrYL7QARpSRPLGujz1+UTYoRlupvnF86bjKkPFf+y33H6RGQq MLOcEaEuL4t76nAGvEVcpAE8cMzQ3bQU6w1bsa1nbvqMv+X0uFVq6ex80YAVNqZ1/mIP b7BF4PcRUOCVwhTVVdoIemU6aVo1OMs9dswenHUg2PaedAqz4aVp3R04jNzhMtkhQVU9 RS0JpyirxaiV2es4kon6dOqs7WLQCHJ0AQL+w7Ok2ecdz0FMKO8ZVc7PSPkydpaXIoqx NsLxEtG+4Tp0lOUg8muxwlxoOZ6XK2wF66J8NLK52YI9tRUhz3enMaCjNVNYdllFFd9w mD1Q== X-Gm-Message-State: AE9vXwOWZq8rktOSQOXsbI5pZZMjtwMjJss0zD9XaZ9dnlPsQ6eOIKTtLyg2hXkJvS1UUA== X-Received: by 10.202.4.21 with SMTP id 21mr13719695oie.91.1474669304796; Fri, 23 Sep 2016 15:21:44 -0700 (PDT) Received: from [192.168.2.102] (108-233-206-104.lightspeed.sntcca.sbcglobal.net. [108.233.206.104]) by smtp.gmail.com with ESMTPSA id x26sm2805023otd.18.2016.09.23.15.21.43 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 23 Sep 2016 15:21:44 -0700 (PDT) To: Jakub Zelenka References: <9ce33625-2737-9933-7dd1-4f7930bccfac@gmail.com> <9b0fcfa7-f4f8-bac3-5e1e-7e974f217a94@gmail.com> <5acaa405-8b76-ce00-1380-614f2f83b549@gmail.com> <67e0478d-534a-1f8a-6b4c-a95573784001@gmail.com> Cc: Bob Weinand , PHP internals list Message-ID: <7426fb32-2eb7-2c65-3cc2-140e16187bb1@gmail.com> Date: Fri, 23 Sep 2016 15:21:29 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.3.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] HashDoS From: smalyshev@gmail.com (Stanislav Malyshev) Hi! > I think there is a confusion about the "servers written in PHP". Those > applications serves more requests in a single (main) PHP request using > the even loop. Good examples of that are Aerys or ReactPHP. So we don't > want to kill that main request if one of the handled requests is > malicious (ideally we just ignore that malicious request and server others). That can't work well. PHP makes a lot of assumptions in short-lived requests, and assuming the same request lives forever is bound to cause a lot of issues - from stale objects sitting around to unoptimal memory use to eventual overflows in all kinds of counters, etc. Why not use real servers for server work? You yourself say you'll have it behind nginx or so - so why not let nginx do the server part? We have several hundred places in PHP where fatal error (E_ERROR or E_CORE_ERROR) can be produced. Of course, some of them are compile-time but not all of them. E.g., various string overflow scenarios can be triggered by combining or processing strings (such as uncompressing or decoding various formats). If you server relies on proxy to filter out all fatal error scenarios, I'm afraid it's much harder than it seems. I of course do not propose to make nginx filter JSON data. On the contrary, I propose when we have clearly malicious DoS attempt (like string overflow or hash collision overflow) to fail fast instead of trying to make right and playing whack-a-mole. We have enough fails in this are already. -- Stas Malyshev smalyshev@gmail.com