[Python-Dev] Make str/bytes hash algorithm pluggable?

martin at v.loewis.de martin at v.loewis.de
Fri Oct 4 17:13:32 CEST 2013


Quoting Victor Stinner <victor.stinner at gmail.com>:

> I still fail to understand the real impact of a hash DoS compared to
> other kinds of DoS.

I think the key question is: how many attacking nodes do you need to
control to effectively make some system deny service. A threat is bigger
if you can do it in 10 requests/s from a single host, instead of needing
10,000 hosts, each making 1000 requests/s.

With the hash DoS, the threat is that if you manage to fill some dictionary
with colliding keys, then each lookup will take a very long time, and you
might arrange to put many lookups into a single HTTP request. So a single
HTTP request might get very costly CPU-wise.

Whether this is a serious threat or not depends on what other threats
the system being attacked is vulnerable to. Maybe there is something even
simpler, or maybe the hash attack is the only hope of bringing the system
to its knees.

IMO, the hash attack is particularly tricky since it is very easy to
argue and very difficult to demonstrate. So it can result in fear
and uncertainty very easily, causing people to overreact just so that
they won't be accused of inactivity.

Regards,
Martin
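As an added illustration (not part of Martin's mail), a constructed Python demo of the "each lookup will take a very long time" effect: a dict filled with keys that all hash to the same value versus keys with distinct hashes, counting how many equality comparisons a single missed lookup costs. The `Key` class and the counter are invented for this demo.

```python
import sys
import time

EQ_CALLS = [0]  # module-level counter of Key.__eq__ invocations

class Key:
    """Constructed dict key. With collide=True every instance hashes to the
    same constant, so all keys share one probe chain in the dict; with
    collide=False the hash follows the wrapped integer."""
    def __init__(self, n, collide):
        self.n = n
        self.collide = collide

    def __hash__(self):
        return 1 if self.collide else hash(self.n)

    def __eq__(self, other):
        EQ_CALLS[0] += 1
        return isinstance(other, Key) and self.n == other.n

def miss_lookup_eq_calls(n, collide):
    """Build a dict of n keys, then look up one key that is not present.
    Returns how many __eq__ comparisons that single miss triggered:
    n for colliding keys (a linear scan of the chain), 0 for distinct
    hashes, because the dict compares stored hashes before calling __eq__."""
    table = {Key(i, collide): i for i in range(n)}
    EQ_CALLS[0] = 0
    table.get(Key(n, collide))  # Key(n) was never inserted -> miss
    return EQ_CALLS[0]

def miss_lookup_seconds(n, collide, repeats=100):
    """Wall-clock time for `repeats` missed lookups against an n-key dict."""
    table = {Key(i, collide): i for i in range(n)}
    probe = Key(n, collide)
    start = time.perf_counter()
    for _ in range(repeats):
        table.get(probe)
    return time.perf_counter() - start

if __name__ == "__main__":
    n = 1000
    print("eq calls per miss, colliding:", miss_lookup_eq_calls(n, True))
    print("eq calls per miss, distinct: ", miss_lookup_eq_calls(n, False))
    print("100 misses, colliding: %.4fs" % miss_lookup_seconds(n, True))
    print("100 misses, distinct:  %.4fs" % miss_lookup_seconds(n, False))
    # str/bytes hashes are salted per process when this flag is 1 (the
    # mitigation the thread discusses generalising); 0 means PYTHONHASHSEED=0.
    print("hash randomization enabled:", sys.flags.hash_randomization)
```

The constant-hash case is a stand-in for an attacker-chosen colliding key set; the comparison count is what turns a cheap lookup into per-request CPU cost.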
