lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

HyperHacker wrote:
> On that note, I'm curious if creating hash collisions is feasible in a
> real server. Most servers will reject requests that contain too many
> headers, or that are too long. How many collisions can an attacker
> really create if the number and length of headers is very limited?

In the video they used POST-requests and they are often limited to a few
megabytes (2 or 8 MB). In some implementations that would be enough to
keep a modern CPU busy for 11 hours. But the more serious limit for the
attack wasn't the input limit but the timeout after which the process
for a request got killed.

If a request was allowed to run one minute they needed only 500,000
bytes to keep the server busy for that minute. (I guess that was for
PHP). They had more numbers depending on the language implementation and
on the CPU they used for those tests, some were quite bad.

(I might have mistaken a few numbers. If in doubt look at the video).