Re: Hash Table Collisions (n.runs-SA-2011.004)

[William Ahern <william@...>]

On Sat, Jan 07, 2012 at 02:32:52PM +0100, Petite Abeille wrote:
<snip>
> In other news:
> 
> Are you ready for slow reading?
> https://community.qualys.com/blogs/securitylabs/2012/01/05/slow-read
> 
> How to Protect Against Slow HTTP Attacks
> https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks
> 
> The fun never ends :))

I don't see it. If you're using an O(1) polling interface like kqueue(2) or
epoll(2), then what's the problem? This would be no different than a
brute force DoS anyhow in such a case. Actually, it would be less stressful;
all you've consumed is a couple hundred bytes of Lua state plus a socket
instance.

The hash attack is fundamentally different from typical DoS attacks because
it allows you to leverage a resource multiplier _on the server side_. That
exponential multiplier is zero cost from the attacker's perspective.

Remember, the attacker has costs too. Throwing up your arms and saying that
there's nothing you can do to stop a DoS attack just isn't true. The
attacker will expend resources commensurate with his gain, whether that be
prestige, monetary, etc. The hash attack dramatically minimizes his costs,
which makes you more vulnerable.