> 3. Fully hash short strings. For strings less than 128 bytes all bytes need
> to be used. This will protect against the DoS attack when combined with (1)
> above.
How about randomizing which bytes that are skipped? That would be less
intrusive but would it be good enough?
That doesn't work because as the string gets long an attacker can flip a couple of characters and get a new string with a hash crash with high probability. Even though they don't know which characters are not used they can get hash collisions just be doing a small number of random flips.
You can decide the probability with which you want someone to be able to get a hash crash by the percentage of the string that you use for the hash.
John.