[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: Re: Real-World Impact of Hash DoS in Lua
- From: Jay Carlson <nop@...>
- Date: Fri, 20 Jan 2012 11:23:54 +0000
On Thu, Jan 19, 2012 at 6:15 PM, John Graham-Cumming <jgc@jgc.org> wrote:
> On Thu, Jan 19, 2012 at 18:02, Roberto Ierusalimschy
> <roberto@inf.puc-rio.br> wrote:
>> [hash collision resistance]
> OK. Cool. This is a showstopper for the company I am working with for
> rolling out embedded Lua with nginx.
I think showstopper might be a bit strong, given all the other DoS
attacks you are probably not defending against. Keeping other O(n^2)
small by keeping n small is a good idea. Setting a reasonably short
alarm()/itimer watchdog to mark bedtime for any particular request is
good too. (I liked the idea of turning all opcodes into RETURNs.)
Depending on the kind of time being measured, this can also help
against other kinds of resource exhaustion such as running out of
memory, IOPS, or entropy.
The reason the web works is that "500 I'm Having A Bad Day" is not the
end of the world. And if somebody is DoSing the server, the server is
being honest.
Lua should make it hard to get a generalizable technique for a big
amplification of work. (This is why I still think seeded
content-dependent sampling might help if we're limited to touching the
hash function--and you can always turn the existing big string
threshold up to MAXINT.) But I worry you're planning in terms of
prevention rather than cost.
Jay
