
Roberto Ierusalimschy <roberto@inf.puc-rio.br> writes:
>> > Moreover, a small overhead may be acceptable as a price for solving
>> > the "hash complexity attack" (that people will worry about despite all
>> > contrary evidence).
>> 
>> I thought I had read all the posts in the original thread about this
>> issue, but I don't remember any contrary evidence. Did I miss something?
>
> Probably yes. Mike Pall sent a very good message about that. The point
> is not only whether a "hash complexity attack" is doable, but that
> there are so many other ways to do a DoS attack that this one is not
> relevant. (E.g. it is very cheap to just rent botnets.)

IIRC, the original attack seemed to require a huge volume of
transactions to achieve its effect, with the result that (1) your web
server/infrastructure may already be hosed by such an attack,
regardless of your hashing scheme, and (2) it's easy to defend against
the hash attack simply by having reasonable limits at the application
level.

If those things are true, then a solution at the language level seems
wrong if it results in _any_ penalty for normal applications -- and
this is especially true for Lua, where the vast majority of
applications have nothing to do with the web or "untrusted data".

[OTOH, as you've pointed out, it's not clear that there is a penalty,
and there may be some benefit...  The issue of how to handle large
strings is interesting, and it's good to see it getting some
attention.

As I think I've mentioned previously, I'd like to be able to mmap a big
file and add it as some sort of string to Lua without copying the
contents at all.]

-miles

-- 
Politics, n. A strife of interests masquerading as a contest of
principles. The conduct of public affairs for private advantage.
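Point (2) above, application-level limits, as an added example in Lua that is not part of this thread or of Lua itself; the parser, the limit values and the sample inputs are assumptions for illustration:

```lua
-- Added example (not from the lua-l thread): application-level limits on
-- untrusted input, the defence described in point (2). The limit values
-- are illustrative assumptions, not recommendations from the thread.
local MAX_BODY_LEN = 64 * 1024   -- cap on the raw request body
local MAX_FIELDS   = 256         -- cap on distinct keys inserted into one table
local MAX_KEY_LEN  = 128         -- cap on each key's length

-- Parse "k1=v1&k2=v2" style form data into a table, rejecting input that
-- exceeds the limits before the offending key reaches a Lua table. With the
-- number of keys and their lengths bounded, the worst-case cost of the
-- table's hash part is bounded too, whatever the string hash function does.
local function parse_form(body)
  if #body > MAX_BODY_LEN then
    return nil, "body too large"
  end
  local fields, count = {}, 0
  for pair in string.gmatch(body, "[^&]+") do
    local key, value = string.match(pair, "^([^=]*)=?(.*)$")
    if #key == 0 then
      return nil, "empty key"
    elseif #key > MAX_KEY_LEN then
      return nil, "key too long"
    end
    if fields[key] == nil then          -- only count distinct keys
      count = count + 1
      if count > MAX_FIELDS then
        return nil, "too many fields"
      end
    end
    fields[key] = value
  end
  return fields
end

-- Constructed sample inputs: a normal form and one that exceeds the limits.
local ok = assert(parse_form("user=miles&lang=lua"))
assert(ok.user == "miles" and ok.lang == "lua")

local keys = {}
for i = 1, MAX_FIELDS + 1 do keys[#keys + 1] = "k" .. i .. "=x" end
local res, err = parse_form(table.concat(keys, "&"))
assert(res == nil and err == "too many fields")
print("limits enforced")
```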