- Subject: Re: [ANN] Lua 5.2.1 (work1) now available
- From: David Heiko Kolf <kolf@...>
- Date: Fri, 23 Mar 2012 07:45:15 +0100
Miles Bader wrote:
> Roberto Ierusalimschy <roberto@inf.puc-rio.br> writes:
>> Probably yes. Mike Pall sent a very good message about that. The point
>> is not only whether a "hash complexity attack" is doable, but that
>> there are so many other ways to do a DoS attack that this one is not
>> relevant. (E.g. it is very cheap to just rent botnets.)
>
> IIRC, the original attack seemed to require a huge volume of
> transactions to achieve its effect, with the result that (1) your web
> server/infrastructure may already be hosed by such an attack,
> regardless of your hashing scheme, and (2) it's easy to defend against
> the hash attack simply by having reasonable limits at the application
> level.
David Favro published some tests:
<http://lua-users.org/lists/lua-l/2012-01/msg00148.html>
For 2 MB he could keep a process busy for 359 seconds. Nowadays that
probably isn't much traffic and the average internet connection could do
that. Renting a botnet... well, it might be cheap, but I still think the
barrier for that is a lot higher than for just sending 2 MB.
Depending on what you want to do, defending at the application level can
be quite hard. If you need to parse a huge JSON dataset or several small
messages that don't get garbage collected before a critical mass is
reached, there is not much you can do.
> If those things are true, then a solution at the language level seems
> wrong if it results in _any_ penalty for normal applications -- and
> this is especially true for Lua, where the vast majority of
> applications have nothing to do with the web or "untrusted data".
I agree; for server applications a patch or a compile-time option could
be used to create a robust Lua interpreter.
-- David