> From: Mark Thomas
>
> > While both POST-size-limiting and parameter-count-limiting are
> > both reasonable mitigating procedures, would the use of a
> > randomized-hash be something worth doing?
>
> I don't know. My instinct is that it wouldn't but I could be wrong.

Referring to https://cryptanalysis.eu/blog/2011/12/28/effective-dos-attacks-against-web-application-plattforms-hashdos/ - seems like it is at least worth considering. It leaves the hashing algorithm at O(1) in the normal case and makes it pretty difficult (depending on size of salt-space) to pick keys that will collide.

> Before changing anything, we'd need to look hard at performance
> figures and take any additional maintenance overhead into
> consideration.
>
> Performance was the reason I didn't just switch to TreeMap.

Makes sense. Worth noting that TreeMap makes all storage O(log n), so the normal case takes a hit in order to mitigate the worst case (i.e. malicious case).
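As an added illustration of the two ideas the thread weighs against each other (not code from Tomcat or from either poster, and written in Python rather than Java so it runs stand-alone), the block below puts the cheap front-line mitigations next to a seeded hash table. `parse_form_params` enforces a POST size cap and a parameter-count cap before any per-key hashing work happens, so an over-limit request costs O(1) to reject. `SeededHashMap` is a hypothetical chained table whose bucket index is a keyed hash of the key under a per-instance random seed: each operation stays O(1) in the normal case, and a set of keys that shares a bucket under one seed lands in unrelated buckets under another, which is the property the thread calls "pretty difficult to pick keys that will collide". The limit values, class and function names are all assumptions made for this example.

```python
import hashlib
import secrets
from typing import Optional
from urllib.parse import unquote_plus


class RequestTooLarge(ValueError):
    """Raised when a body or its parameter count exceeds the configured cap."""


def parse_form_params(body: bytes, max_body_bytes: int = 2 * 1024 * 1024,
                      max_param_count: int = 10000) -> dict:
    """Parse an application/x-www-form-urlencoded body into a dict while
    enforcing a POST size limit and a parameter-count limit (assumed values).
    Both checks run before or during the linear scan, so an over-limit
    request is rejected without hashing an unbounded number of keys."""
    if len(body) > max_body_bytes:
        raise RequestTooLarge(f"body of {len(body)} bytes exceeds {max_body_bytes}")
    params = {}
    count = 0
    for pair in body.split(b"&"):
        if not pair:
            continue
        count += 1
        if count > max_param_count:
            raise RequestTooLarge(f"more than {max_param_count} parameters")
        key, _, value = pair.partition(b"=")
        params[unquote_plus(key.decode("latin-1"))] = unquote_plus(value.decode("latin-1"))
    return params


class SeededHashMap:
    """Hypothetical chained hash table with a per-instance random seed.
    The bucket index is a keyed hash (BLAKE2b with the seed as key), so the
    key-to-bucket mapping cannot be predicted without the seed."""

    def __init__(self, nbuckets: int = 64, seed: Optional[bytes] = None):
        self.seed = seed if seed is not None else secrets.token_bytes(16)
        self.buckets = [[] for _ in range(nbuckets)]

    def _index(self, key: str) -> int:
        digest = hashlib.blake2b(key.encode("utf-8"), key=self.seed, digest_size=8).digest()
        return int.from_bytes(digest, "big") % len(self.buckets)

    def put(self, key: str, value) -> None:
        bucket = self.buckets[self._index(key)]
        for i, (k, _) in enumerate(bucket):
            if k == key:
                bucket[i] = (key, value)  # overwrite existing entry
                return
        bucket.append((key, value))

    def get(self, key: str, default=None):
        for k, v in self.buckets[self._index(key)]:
            if k == key:
                return v
        return default

    def longest_chain(self) -> int:
        """Worst-case probe length; stays small when keys are not adversarial."""
        return max(len(b) for b in self.buckets)


def layouts_differ(keys, seed_a: bytes, seed_b: bytes) -> bool:
    """True if the same keys land in different buckets under two seeds, i.e.
    a bucket layout computed for one seed does not carry over to another."""
    m_a, m_b = SeededHashMap(seed=seed_a), SeededHashMap(seed=seed_b)
    return any(m_a._index(k) != m_b._index(k) for k in keys)


if __name__ == "__main__":
    # constructed sample request body
    print(parse_form_params(b"user=alice&action=save&note=hello+world"))
    m = SeededHashMap()
    for i in range(1000):
        m.put(f"param{i}", i)
    print("longest chain with 1000 keys in 64 buckets:", m.longest_chain())
    print("layouts differ across seeds:",
          layouts_differ([f"k{i}" for i in range(100)], b"seed-A", b"seed-B"))
```

Usage note: the size and count caps give a hard bound on work per request regardless of the hash function, which is why they are the first line of defence; the seeded table only addresses the case where an attacker has precomputed keys for a known, fixed hash, and it costs a keyed hash per operation, which is the performance figure the thread says would need measuring.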