On Wed, Sep 21, 2016 at 4:49 PM, Glenn Eggleton <geggl...@gmail.com> wrote:

> This might be a bit off topic....
> Given that you can set POST_REQUEST_SIZE in a production PHP application,
> how likely is it really that an app will encounter a HashDos attack?
> From what I gather this will require MBs to GBs of data in order to cause
> a DoS.
> From the web side, I think there are enough tools to prevent HashDos from
> happening...
> Would the issue then affect only CLI users?
> Sorry, if this seems like a derail, I am pretty new to the internals list.
> Cheers, Glenn

Again quoting previous thread:

> This DOS vulnerability is efficient: A 700kb payload can easily take 5
CPU seconds to process on PHP 7 and from there it goes up quadratically
(i.e. 1.4MB payload takes 20 seconds etc)

I don't remember exactly under what circumstances these numbers are
correct. I think the sizes refer to JSON payloads and the system is a
recent gen i5. So for the default post_max_size of 8M = approx 11*700kb we
get an expected execution time of 5*(11)^2 seconds, which is about 10
minutes. Of course, the execution time limit will trigger before that :)

So unless your post data size limit is very small or you perform additional
size validation on JSON data (and other data) you receive, this attack is
quite practical and not just a theoretical concern :)


Reply via email to