In case the watchdog is not a viable solution as I had assumed it was, I think it's more reasonable to indeed consider adding a flag to Python that allows randomization of hashes optionally before startup.
A flag will only be needed if the overhead of the fix is too high.
However, as it was said earlier, the attack is so much more complex to carry out on a 64-bit environment that it's probably (as it stands right now!) safe to ignore.
I suppose that there are still servers running 32-bit Python.
The main problem there however is not that it's a new attack but that some dickheads could now make prebaked attacks against websites to disrupt them that might cause some negative publicity. In general though there are so many more ways to DDOS a website than this that I would rate the whole issue very low.
There are countermeasures for low level DDOS (ICMP ping flood, TCP syn flood, etc.). An application (or a firewall) cannot implement a countermeasure for this high level issue. It can only be fixed in Python directly (by changing the implementation of the dict type or of the hash function).
Victor
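The two points discussed in this message, as an added example that is not part of the original thread: it counts the equality checks a dict performs when every key shares one hash value, and it shows that a per-process hash seed changes string hashes. The names `Key`, `comparisons_for_inserts` and `str_hash_in_child` are illustrative; `PYTHONHASHSEED` is the environment variable that later CPython releases use to control hash randomization.

```python
import os
import subprocess
import sys


class Key:
    """Dict key whose hash is chosen by the caller; counts equality checks."""
    eq_calls = 0

    def __init__(self, ident, hash_value):
        self.ident = ident
        self.hash_value = hash_value

    def __hash__(self):
        return self.hash_value

    def __eq__(self, other):
        Key.eq_calls += 1
        return self.ident == other.ident


def comparisons_for_inserts(n, colliding):
    """Insert n distinct keys into a dict; return how many __eq__ calls it took."""
    Key.eq_calls = 0
    table = {}
    for i in range(n):
        # Constructed input: either every key hashes to 0, or each to its own value.
        table[Key(i, 0 if colliding else i)] = None
    return Key.eq_calls


def str_hash_in_child(text, seed):
    """Return hash(text) from a fresh interpreter started with PYTHONHASHSEED=seed."""
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    out = subprocess.run(
        [sys.executable, "-c", "import sys; print(hash(sys.argv[1]))", text],
        env=env, capture_output=True, text=True, check=True,
    )
    return int(out.stdout)


if __name__ == "__main__":
    for n in (100, 200, 400):
        print(n, comparisons_for_inserts(n, True), comparisons_for_inserts(n, False))
    # Seed 0 disables randomization; other seeds give different, repeatable hashes.
    print("seed 0:", str_hash_in_child("python-dev", 0), str_hash_in_child("python-dev", 0))
    print("seed 1:", str_hash_in_child("python-dev", 1))
    print("seed 2:", str_hash_in_child("python-dev", 2))
```

The colliding case grows as n(n-1)/2 comparisons while the non-colliding case needs none, which is why the cost sits in the dict and hash implementation rather than in anything a firewall can see.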