2013/10/4 <mar...@v.loewis.de>:
>
> Quoting Victor Stinner <victor.stin...@gmail.com>:
>
>> I still fail to understand the real impact of a hash DoS compared to
>> other kinds of DoS.
>
>
> I think the key question is: how many attacking nodes do you need to
> control to effectively make some system deny service. A threat is bigger
> if you can do it in 10 requests/s from a single host, instead of needing
> 10,000 hosts, each making 1000 request/s.

Correct. I know that there are some other "cheap" attacks directly at
the network layer. For example, the "spamhaus/CloudFlare" attack which
made a lot of noise ("300 Gbit/sec") used a DNS "trick":

"The traffic is being generated primarily from DNS amplification
attacks. Small requests are sent to DNS servers, generating responses
from those servers that are about 50-100 times larger."
http://arstechnica.com/security/2013/03/spamhaus-ddos-grows-to-internet-threatening-size/

In this case, you still need many computers to DoS a server (=> DDoS).

> With the hash DoS, the threat is that if you manage to fill some dictionary
> with colliding keys, then each lookup will take a very long time, and you
> might arrange to put many lookups into a single HTTP request. So a single
> HTTP request might get very costly CPU-wise.

Ok, but why should we invest time to fix this specific DoS whereas
there are other DoS like XML bomb? Why not set a limit on the CPU
time in your favorite web framework instead? I don't know the
complexity of adding sandbox-like features to a web framework. (It's
probably complex because we are discussing how to fix the issue
directly in Python :-))

> Whether this is a serious threat or not depends on what other threats
> the system being attacked is vulnerable to. Maybe there is something even
> simpler, or maybe the hash attack is the only hope of bringing the system
> to its knees.

Popular DDoS attacks are usually the simplest, like flooding the server
with ping requests, flooding the DNS server, flooding with HTTP
requests which take a lot of time to process, etc. Using a botnet, you
don't care about using an inefficient DoS attack, because your power is
the number of zombies. I have no idea of the price of renting a botnet,
it's probably expensive (and illegal as well).

> IMO, the hash attack is particularly tricky since it is very easy to
> argue and very difficult to demonstrate. So it can result in fear
> and uncertainty very easily, causing people to overreact just so that
> they won't be accused of inactivity.

It would be easy to evaluate the risk with a public exploit on a real
world application :-)

Victor
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
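
The cost described in the quoted text ("fill some dictionary with colliding keys, then each lookup will take a very long time") can be measured without timing anything, by counting key comparisons. The following is an added example, not code from the thread or from CPython; the `Key` class and both function names are hypothetical, and the collisions are forced through a custom `__hash__` rather than derived from any real string hash.

```python
# Added illustration: count __eq__ calls made by a dict when every key
# shares one hash value versus when hash values are all different.

class Key:
    """Dict key with a caller-chosen hash; counts equality comparisons."""
    eq_calls = 0

    def __init__(self, value, forced_hash):
        self.value = value
        self.forced_hash = forced_hash

    def __hash__(self):
        return self.forced_hash

    def __eq__(self, other):
        Key.eq_calls += 1
        return self.value == other.value


def make_key(i, colliding):
    # Colliding keys all hash to 0; non-colliding keys hash to their index.
    return Key(i, 0 if colliding else i)


def comparisons_to_fill(n, colliding):
    """Insert n distinct keys; return how many __eq__ calls the dict made."""
    Key.eq_calls = 0
    table = {}
    for i in range(n):
        table[make_key(i, colliding)] = None
    return Key.eq_calls


def comparisons_for_miss(n, colliding):
    """Build a dict of n keys, then count __eq__ calls for one failed lookup."""
    table = {make_key(i, colliding): None for i in range(n)}
    Key.eq_calls = 0
    found = make_key(n, colliding) in table
    assert not found
    return Key.eq_calls


if __name__ == "__main__":
    for n in (200, 400, 800):
        print(n,
              "fill colliding:", comparisons_to_fill(n, True),
              "fill distinct:", comparisons_to_fill(n, False),
              "miss colliding:", comparisons_for_miss(n, True))
```

Doubling `n` roughly quadruples the comparisons needed to fill the colliding table, while the table with distinct hashes needs almost none; that quadratic growth is what makes a single request expensive.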