On Nov 28, 2012, at 12:46 AM, Matthew Serrano wrote:

> I ran into a limit on the number of parameters submitted by a form and found 
> this:
> http://www.caucho.com/resin-4.0/changes/resin-4.0.25.xtp#POSTparameterlimitDOSProtection
> I changed my QA server to accept up to 20,000 as a workaround to my specific 
> problem (turns out I am submitting around 15k parameters). What is the risk 
> of setting this max at 20k or higher? Is it simply resource utilization or is 
> there some other risk that I should be careful to avoid? Processing my form 
> after the change was as fast as any other form in my app.

Hi Matt,

This change was in response to the "hashdos" attack that was widely publicized 
late last year.

In simplest terms, form parameters are stored in a hashtable, and hashing 
becomes CPU intensive with increasing numbers of keys and collisions.  This 
leads to a DOS attack if the number of parameters is not limited.

Google for "hashdos" or see: 

> FYI, not sure I really like the idea of submitting 20k parameters but I don't 
> think I can split this particular form into smaller sets easily…or at least 
> not quickly.

I believe we felt even 10k was unrealistically high and anyone coming close to 
that probably needed to reevaluate their form submission, but "suum cuique".


> thanks
> matt
> _______________________________________________
> resin-interest mailing list
> resin-interest@caucho.com
> http://maillist.caucho.com/mailman/listinfo/resin-interest

Paul Cowan, Software Engineer
Caucho Technology
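
Added example (not part of the original thread, and not Resin's code): a toy chained hash table in Python that counts key comparisons, showing why the hashing cost described in the reply grows quadratically when keys collide and how a parameter limit bounds it. The function names, the `all_collide` hash and the 2,000-key sample are assumptions made for illustration.

```python
# Toy chained hash table that counts key comparisons.
# Everything here (names, hash functions, limits) is constructed for the
# example and is not Resin's implementation.

def insert_all(keys, hash_fn, buckets=4096):
    """Insert keys into a chained table; return the number of comparisons."""
    table = [[] for _ in range(buckets)]
    comparisons = 0
    for key in keys:
        chain = table[hash_fn(key) % buckets]
        for existing in chain:
            comparisons += 1
            if existing == key:
                break
        else:
            chain.append(key)  # key not present yet: extend the chain
    return comparisons


def worst_case(n):
    """Comparisons when n distinct keys share one bucket: 0 + 1 + ... + (n-1)."""
    return n * (n - 1) // 2


def parse_form(pairs, max_params, hash_fn=hash):
    """Reject oversized submissions before any hashing work is done."""
    if len(pairs) > max_params:
        raise ValueError(f"{len(pairs)} parameters exceeds limit {max_params}")
    return insert_all([name for name, _ in pairs], hash_fn)


def all_collide(key):
    # Models the worst case (every key lands in the same bucket) without
    # crafting real colliding strings.
    return 0


if __name__ == "__main__":
    keys = [f"field{i}" for i in range(2000)]  # constructed sample input
    print("spread keys   :", insert_all(keys, hash))
    print("colliding keys:", insert_all(keys, all_collide))
    for limit in (10_000, 20_000):
        print(f"limit {limit}: worst case {worst_case(limit):,} comparisons")
```

Under these assumptions, raising the limit from 10,000 to 20,000 roughly quadruples the worst-case comparison count (49,995,000 to 199,990,000), while well-distributed keys stay close to linear.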
