On Tuesday 17 June 2003 09:01, Oliver Bleutgen wrote:
> I don't quite understand the nature of this DOS attack after the patch.
> You do requests with REQUEST['Zope-Version'] == <big string>.
> If I understand your code correctly (it was bash and perl after all ;))
> you create version i with a version name str(i)*500000.
> It seems (to me) that the sole cause for this DOS is that zope stores
> the version names in memory, that means you get a memory consumption for
> all version name strings of 10*500000 + 90*500000*2 which is 95.000.000
> bytes, which is roughly the 90M you reported.
The connection cache will also store a cached connection for each version. The connection is opened to *read* from the storage; no writes are needed. A more 'efficient' attack would be to use a tiny (but unique) Zope-Version string to request a page that loads a lot of zodb objects into the connection cache, for example a search page.

-- 
Toby Dickenson
http://www.geminidataloggers.com/people/tdickenson
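The thread's point is that an attacker-controlled Zope-Version value ends up as a stored version name and as the key of a per-version connection cache. The guard below is an added illustration of the defender-side check, not Zope's own code: the function name, the two bounds and the dict used as a stand-in for the connection-cache table are all assumptions.

```python
# Added example (not Zope code): bound and allow-list the Zope-Version
# request value before it can create a version name or a per-version cache.
MAX_VERSION_NAME_LEN = 64      # assumed bound; real version ids are short
MAX_DISTINCT_VERSIONS = 16     # assumed cap on live per-version caches


def select_version(requested, existing_versions, cache):
    """Return the version name to use for this request, or None to fall
    back to the main (unversioned) database.

    requested:          Zope-Version value from the request, untrusted
    existing_versions:  names of versions actually created by an admin
    cache:              dict mapping version name -> per-version cache
    """
    if not requested:
        return None
    # 1. Reject oversized values first, so a multi-megabyte string is never
    #    stored, used as a dict key, or compared against every known name.
    if len(requested) > MAX_VERSION_NAME_LEN:
        return None
    # 2. Only honor versions that really exist; an unknown name must never
    #    create a new version or a new per-version connection cache.
    if requested not in existing_versions:
        return None
    # 3. Even for real versions, cap how many per-version caches are alive
    #    at once so many unique names cannot each pin a cache in memory.
    if requested not in cache and len(cache) >= MAX_DISTINCT_VERSIONS:
        return None
    cache.setdefault(requested, {})
    return requested
```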