On 29.12.2011 at 16:25, Greg Lindahl wrote:

> The researchers concluded that the best way of avoiding the problem is
> to use randomised hash functions such as those used in Perl, which
> were included after a security conference paper on the technique was
> published in 2003. CRuby 1.9 has used a similar randomisation
> technique since 2008.
>
> http://www.h-online.com/open/news/item/28C3-Denial-of-Service-attacks-on-web-applications-made-easy-1401863.html

The nodejs folks are trying to force V8 to use randomized hashes right now, because it can be easily exploited. So far Google declined to change that. Perl was also an argument there. Should the fix be in the language or in the framework is the question.

https://groups.google.com/forum/#!topic/nodejs/007S7DUm21o
http://www.youtube.com/watch?v=R2Cq3CLI6H8
Technical explanation 0m-19m or so, part about nodejs at 40m or so.

Basically, because v8 uses weak hashes for objects, you can fill up one slot of the hashtable with many entries, e.g. using a POST containing a querystring with many keys with the same hash. Operating on those keys (inserting and reading) then becomes slow as hell, which allows you to bring a nodejs server to 100% CPU usage for a long time (blocking the event loop completely) with one moderately large POST request. This is bad.

Those guys say they told Google October 18th, they got through to the v8 guys in November, and they said they don't care sooo much about DoS attacks on v8 because they're mainly interested in browserside stuff. This is bad for us.
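
The slowdown described in the message above, and the effect of a seeded hash, shown as an added example that is not part of the original thread and is not V8's or Perl's code. The chained table, both hash functions, the fixed seed and the sample keys are constructed toys for illustration.

```javascript
'use strict';

// Deliberately weak, unseeded toy hash: the sum of the char codes.
// Every permutation of the same characters lands in the same bucket.
function weakHash(key) {
  let h = 0;
  for (let i = 0; i < key.length; i++) h = (h + key.charCodeAt(i)) >>> 0;
  return h;
}

// Toy seeded hash (FNV-1a style). With a per-process random seed the bucket
// of a key cannot be computed in advance. Not a vetted keyed hash.
function seededHash(seed) {
  return function (key) {
    let h = (0x811c9dc5 ^ seed) >>> 0;
    for (let i = 0; i < key.length; i++) {
      h ^= key.charCodeAt(i);
      h = Math.imul(h, 0x01000193) >>> 0;
    }
    return (h ^ (h >>> 16)) >>> 0;
  };
}

// Insert keys into a chained hash table, counting the key comparisons the
// inserts cost and the length of the longest chain afterwards.
function measure(keys, hash, buckets = 256) {
  const table = Array.from({ length: buckets }, () => []);
  let comparisons = 0;
  for (const key of keys) {
    const chain = table[hash(key) % buckets];
    let found = false;
    for (const k of chain) {
      comparisons++;
      if (k === key) { found = true; break; }
    }
    if (!found) chain.push(key);
  }
  return { comparisons, longest: Math.max(...table.map((c) => c.length)) };
}

// Constructed sample input: n rotations of one string of n distinct chars.
function sampleKeys(n) {
  let base = '';
  for (let i = 0; i < n; i++) base += String.fromCharCode(0x100 + i);
  return Array.from({ length: n }, (_, r) => base.slice(r) + base.slice(0, r));
}

const DEMO_SEED = 0x9e3779b9; // constructed; a real runtime draws this randomly at startup
const keys = sampleKeys(512);
console.log('unseeded:', measure(keys, weakHash));
console.log('seeded:  ', measure(keys, seededHash(DEMO_SEED)));
```

With the unseeded hash all 512 keys share one chain, so the inserts cost n(n-1)/2 comparisons; with the seeded hash the same keys spread across the buckets.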