[Python-Dev] Hash collision security issue (now public)

Victor Stinner victor.stinner at haypocalc.com
Sat Dec 31 03:39:45 CET 2011


> In case the watchdog is not a viable solution as I had assumed it was, I
> think it's more reasonable to indeed consider adding a flag to Python
> that allows randomization of hashes optionally before startup.

A flag will only be needed if the overhead of the fix is too high.

> However as it was said earlier, the attack is so much more complex to
> carry out on a 64-bit environment that it's probably (as it stands right
> now!) safe to ignore.

I suppose that there are still servers running 32-bit Python.

> The main problem there however is not that it's a new attack but that
> some dickheads could now make prebaked attacks against websites to
> disrupt them that might cause some negative publicity.  In general
> though there are so many more ways to DDOS a website than this that I
> would rate the whole issue very low.

There are countermeasures for low-level DDOS (ICMP ping flood, TCP syn
flood, etc.). An application (or a firewall) cannot implement a
countermeasure for this high-level issue. It can only be fixed in Python
directly (by changing the implementation of the dict type or of the hash
function).

Victor
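The point above, that the cost of colliding keys is inherent to the dict and can only be fixed in the interpreter, is illustrated by the following added example; it is not code from the thread or from CPython. It uses a constructed toy chained table that counts key comparisons, and a hypothetical `hash_randomization_enabled()` check built on `sys.flags.hash_randomization` and the `PYTHONHASHSEED` environment variable.

```python
"""Added example (not from the thread): why colliding hashes hurt a dict.

A dict resolves keys that share a hash by comparing them one by one, so
N keys that all hash alike cost O(N^2) comparisons to insert, while N keys
with distinct hashes cost O(N). The toy table counts comparisons to make
the gap visible; hash_randomization_enabled() reports whether the running
CPython interpreter salts str/bytes hashes per process (the fix discussed
in the thread, on by default since Python 3.3).
"""
import os
import sys
from collections import defaultdict


class CountingTable:
    """Minimal chained hash table that counts key comparisons."""

    def __init__(self):
        self.buckets = defaultdict(list)   # hash value -> [(key, value), ...]
        self.comparisons = 0

    def insert(self, key, value):
        chain = self.buckets[hash(key)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1           # one __eq__ call per chain entry
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


class FixedHashKey:
    """Key whose hash value is chosen by the caller (constructed for this demo)."""

    def __init__(self, name, h):
        self.name, self.h = name, h

    def __hash__(self):
        return self.h

    def __eq__(self, other):
        return isinstance(other, FixedHashKey) and self.name == other.name


def insertion_comparisons(n, colliding):
    """Comparisons needed to insert n distinct keys; all share one hash if colliding."""
    table = CountingTable()
    for i in range(n):
        table.insert(FixedHashKey(f"k{i}", 0 if colliding else i), i)
    return table.comparisons


def hash_randomization_enabled():
    """True only if hashes are salted with a per-process random seed (not a fixed one)."""
    seed = os.environ.get("PYTHONHASHSEED")
    return bool(sys.flags.hash_randomization) and seed in (None, "random")
```

With 1000 colliding keys the table performs 1000*999/2 comparisons, the quadratic behaviour a single request can trigger; with distinct hashes it performs none.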

