[Python-Dev] Make str/bytes hash algorithm pluggable?

Victor Stinner victor.stinner at gmail.com
Sat Oct 5 01:27:37 CEST 2013


2013/10/4  <martin at v.loewis.de>:
>
> Quoting Victor Stinner <victor.stinner at gmail.com>:
>
>> I still fail to understand the real impact of a hash DoS compared to
>> other kinds of DoS.
>
>
> I think the key question is: how many attacking nodes do you need to
> control to effectively make some system deny service. A threat is bigger
> if you can do it in 10 requests/s from a single host, instead of needing
> 10,000 hosts, each making 1000 requests/s.

Correct. I know that there are some other "cheap" attacks directly at
the network layer. For example, the "spamhaus/CloudFlare" attack which
made a lot of noise ("300 Gbit/sec") used a DNS "trick":

"The traffic is being generated primarily from DNS amplification
attacks. Small requests are sent to DNS servers, generating responses
from those servers that are about 50-100 times larger."
http://arstechnica.com/security/2013/03/spamhaus-ddos-grows-to-internet-threatening-size/

In this case, you still need many computers to DoS a server (=> DDoS).

> With the hash DoS, the threat is that if you manage to fill some dictionary
> with colliding keys, then each lookup will take a very long time, and you
> might arrange to put many lookups into a single HTTP request. So a single
> HTTP request might get very costly CPU-wise.

Ok, but why should we invest time to fix this specific DoS whereas
there are other DoS like XML bomb? Why not set a limit on the CPU
time in your favorite web framework instead? I don't know the
complexity of adding sandbox-like features to a web framework. (It's
probably complex because we are discussing how to fix the issue
directly in Python :-))

> Whether this is a serious threat or not depends on what other threats
> the system being attacked is vulnerable to. Maybe there is something even
> simpler, or maybe the hash attack is the only hope of bringing the system
> to its knees.

Popular DDoS attacks are usually the simplest, like flooding the server
with ping requests, flooding the DNS server, flooding with HTTP
requests which take a lot of time to process, etc. Using a botnet, you
don't care about using an inefficient DoS attack, because your power is
the number of zombies.

I have no idea of the price of renting a botnet, it's probably
expensive (and illegal as well).

> IMO, the hash attack is particularly tricky since it is very easy to
> argue and very difficult to demonstrate. So it can result in fear
> and uncertainty very easily, causing people to overreact just so that
> they won't be accused of inactivity.

It would be easy to evaluate the risk with a public exploit on a real
world application :-)

Victor