[Python-Dev] Make str/bytes hash algorithm pluggable?

"Martin v. Löwis" martin at v.loewis.de
Sat Oct 5 14:01:16 CEST 2013


On 05.10.13 01:27, Victor Stinner wrote:
> Ok, but why should we invest time to fix this specific DoS whereas
> there are other DoS like XML bomb?

That is a question about the very mechanics of free software.
"We" don't need to invest time into anything (and you may have
noticed that I lately actually don't :-) If you think this is
a waste of time, just sit back and watch it evolve - it's Christian's
time that may get wasted (and the time of anybody who chooses to
respond). He is writing a PEP, and the same question can be asked
about any feature that goes into Python: Why this feature, and not
a different one? FWIW, I personally think that a lot of effort was
wasted in micro-optimizing the Unicode implementation :-)

If you actually think that changing this aspect of Python is a
bad idea, then you do need to get involved actively opposing
the PEP. I personally think that this "pluggable hash function"
stuff is a bad idea. Changing the hash function is ok as long
as it doesn't get dramatically slower.

> Why not setting a limit on the CPU
> time in your favorite web framework instead?

Because that is not implementable, in general, and might harm the
service. If you disagree about the non-implementability, please
propose a specific technology to limit the CPU consumption *per
HTTP request*. It might harm the service because /some/ requests
might be eligible to high CPU cost. So put in your sandbox technology
a mechanism to white-list specific URLs, or to have the CPU limit
depend on the URL that is being requested.

> Popular DDoS attacks are usually the simplest, like flooding the server
> with ping requests, flooding the DNS server, flooding with HTTP
> requests which take a lot of time to process, etc. Using a botnet, you
> don't care of using an inefficient DoS attack, because your power is
> the number of zombies.
> 
> I have no idea of the price of renting a botnet, it's probably
> expensive (and illegal as well).

Talking about actual attackers, I think the concern here is
script kiddies: people who don't want to invest a lot of money into
some illegal activity, but who just learned that they can kill
service XYZ if they run this-or-that script - and want to try out
whether this actually works. I believe that professional criminals
aren't too interested in DDoS; they buy the botnets to distribute
spam.

Regards,
Martin


