Author pitrou
Recipients Arach, Arfrever, Huzaifa.Sidhpurwala, Mark.Shannon, PaulMcMillan, Zhiping.Deng, alex, barry, benjamin.peterson, christian.heimes, dmalcolm, georg.brandl, gvanrossum, gz, haypo, jcea, lemburg, merwok, pitrou, skrah, terry.reedy, tim.peters, v+python, zbysz
Date 2012-01-11.17:28:00
SpamBayes Score 4.89989e-07
Marked as misclassified No
Message-id <1326302790.3531.16.camel@localhost.localdomain>
In-reply-to <4F0DB2C1.6010308@egenix.com>
Content
> On my slow dev machine 1000 collisions run in around 22ms:
> 
> python2.7 -m timeit -n 100 "dict((x*(2**64 - 1), 1) for x in xrange(1, 1000))"
> 100 loops, best of 3: 22.4 msec per loop
> 
> Using this for a DOS attack would be rather noisy, much unlike
> sending a single POST.

Note that sending one POST is not enough, unless the attacker is content
with blocking *one* worker process for a couple of seconds or minutes
(which is a rather tiny attack if you ask me :-)). Also, you can combine
many dicts in a single JSON list, so that the 1000 limit isn't
overreached for any of the dicts.

So in all cases the attacker would have to send many of these POST
requests in order to overwhelm the target machine. That's how DOS
attacks work AFAIK.

> Yes, which is why the patch should be disabled by default (using
> an env var) in dot-releases. It's probably also a good idea to
> make the limit configurable to adjust to ones needs.

Agreed, if it's disabled by default then it's not a problem, but then
Python is vulnerable by default...
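The "many dicts in a single JSON list" point above, as an added example that is not part of the original message or of the proposed patch: a toy open-addressing table with the kind of per-dict collision cap discussed in the thread, fed with keys that all hash to the same value. One table with more colliding keys than the cap trips the limit; a payload of several tables each kept just under the cap never trips it, yet the total probe count (the attacker's CPU cost on the server) is the sum over all of them. The colliding keys are ints that are exact multiples of `sys.hash_info.modulus`, which under CPython 3.2+ all hash to 0 (int hashing is not covered by the later string-hash randomization); the `LimitedTable` class and its 1000-collision limit are this example's own model, not CPython's dict or the patch's code.

```python
"""Model a per-dict collision cap and show how one payload that splits the
colliding keys across many dicts stays under the cap while keeping the total
work high.  Toy table for illustration; not CPython's dict implementation."""
import sys


def colliding_ints(n):
    """n distinct ints that all hash to 0 under CPython's int hash.

    Assumption: CPython 3.2+ reduces int hashes modulo sys.hash_info.modulus,
    so every positive multiple of the modulus hashes to 0."""
    modulus = sys.hash_info.modulus
    return [k * modulus for k in range(1, n + 1)]


class CollisionLimitExceeded(Exception):
    """Raised when a single insert probes more occupied slots than allowed."""


class LimitedTable:
    """Open-addressing hash table (linear probing) with a per-insert collision
    cap, modelling the 'raise after N collisions in one dict' idea."""

    def __init__(self, limit=1000, size=2 ** 16):
        self.limit = limit
        self.size = size
        self.slots = [None] * size
        self.total_probes = 0  # every occupied slot touched, summed over inserts

    def insert(self, key):
        i = hash(key) % self.size
        collisions = 0
        while self.slots[i] is not None and self.slots[i] != key:
            collisions += 1
            self.total_probes += 1
            if collisions > self.limit:
                raise CollisionLimitExceeded(key)
            i = (i + 1) % self.size
        self.slots[i] = key


def build_payload(num_dicts, keys_per_dict, limit=1000):
    """Simulate decoding a JSON list of num_dicts objects, each carrying
    keys_per_dict colliding keys, into capped tables.

    Returns (tripped_limit, total_probes).  With linear probing on identical
    hashes the j-th key in a table probes j occupied slots, so each table that
    completes costs keys_per_dict * (keys_per_dict - 1) / 2 probes."""
    keys = colliding_ints(keys_per_dict)
    total = 0
    for _ in range(num_dicts):
        table = LimitedTable(limit=limit)
        try:
            for k in keys:
                table.insert(k)
        except CollisionLimitExceeded:
            return True, total + table.total_probes
        total += table.total_probes
    return False, total


if __name__ == "__main__":
    # One dict over the cap is refused...
    print("1 dict x 1200 keys ->", build_payload(1, 1200))
    # ...but ten dicts just under the cap are accepted, and the server does
    # ten times the work of one 900-key dict: 10 * 900 * 899 / 2 probes.
    print("1 dict x 900 keys  ->", build_payload(1, 900))
    print("10 dicts x 900 keys ->", build_payload(10, 900))
```

Raising the number of dicts per request, or the number of requests, scales the total linearly while each individual dict stays under the cap, which is why a per-dict limit alone only bounds the cost of one dict and not of one request.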
History
Date                User    Action  Args
2012-01-11 17:28:01 pitrou  set     recipients: + pitrou, lemburg, gvanrossum, tim.peters, barry, georg.brandl, terry.reedy, jcea, haypo, christian.heimes, benjamin.peterson, merwok, Arfrever, v+python, alex, zbysz, skrah, dmalcolm, gz, Arach, Mark.Shannon, Zhiping.Deng, Huzaifa.Sidhpurwala, PaulMcMillan
2012-01-11 17:28:00 pitrou  link    issue13703 messages
2012-01-11 17:28:00 pitrou  create