On Wed, Mar 20, 2013 at 11:00 AM, Bardur Arantsson <spam@scientician.net> wrote:
AFAICT, the hash function needn't be cryptographically secure (though that obviously avoids the issue altogether) -- if there is some
determined-at-startup "salt" that's added in to all hashed values then
that should provide good enough protection. Obviously this will mean
that the hashes won't be repeatable across runs of the same program, but
that's usually acceptable for a hash function which isn't used for
content identification(*).
(*) For which you should use a cryptographically secure hash anyway.
> SipHash is one way to address these kinds of attacks. There are other means
> as well. For example, many general DoS protection mechanisms (timeouts, IP
> banning, etc) also work on these kinds of attacks.
>
Timeouts aren't necessarily sufficient -- the application can keep
sending data (e.g. form parameter data) and can cause 100% cpu usage for
a loooooonng time. After that it can just start over.
IP banning can only happen after the problem occurs.