On 22 September 2016 00:23:16 BST, Stanislav Malyshev <smalys...@gmail.com> 
wrote:
>In which case some limit like 1000 (just random number but can be
>tested) would probably be OK. The question now is would it be enough to
>block DoS? I.e. if we construct data to cause 999 collisions each time
>to stay just under the limit, can we still cause trouble or not? It's
>still almost 1000 times slower than it's supposed to be...

I think I'm right in saying that the power of the attack comes in the fact that 
the total time doesn't scale linearly but exponentially. Inserting a third 
element into a chain of two is faster than inserting a tenth element into a 
chain of nine. So a hash that hits the limit is more than 1000 times slower 
than a natural one, but 1000 chains of 999 is orders of magnitude faster than 
one chain of 999000.

That doesn't exactly answer the question of whether 1000 is the right value, of 
course.

Regards,

-- 
Rowan Collins
[IMSoP]
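To make the cost comparison in the reply above concrete, here is a small added illustration that is not part of the thread or of PHP's own hash table code: a toy separate-chaining table that counts key comparisons on insert (each insert scans its bucket's chain for a duplicate key, as real tables do). A constructed hash function (`lambda k: k % n_chains`, an assumption for the simulation, not PHP's hash) routes keys so that every bucket's chain reaches a chosen length, and an optional per-chain limit (`max_chain`, a hypothetical knob) rejects inserts that would exceed it. The closed-form `total_cost` lets the large cases from the thread be computed without running them.

```python
"""Toy chained hash table that counts key comparisons, to compare
one long collision chain against many chains held just under a limit.
Added example; not code from the PHP project or this mailing-list thread."""
from typing import Callable, Hashable, List, Optional


class ChainLimitExceeded(RuntimeError):
    """Raised when one bucket's chain would grow past the configured limit."""


class CountingHashTable:
    def __init__(self, nbuckets: int, hash_fn: Callable[[Hashable], int],
                 max_chain: Optional[int] = None) -> None:
        self.buckets: List[List[list]] = [[] for _ in range(nbuckets)]
        self.hash_fn = hash_fn          # caller-supplied; constructed for the demo
        self.max_chain = max_chain      # hypothetical per-bucket chain limit
        self.comparisons = 0            # work counter: key comparisons performed

    def insert(self, key: Hashable, value) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        # Duplicate check: one key comparison per entry already in the chain,
        # so inserting the n-th entry of a chain costs n-1 comparisons.
        for entry in chain:
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        if self.max_chain is not None and len(chain) >= self.max_chain:
            raise ChainLimitExceeded(
                f"bucket chain would exceed {self.max_chain} entries")
        chain.append([key, value])


def chain_cost(chain_len: int) -> int:
    """Comparisons needed to build one chain of chain_len entries: 0+1+...+(L-1)."""
    return chain_len * (chain_len - 1) // 2


def total_cost(n_chains: int, chain_len: int) -> int:
    """Comparisons needed to build n_chains chains of chain_len entries each."""
    return n_chains * chain_cost(chain_len)


def simulate(n_chains: int, chain_len: int,
             max_chain: Optional[int] = None) -> int:
    """Insert n_chains*chain_len keys so every bucket's chain reaches chain_len.

    Constructed hash: key i lands in bucket i % n_chains. Returns the number
    of key comparisons performed, which should equal total_cost()."""
    table = CountingHashTable(n_chains, lambda k: k % n_chains, max_chain)
    for i in range(n_chains * chain_len):
        table.insert(i, i)
    return table.comparisons


if __name__ == "__main__":
    # Small cases run for real; they match the closed form.
    print("1 chain of 1000:   ", simulate(1, 1000), "==", total_cost(1, 1000))
    print("10 chains of 100:  ", simulate(10, 100), "==", total_cost(10, 100))
    # The thread's large cases via the closed form.
    single = total_cost(1, 999_000)      # one chain of 999000 entries
    capped = total_cost(1000, 999)       # 1000 chains kept just under a 1000 limit
    print("one chain of 999000:", single)
    print("1000 chains of 999: ", capped, f"(ratio {single / capped:.0f}x)")
    try:
        simulate(1, 1001, max_chain=1000)
    except ChainLimitExceeded as exc:
        print("limit enforced:", exc)
```

The comparison count grows quadratically in the chain length, which is why splitting the same number of colliding keys across a thousand chains cuts the work by roughly a factor of a thousand, while a chain held at 999 entries still costs about 500 times the comparisons of inserting 999 keys into healthy buckets.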

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php