Hi

On Fri, Sep 23, 2016 at 8:47 PM, Stanislav Malyshev <smalys...@gmail.com> wrote:
> Hi!
>
> > That's exactly what we don't want - let the attacker to end our request.
>
> Why not? What else you can do with this request that has clearly bad and
> maliciously constructed data?
>

I think there is a confusion about the "servers written in PHP". Those applications serve more requests in a single (main) PHP request using the event loop. Good examples of that are Aerys or ReactPHP. So we don't want to kill that main request if one of the handled requests is malicious (ideally we just ignore that malicious request and serve others).

> > All other things like string overflows and memory limits are under our
> > control (e.g. we can set limit on the server and reject such requests)
>
> Not sure I understand what you mean. How exactly memory limits are under
> your control? If somebody sends a request that blows up your memory
> limit, how you control it? In fact, if somebody sends, say, a POST that
> goes above your post limit - how you handle it without terminating the
> request?

Usually you will have it behind a proxy so you can terminate it there if the request is too big. For example you could set client_max_body_size in nginx. However we can't effectively catch HashDos by the size because it can be a relatively small request (see the nice description of that in one of the previous emails from Nikita...).

Cheers

Jakub
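
The distinction drawn in the message above, as an added example that is not part of the original e-mail and is not PHP's hash table: a Python model in which a body-size check passes a small request whose keys all collide, while a per-bucket chain cap raises a catchable exception so that only that request is rejected. All names (BoundedTable, CollisionLimitExceeded, handle_request, serve), the byte-sum toy hash and the limits 1024 and 8 are assumptions made for illustration.

```python
from itertools import islice, permutations

class CollisionLimitExceeded(Exception):
    """Catchable signal that one bucket chain hit the cap (no process abort)."""

class BoundedTable:
    def __init__(self, buckets=64, max_chain=8):
        self.buckets = [[] for _ in range(buckets)]
        self.max_chain = max_chain      # None disables the cap
        self.probes = 0                 # key comparisons, a proxy for CPU cost

    def insert(self, key, value):
        # Toy hash (byte sum), chosen so that collisions are trivial to construct.
        chain = self.buckets[sum(key.encode()) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.probes += 1
            if k == key:
                chain[i] = (key, value)
                return
        if self.max_chain is not None and len(chain) >= self.max_chain:
            raise CollisionLimitExceeded(key)
        chain.append((key, value))

def handle_request(fields, max_body=1024, max_chain=8):
    """Return (status, probes) for one request's (key, value) fields."""
    if sum(len(k) + len(v) + 2 for k, v in fields) > max_body:
        return 413, 0                   # the size check a proxy would apply
    table = BoundedTable(max_chain=max_chain)
    try:
        for k, v in fields:
            table.insert(k, v)
    except CollisionLimitExceeded:
        return 400, table.probes        # reject this request only
    return 200, table.probes

def serve(requests):
    """Stand-in for an event loop: every request gets handled in turn."""
    return [handle_request(r)[0] for r in requests]

# Constructed sample input: three ordinary fields, and 60 anagram keys that
# all share one bucket under the toy hash while staying under max_body.
BENIGN = [("name", "a"), ("email", "b"), ("lang", "c")]
COLLIDING = [("".join(p), "1") for p in islice(permutations("abcde"), 60)]

if __name__ == "__main__":
    print(handle_request(COLLIDING, max_chain=None))  # cost with no cap
    print(handle_request(COLLIDING))                  # cost with the cap
    print(serve([BENIGN, COLLIDING, BENIGN]))
```

The probe count stands in for CPU time: without the cap it grows quadratically with the number of colliding keys even though the request stays well under the size limit.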