On 9/22/16 3:46 AM, Rowan Collins wrote:
> I think I'm right in saying that the power of the attack comes in the fact that
> the total time doesn't scale linearly but exponentially.
Quadratic is what I read in the previous thread, IIRC. Even so, it's
still a useful gain.
> That doesn't exactly answer the question of whether 1000 is the right value, of
> course.
It's the parameter for what's in effect a statistical hypothesis test
for randomness, built on the assumption that key patterns that are not
hostile are quasi-random and those that are not random are hostile. 1000
seems large if testing randomness, were that the only consideration.
But I guess there is a concern that, in some cases, legitimate use could
have key patterns with regularities that lead to accumulation in some bins.
So it should work, to a useful extent, if there is a parameter value
- low enough to give a worthwhile degree of DoS attack protection
- high enough to false positive only for benign patterns that would in
any case cause terrible performance degradation
Tom
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
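The quadratic cost and the per-bucket limit discussed above, as an added illustration that is not part of this thread and not PHP's implementation: a toy chained hash table with a deliberately weak hash (an assumption for the demo), fed a constructed quasi-random key set and a constructed set of keys that all share one bucket, with a chain-length threshold standing in for the debated parameter.

```python
import itertools
import random
import string

class BucketOverflow(Exception):
    """One bucket's chain grew past the configured limit (the DoS guard)."""

class ToyHashTable:
    """Chained hash table with a deliberately weak hash and a per-bucket limit."""
    def __init__(self, size=64, max_chain=1000):
        self.size, self.max_chain = size, max_chain
        self.buckets = [[] for _ in range(size)]
        self.comparisons = 0  # key comparisons performed across all inserts

    def _hash(self, key):
        # Weak by construction (demo assumption): anagrams share a byte sum, hence a bucket.
        return sum(key.encode()) % self.size

    def insert(self, key, value):
        chain = self.buckets[self._hash(key)]
        for i, (k, _) in enumerate(chain):  # walk the chain: cost grows with its length
            self.comparisons += 1
            if k == key:
                chain[i] = (key, value)
                return
        if len(chain) >= self.max_chain:  # the threshold the thread debates
            raise BucketOverflow(f"bucket chain would exceed {self.max_chain}")
        chain.append((key, value))

def insertion_cost(keys, max_chain=1000):
    """Return (comparisons, completed) for inserting keys under a per-bucket limit."""
    table = ToyHashTable(max_chain=max_chain)
    try:
        for k in keys:
            table.insert(k, None)
    except BucketOverflow:
        return table.comparisons, False
    return table.comparisons, True

def random_keys(n, seed=1):
    """n distinct random 8-letter keys (constructed): the quasi-random benign case."""
    rng, keys = random.Random(seed), set()
    while len(keys) < n:
        keys.add("".join(rng.choices(string.ascii_lowercase, k=8)))
    return sorted(keys)

def colliding_keys(n):
    """n distinct anagrams of one word (constructed): all land in one bucket."""
    return ["".join(p) for p in itertools.islice(itertools.permutations("abcdefgh"), n)]
```

Doubling the colliding key count quadruples the comparison count (n(n-1)/2), while the random set stays close to linear; with a lower `max_chain` the insert batch is cut off early at a bounded cost instead of completing.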