A security advisory was released yesterday detailing a denial-of-service vulnerability that could affect most of the web.
The vulnerability lies in the hashing algorithms used by a variety of programming languages (including Python, Ruby, PHP and Java). When collisions happen, these algorithms take up large amounts of CPU cycles dealing with them (from what I understand).
To give you an idea of the extent of this problem I’ll quote the PDF linked in the advisory; take PHP, for example:
On an i7 core, the 60 seconds take a string of multi-collisions of about 500k. 30 seconds of CPU time can be generated using a string of about 300k. This means that an attacker needs about 70-100kbit/s to keep one i7 core constantly busy. An attacker with a Gigabit connection can keep about 10.000 i7 cores busy.
A typical POST size limit in Ruby frameworks is 2 MB, which takes about 6 hours of i7 CPU time to parse. Thus, an attacker with a single 850 bits/s line can keep one i7 core busy. The other way around, an attacker with a Gigabit connection can keep about 1.000.000 (one million!) i7 cores busy.
This allows someone to take down almost any webserver with (very) limited resources. Possible workarounds are: limiting CPU time, limiting the POST size, or limiting the maximum number of POST variables.
I’m currently waiting for the first PoCs and exploits to be published and will post an update when I get my hands on one (which will also confirm whether I understand the exploit correctly).
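To make the mechanism and the "limit the number of POST variables" workaround concrete, here is an added toy example (not code from the post or from the advisory): a separate-chaining hash table with a deliberately weak, predictable hash, a form parser that feeds it, and a parameter cap that rejects oversized bodies before any hashing work happens. The hash function, table size, key sets and the parameter cap are all constructed for the demo.

```python
import itertools, random
from collections import defaultdict

BUCKETS = 1024  # constructed toy table size

def weak_hash(key):
    # Deliberately weak toy hash (character sum mod table size) so collisions are easy
    # to construct; the affected languages used stronger but equally predictable hashes.
    return sum(ord(c) for c in key) % BUCKETS

class ChainedTable:
    """Separate-chaining hash table that counts key comparisons as a CPU-time proxy."""
    def __init__(self):
        self.buckets, self.comparisons = defaultdict(list), 0
    def insert(self, key, value):
        chain = self.buckets[weak_hash(key)]
        for i, (k, _) in enumerate(chain):  # every key already in the bucket gets compared
            self.comparisons += 1
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

def parse_form(body, max_params=None):
    """Parse a form-urlencoded body into the toy table. max_params is the
    workaround from the post: refuse oversized parameter lists before hashing anything."""
    pairs = body.split("&")
    if max_params is not None and len(pairs) > max_params:
        raise ValueError(f"too many form parameters: {len(pairs)} > {max_params}")
    table = ChainedTable()
    for pair in pairs:
        k, _, v = pair.partition("=")
        table.insert(k, v)
    return table

def colliding_body(n):
    # Constructed worst case: anagrams share a character sum, so all n keys land in
    # one bucket and each insert scans the whole chain (n(n-1)/2 comparisons in total).
    keys = ("".join(p) for p in itertools.permutations("abcdefgh"))
    return "&".join(f"{k}=1" for k in itertools.islice(keys, n))

def benign_body(n):
    # Constructed typical case: random 8-letter field names, seeded for repeatability.
    rng = random.Random(0)
    return "&".join("".join(rng.choices("abcdefghijklmnopqrstuvwxyz", k=8)) + "=1" for _ in range(n))

def work_comparison(n=2000):
    """Return (comparisons for a benign body, comparisons for a colliding body of n keys)."""
    return parse_form(benign_body(n)).comparisons, parse_form(colliding_body(n)).comparisons
```

Calling work_comparison(2000) shows the colliding body costing 1,999,000 key comparisons against a small fraction of that for the benign one, while parse_form(colliding_body(2000), max_params=1000) is refused before a single key is hashed.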
Update: I can see how this will ruin your day
Update 2: Go here for an easy-to-understand explanation.