[Python-Dev] Make str/bytes hash algorithm pluggable? (original) (raw)

"Martin v. Löwis" martin at v.loewis.de
Sat Oct 5 14:01:16 CEST 2013

Am 05.10.13 01:27, schrieb Victor Stinner:

Ok, but why should we invest time to fix this specific DoS wheras there are other DoS like XML bomb?

That is a question about the very mechanics of free software. "We" don't need to invest time into anything (and you may have noticed that I lately actually don't :-) If you think this is a waste of time, just sit back and watch it evolve - it's Christian's time that may get wasted (and the time of anybody who choses to respond). He is writing a PEP, and the same question can be asked about any feature that goes into Python: Why this feature, and not a different one? FWIW, I personally think that a lot of effort was wasted in micro-optimizing the Unicode implementation :-)

If you actually think that changing this aspect of Python is a bad idea, then you do need to get involved actively opposing the PEP. I personally think that this "pluggable hash function" stuff is a bad idea. Changing the hash function is ok as long as it doesn't get dramatically slower.

Why not setting a limit on the CPU time in your favorite web framework instead?

Because that is not implementable, in general, and might harm the service. If you disagree about the non-implementability, please propose a specific technology to limit the CPU consumption per HTTP request. It might harm the service because /some/ requests might be eligible to high CPU cost. So put in your sandbox technology a mechanism to white-list specific URLs, or to have the CPU limit depend on the URL that is being requested.

Popular DDoS attack are usually the simplest, like flooding the server with ping requests, flooding the DNS server, flooding with HTTP requests which take a lot of time ot process, etc. Using a botnet, you don't care of using an inefficient DoS attack, because your power is the number of zombi.

I have no idea of the price of renting a botnet, it's probably expensive (and illegal as well).

Talking about actual attackers, I think the concern here are script kiddies: people who don't want to invest a lot of money into some illegal activity, but who just learned that they can kill service XYZ if they run this-or-that script - and want to try out whether this actually works. I believe that profesional criminals aren't too interested in DDoS; they buy the botnets to distribute spam.

Regards, Martin

More information about the Python-Dev mailing list