[Moscow.pm] [nodejs] Re: HOLY CRAP. nearly all nodejs http servers are vulnerable to DoS and apparently, the V8 guys seem to not care much

Alexandr Gomoliako zzz на zzz.org.ua
Пт Дек 30 13:57:50 PST 2011

> On Dec 28, 4:47 pm, Jann Horn <jannh... at googlemail.com> wrote:

>> Basically, because v8 uses weak hashes for objects, you can fill up
>> one slot of the hashtable with many entries, e.g. using a POST
>> containing a querystring with many keys with the same hash. Operating
>> on those keys (inserting and reading) then becomes slow as hell which
>> allows you to bring a nodejs server to 100% CPU usage for a long time
>> (blocking the event loop completely) with one moderately large POST
>> request. This is bad.

>> Those guys say they told Google October 18th, they got through to the
>> v8 guys in November, and they said they don't care sooo much about DoS
>> attacks on v8 because they're mainly interested in browserside stuff.

Гугл не захотел фиксить хэши в v8, им все равно, как он в ноде
работает. Очередная причина избегать джаваскрипт за пределами
браузера :)

Подробная информация о списке рассылки Moscow-pm