Roberto Ierusalimschy wrote:
> Moreover, a small overhead may be acceptable as a price for solving
> the "hash complexity attack" (that people will worry about despite all
> contrary evidence).

I thought I had read all the posts in the original thread about this
issue, but I don't remember any contrary evidence. Did I miss something?

As far as I remember, the only tested real-world attack was against a
CGI installation where the impact wasn't too bad as only a few threads
were blocked and the webserver could afford to open more threads. But a
server application that has to serve multiple clients using a single
thread can be quite vulnerable.

I do believe, however, that most Lua applications are client-side or
offline and not threatened by the DoS attack. So I guess the solution
could be optional at compile time and only those who want to run a
public server need to switch it on.

Best regards,

David Kolf