- Subject: Re: [ANN] Lua 5.2.1 (work1) now available
- From: David Kolf <kolf@...>
- Date: Thu, 22 Mar 2012 18:01:32 +0100
Roberto Ierusalimschy wrote:
> Moreover, a small overhead may be acceptable as a price for solving
> the "hash complexity attack" (that people will worry about despite all
> contrary evidence).

I thought I had read all the posts in the original thread about this
issue, but I don't remember any contrary evidence. Did I miss something?

As far as I remember the only tested real-world attack was against a
CGI installation where the impact wasn't too bad as only a few threads
were blocked and the webserver could afford to open more threads. But a
server application that has to serve multiple clients using a single
thread can be quite vulnerable.

I do believe, however, that most Lua applications are client-side or
offline and not threatened by the DoS attack. So I guess the solution
could be optional at compile-time and only those who want to run a
public server need to switch it on.

Best regards,
David Kolf