On 05.10.13 01:27, Victor Stinner wrote:

> Ok, but why should we invest time to fix this specific DoS whereas
> there are other DoS like XML bomb?

That is a question about the very mechanics of free software. "We" don't need to invest time into anything (and you may have noticed that I lately actually don't :-) If you think this is a waste of time, just sit back and watch it evolve - it's Christian's time that may get wasted (and the time of anybody who chooses to respond). He is writing a PEP, and the same question can be asked about any feature that goes into Python: Why this feature, and not a different one? FWIW, I personally think that a lot of effort was wasted in micro-optimizing the Unicode implementation :-)

If you actually think that changing this aspect of Python is a bad idea, then you do need to get involved actively opposing the PEP. I personally think that this "pluggable hash function" stuff is a bad idea. Changing the hash function is ok as long as it doesn't get dramatically slower.

> Why not set a limit on the CPU
> time in your favorite web framework instead?

Because that is not implementable, in general, and might harm the service. If you disagree about the non-implementability, please propose a specific technology to limit the CPU consumption *per HTTP request*. It might harm the service because /some/ requests might be eligible for a high CPU cost. So put in your sandbox technology a mechanism to white-list specific URLs, or to have the CPU limit depend on the URL that is being requested.

> Popular DDoS attacks are usually the simplest, like flooding the server
> with ping requests, flooding the DNS server, flooding with HTTP
> requests which take a lot of time to process, etc. Using a botnet, you
> don't care about using an inefficient DoS attack, because your power is
> the number of zombies.
>
> I have no idea of the price of renting a botnet, it's probably
> expensive (and illegal as well).

Talking about actual attackers, I think the concern here are script kiddies: people who don't want to invest a lot of money into some illegal activity, but who just learned that they can kill service XYZ if they run this-or-that script - and want to try out whether this actually works. I believe that professional criminals aren't too interested in DDoS; they buy the botnets to distribute spam.

Regards,
Martin