Thursday, January 05, 2012

HOLY CRAP. nearly all nodejs http servers are vulnerable to DoS and apparently, the V8 guys seem to not care much

Technical explanation 0m-19m or so, part about nodejs at 40m or so.

Basically, because v8 uses weak hashes for objects, you can fill up one slot of the hashtable with many entries, e.g. using a POST containing a querystring with many keys with the same hash. Operating on those keys (inserting and reading) then becomes slow as hell which allows you to bring a nodejs server to 100% CPU usage for a long time (blocking the event loop completely) with one moderately large POST request. This is bad.

Those guys say they told Google October 18th, they got through to the v8 guys in November, and they said they don't care sooo much about DoS attacks on v8 because they're mainly interested in browserside stuff.

This is bad for us.

Read more: Google Groups

Posted via email from Jasper-Net
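The cost described in the post, and one way to cap it on the server side, as an added example that is not part of the original post or of node's own code. `singleBucketInsertCost`, `parseFormBounded` and the limit values are hypothetical names and assumptions; the one-bucket chain is a model of the worst case, not V8's hash table.

```javascript
// Added example; function names and limits are hypothetical.
// Worst case from the post: all n keys share one bucket, so every insert
// first walks the whole chain. Returns the number of key comparisons.
function singleBucketInsertCost(n) {
  const chain = [];
  let comparisons = 0;
  for (let i = 0; i < n; i++) {
    const key = 'k' + i;
    let found = false;
    for (const existing of chain) {
      comparisons++;
      if (existing === key) { found = true; break; }
    }
    if (!found) chain.push(key);
  }
  return comparisons; // n * (n - 1) / 2 for n distinct keys
}

const LIMITS = { maxChars: 64 * 1024, maxKeys: 200 }; // assumed defaults
const decode = (s) => decodeURIComponent(s.replace(/\+/g, ' '));

// Parse a urlencoded body, rejecting oversized input before any key is
// stored, so the quadratic case above is capped at maxKeys entries.
function parseFormBounded(body, limits = LIMITS) {
  if (body.length > limits.maxChars) {
    return { ok: false, status: 413, reason: 'body too large' };
  }
  let pairs = body.length ? 1 : 0;
  for (let i = 0; i < body.length; i++) { // linear scan, no hashing
    if (body.charCodeAt(i) === 38 /* '&' */ && ++pairs > limits.maxKeys) {
      return { ok: false, status: 413, reason: 'too many parameters' };
    }
  }
  const fields = new Map();
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    try {
      const key = decode(eq === -1 ? pair : pair.slice(0, eq));
      fields.set(key, eq === -1 ? '' : decode(pair.slice(eq + 1)));
    } catch {
      return { ok: false, status: 400, reason: 'malformed encoding' };
    }
  }
  return { ok: true, fields };
}
```

In a real server the length limit belongs in the code that reads the request stream, so an oversized body is dropped before it is fully buffered.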