Google Groups

Re: HOLY CRAP. nearly all nodejs http servers are vulnerable to DoS and apparently, the V8 guys seem to not care much


MK2 Jan 1, 2012 9:19 AM
Posted in group: nodejs
Our team member had created the attack querystring.
And I tested it on my MacBook; here are the test results.

http://fengmk2.github.com/mk2blog/blog/2011/hac-in-nodejs-results.html


On Dec 29 2011, 8:47 am, Jann Horn <jannh...@googlemail.com> wrote:
> http://www.youtube.com/watch?v=R2Cq3CLI6H8
>
> Technical explanation 0m-19m or so, part about nodejs at 40m or so.
>
> Basically, because v8 uses weak hashes for objects, you can fill up
> one slot of the hashtable with many entries, e.g. using a POST
> containing a querystring with many keys with the same hash. Operating
> on those keys (inserting and reading) then becomes slow as hell which
> allows you to bring a nodejs server to 100% CPU usage for a long time
> (blocking the event loop completely) with one moderately large POST
> request. This is bad.
>
> Those guys say they told Google October 18th, they got through to the
> v8 guys in November, and they said they don't care sooo much about DoS
> attacks on v8 because they're mainly interested in browserside stuff.
>
> This is bad for us.
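
The slowdown described in the quoted message, as an added example that is not part of the original thread: a toy chained hash table shows that n keys landing in one bucket cost n(n-1)/2 key comparisons on insert, and that rejecting requests with too many parameters bounds that cost. `ToyTable`, `weakHash`, `sameBucketKeys`, `parseQuery` and the `maxKeys` limit are hypothetical names for illustration; the hash is deliberately weak and is not V8's.

```javascript
// Toy chained hash table (an assumption for illustration, not V8's real
// implementation). It counts key comparisons so the cost shows without timing.
class ToyTable {
  constructor(hashFn, size = 1024) {
    this.hashFn = hashFn;
    this.buckets = Array.from({ length: size }, () => []);
    this.comparisons = 0;
  }
  set(key, value) {
    const chain = this.buckets[this.hashFn(key) % this.buckets.length];
    for (const entry of chain) {
      this.comparisons++;
      if (entry[0] === key) { entry[1] = value; return; }
    }
    chain.push([key, value]);
  }
}

// Deliberately weak hash (hypothetical): order-insensitive sum of char codes.
function weakHash(s) {
  let h = 0;
  for (let i = 0; i < s.length; i++) h = (h + s.charCodeAt(i)) >>> 0;
  return h;
}

// Constructed sample input: n distinct keys built from "ab"/"ba" blocks, so all
// share one character sum and land in the same bucket under weakHash.
function sameBucketKeys(n) {
  const bits = Math.max(1, Math.ceil(Math.log2(n)));
  return Array.from({ length: n }, (_, i) =>
    i.toString(2).padStart(bits, "0").replace(/0/g, "ab").replace(/1/g, "ba"));
}

// Parse key=value pairs into the table; stop and reject once maxKeys is exceeded,
// which bounds the worst case at maxKeys * (maxKeys - 1) / 2 comparisons.
function parseQuery(qs, table, maxKeys = Infinity) {
  let count = 0;
  for (const pair of qs.split("&")) {
    if (++count > maxKeys) return { rejected: true, comparisons: table.comparisons };
    const eq = pair.indexOf("=");
    table.set(eq < 0 ? pair : pair.slice(0, eq), eq < 0 ? "" : pair.slice(eq + 1));
  }
  return { rejected: false, comparisons: table.comparisons };
}

function demo(n = 2000, maxKeys = 100) {
  const qs = sameBucketKeys(n).map((k) => k + "=1").join("&");
  return { uncapped: parseQuery(qs, new ToyTable(weakHash)),
           capped: parseQuery(qs, new ToyTable(weakHash), maxKeys) };
}
```

Calling `demo()` returns the comparison counts for the same constructed querystring parsed without a limit and with a limit of 100 parameters.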