On Dec 29 2011, 8:47 am, Jann Horn <jannh...@googlemail.com> wrote:
> http://www.youtube.com/watch?v=R2Cq3CLI6H8 >
> Technical explaination 0m-19m or so, part about nodejs at 40m or so.
> Basically, because v8 uses weak hashes for objects, you can fill up
> one slot of the hashtable with many entries, e.g. using a POST
> containing a querystring with many keys with the same hash. Operating
> on those keys (inserting and reading) then becomes slow as hell which
> allows you to bring a nodejs server to 100% CPU usage for a long time
> (blocking the event loop completely) with one moderately large POST
> request. This is bad.
> Those guys say they told Google October 18th, they got through to the
> v8 guys in November, and they said they don't care sooo much about DoS
> attacks on v8 because they're mainly interested in browserside stuff.
> This is bad for us.