Reputation: 7397
On the 28/12/2011 US-CERT released a bulletin about the majority of web servers being vulnerable to DOS attacks due to the way they handle hash table collisions. Article here
Could someone please explain where this hash table fits into the ASP.NET lifecycle? Is it one hash table per session or one big hash table per server instance?
Thank you, Fidel
Upvotes: 2
Views: 612
Reputation: 700322
The hash table in question is Request.Form.
The server parses the form data and places the key-value pairs into the Request.Form collection. If the form data contains keys that produce the same hash code, it produces hash collisions, which reduce the performance of the hash table.
So, it's not one table per server or per session, but one table per POST request.
Upvotes: 2
Reputation: 9752
A hashtable will be used throughout the application; it's not just in one place. For example, when you add post variables to a page they get processed internally in a hashtable, so if you had a massive amount of hashtable collisions (i.e. post variables with the same name on a page), it'd happen here. It's a very efficient memory storage system for accessing an "array" using a collection of words (think of a dictionary).
This is one of those things where, whilst it can be exploited, the better thing to do is use best practices and monitor CPU usage, limit the maximum POST size per page, and limit requests from a single host.
Upvotes: 0
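The per-request cost discussed in the answers above, as an added example that is not part of the original thread: a toy chained hash table built once per POST body, counting key comparisons, with a body-size limit as the bound on the work. The hash function (sum of character codes), the bucket count, the function names and the sample bodies are all constructed for illustration and are not ASP.NET's implementation.

```python
from urllib.parse import parse_qsl

BUCKETS = 64  # assumed bucket count for the toy table


def weak_hash(key):
    # Toy deterministic hash (sum of code points); not the .NET string hash.
    return sum(map(ord, key)) % BUCKETS


def parse_form(body, max_body_bytes=None):
    """Build one table for one request body; return (table, key comparisons)."""
    if max_body_bytes is not None and len(body.encode()) > max_body_bytes:
        raise ValueError("request body exceeds limit")
    table = [[] for _ in range(BUCKETS)]
    comparisons = 0
    for key, value in parse_qsl(body, keep_blank_values=True):
        bucket = table[weak_hash(key)]
        for name, values in bucket:
            comparisons += 1
            if name == key:  # repeated field name: append, no new entry
                values.append(value)
                break
        else:
            bucket.append((key, [value]))
    return table, comparisons


def ordinary_body(n):
    # Constructed sample: field names f000, f001, ... spread over several buckets.
    return "&".join(f"f{i:03d}=1" for i in range(n))


def colliding_body(n):
    # Constructed sample: '0' (48) and 'p' (112) differ by 64, so under
    # weak_hash every distinct key lands in the same bucket.
    return "&".join(format(i, "010b").replace("1", "p") + "=1" for i in range(n))


if __name__ == "__main__":
    n = 512
    print("ordinary :", parse_form(ordinary_body(n))[1], "comparisons")
    print("colliding:", parse_form(colliding_body(n))[1], "comparisons")  # n*(n-1)/2
    try:
        parse_form(colliding_body(n), max_body_bytes=2048)
    except ValueError as exc:
        print("with a 2 KiB body limit:", exc)
```

For n distinct keys in one bucket the table does n(n-1)/2 comparisons, so the cost grows quadratically with the number of keys a single request is allowed to carry; capping the body size caps that number.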