YouTube home Comedy Week on YouTube
Upload

28c3: Effective Denial of Service attacks against web application platforms

28c3 28c3·149 videos
4,686
28,071
Like     Dislike 5

Sign in to YouTube

Sign in with your Google Account (YouTube, Google+, Gmail, Orkut, Picasa, or Chrome) to like 28c3's video.

Sign in to YouTube

Sign in with your Google Account (YouTube, Google+, Gmail, Orkut, Picasa, or Chrome) to dislike 28c3's video.

Sign in to YouTube

Sign in with your Google Account (YouTube, Google+, Gmail, Orkut, Picasa, or Chrome) to add 28c3's video to your playlist.

Uploaded on Dec 28, 2011

Download hiqh quality version: http://bit.ly/rKwW58
Description: http://events.ccc.de/congress/2011/Fa...

Alexander 'alech' Klink, Julian | zeri: Effective Denial of Service attacks against web application platforms
We are the 99% (CPU usage)

This talk will show how a common flaw in the implementation of most of the popular web
programming languages and platforms (including PHP, ASP.NET, Java, etc.) can
be (ab)used to force web application servers to use 99% of CPU for several
minutes to hours for a single HTTP request.

This attack is mostly independent of the underlying web application and just
relies on a common fact of how web application servers typically work.

The interactive transcript could not be loaded.
Ratings have been disabled for this video.
Rating is available when the video has been rented.
This feature is not available right now. Please try again later.

All Comments (14)

Sign in now to post a comment!
  • j00mi

    j00mi 1 year ago

    You are right. Thats a well known alternative. But i think you must use a balanced tree to gain optimal performance. It's more complicated to do insertion and deletion. But the lookup, like you said, is O(n*log(n)). I would prefer a b-tree if I have a very large immutable set of data and the only thing i do are lookups.

    ·

    Sign in to YouTube

    Sign in with your YouTube Account (YouTube, Google+, Gmail, Orkut, Picasa, or Chrome) to rate j00mi's comment.

    Sign in to YouTube

    Sign in with your YouTube Account (YouTube, Google+, Gmail, Orkut, Picasa, or Chrome) to rate j00mi's comment.
    in reply to Per Persson (Show the comment)
  • Per Persson

    Per Persson 1 year ago

    A hash table is normally implemented as an array of lists. Then in worst case, insertion takes O(n^2). What if you instead used a balanced binary search tree? Wouldn't that be better and in worst case take O(n log n)? And as long as the elements in the hash table are well spread out, it shouldn't be slower than a list.

    ·

    Sign in to YouTube

    Sign in with your YouTube Account (YouTube, Google+, Gmail, Orkut, Picasa, or Chrome) to rate Per Persson's comment.

    Sign in to YouTube

    Sign in with your YouTube Account (YouTube, Google+, Gmail, Orkut, Picasa, or Chrome) to rate Per Persson's comment.
  • j00mi

    j00mi 1 year ago

    if bucket lookup and str cmp is part of the algorithm then O(n^2) is correct

    ·

    Sign in to YouTube

    Sign in with your YouTube Account (YouTube, Google+, Gmail, Orkut, Picasa, or Chrome) to rate j00mi's comment.

    Sign in to YouTube

    Sign in with your YouTube Account (YouTube, Google+, Gmail, Orkut, Picasa, or Chrome) to rate j00mi's comment.
  • uenyioha

    uenyioha 1 year ago

    i think they're trying to point out the the string comparisons in addition to the linked list traversals. but agree that O(n^2) is the wrong measure if that's the case.

    ·

    Sign in to YouTube

    Sign in with your YouTube Account (YouTube, Google+, Gmail, Orkut, Picasa, or Chrome) to rate uenyioha's comment.

    Sign in to YouTube

    Sign in with your YouTube Account (YouTube, Google+, Gmail, Orkut, Picasa, or Chrome) to rate uenyioha's comment.
    in reply to nzer19 (Show the comment)
  • echtwahr

    echtwahr 1 year ago

    lets not engage in semantic hairspliting shall we?

    ·

    Sign in to YouTube

    Sign in with your YouTube Account (YouTube, Google+, Gmail, Orkut, Picasa, or Chrome) to rate echtwahr's comment.

    Sign in to YouTube

    Sign in with your YouTube Account (YouTube, Google+, Gmail, Orkut, Picasa, or Chrome) to rate echtwahr's comment.
    in reply to Koniiiik (Show the comment)
  • Koniiiik

    Koniiiik 1 year ago

    Actually, I'm pretty sure they mentioned the n² run time is for n insertions. And yes, this is not only O(n²) but Θ(n²).

    ·

    Sign in to YouTube

    Sign in with your YouTube Account (YouTube, Google+, Gmail, Orkut, Picasa, or Chrome) to rate Koniiiik's comment.

    Sign in to YouTube

    Sign in with your YouTube Account (YouTube, Google+, Gmail, Orkut, Picasa, or Chrome) to rate Koniiiik's comment.
    in reply to nzer19 (Show the comment)
  • Spo0Bo

    Spo0Bo 1 year ago

    If you are using a language that does not randomize the hashing you could also place a random prefix in front of each hash key through using a subclass of hash. No? Didn't see the entire talk because honestly ... get to the point guys :|

    ·

    Sign in to YouTube

    Sign in with your YouTube Account (YouTube, Google+, Gmail, Orkut, Picasa, or Chrome) to rate Spo0Bo's comment.

    Sign in to YouTube

    Sign in with your YouTube Account (YouTube, Google+, Gmail, Orkut, Picasa, or Chrome) to rate Spo0Bo's comment.
  • nzer19

    nzer19 1 year ago

    Erm worse case for collisions in a hashtable..the hashtable acts as a linked list or array (depending on implementation). Certainly would not result in O(n^2) operations.

    ·

    Sign in to YouTube

    Sign in with your YouTube Account (YouTube, Google+, Gmail, Orkut, Picasa, or Chrome) to rate nzer19's comment.

    Sign in to YouTube

    Sign in with your YouTube Account (YouTube, Google+, Gmail, Orkut, Picasa, or Chrome) to rate nzer19's comment.
  • Loading comment...
Loading...
Loading...
Working...
Sign in to add this to Watch Later