On Tuesday 17 June 2003 09:01, Oliver Bleutgen wrote:
I don't quite understand the nature of this DOS attack after the patch. You do requests with REQUEST['Zope-Versiom'] == <big string>. If I understand your code correctly (it was bash and perl afterall ;)) you create version i with a version name str(i)*500000. It seems (to me) that the sole cause for this DOS is that zope stores the version names in memory, that means you get a memory consumption for all version name strings of 10*500000 + 90*500000*2 which is 95.000.000 bytes, which is roughly the 90M you reported.
The connection cache will also store a cached connection for each version. The connection is opened to *read* from the storage; no writes are needed. A more 'efficient' attack would be to use a tiny (but unique) Zope-Version string to request a page that loads alot of zodb objects into the connection cache, for example as a seach page. -- Toby Dickenson http://www.geminidataloggers.com/people/tdickenson