[Zope-dev] version status

Toby Dickenson tdickenson@geminidataloggers.com
Tue, 17 Jun 2003 09:31:37 +0100


On Tuesday 17 June 2003 09:01, Oliver Bleutgen wrote:

> I don't quite understand the nature of this DOS attack after the patch.
> You do requests with REQUEST['Zope-Versiom'] == <big string>.
> If I understand your code correctly (it was bash and perl afterall ;))
> you create version i with a version name str(i)*500000.
> It seems (to me) that the sole cause for this DOS is that zope stores
> the version names in memory, that means you get a memory consumption for
> all version name strings of 10*500000 + 90*500000*2 which is 95.000.000
> bytes, which is roughly the 90M you reported.

The connection cache will also store a cached connection for each version. The 
connection is opened to *read* from the storage; no writes are needed.

A more 'efficient' attack would be to use a tiny (but unique) Zope-Version 
string to request a page that loads alot of zodb objects into the connection 
cache, for example as a seach page.

-- 
Toby Dickenson
http://www.geminidataloggers.com/people/tdickenson