[erlang-questions] Efficient Denial of Service Attacks on Web Application Platforms and its effects in Erlang?

Jesper Louis Andersen jesper.louis.andersen@REDACTED
Fri Dec 30 14:04:13 CET 2011

On 12/30/11 10:47 AM, Dmitrii Dimandt wrote:
> Specifically, I'm worried about
> - Yaws
> - Mochiweb
> - Webmachine
> - Misultin
> - Cowboy
The most worrisome place in Erlang is if you are using ETS in a mode 
where the underlying runtime uses a Hash, i.e., set or bag semantics. The 
ordered semantics use a tree and are thus not vulnerable - and the hash 
may not be either, but I don't know the details of that. There is a 
reason Dan J. Bernstein went for using critbit/radix/patricia trees in 
most of his software due to this. It is kind of a timing attack in a 
similar form.

What you should be worried about is this: A user can control an input 
which ends up being a key in a hash table. If this is true, then the 
table may be a problem if the user can craft collisions. The simplest 
solution is probably to lace the key with some "salt" or build up the 
hash so it is a family and change it such that an enemy attacker doesn't 
know what values to use in order to create collisions. Or you can choose 
a hash table structure without the problem in the first place.

But the quick Erlang fix is to use an ordered ETS table where 
applicable. Problem solved.

Jesper Louis Andersen
   Erlang Solutions Ltd., Copenhagen, DK
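
The two mitigations described in the post (an ordered_set table, or keying the table by a secret-salted digest of the user-chosen value rather than by the value itself), as an added example that is not part of the original mailing list message. The module name safe_keys, the wrapper API and the sample keys are assumptions made for the illustration; it relies on crypto:mac/4, which exists in OTP 22.1 and later. The HMAC variant stores the original key in the value tuple so it can be verified on lookup and listed when needed.

```erlang
%% Added example, not from the original post: two ways to keep
%% attacker-chosen data out of the runtime's hash buckets.
-module(safe_keys).
-export([new/1, put/3, get/2, demo/0]).

%% Option 1: ordered_set. The runtime keeps the keys in a balanced tree,
%% so lookup cost is O(log N) no matter how the keys were chosen.
new(ordered) ->
    {plain, ets:new(?MODULE, [ordered_set, private])};
%% Option 2: keep a hash-based set, but never use the user-chosen term as
%% the ETS key directly. The stored key is an HMAC of the input under a
%% per-table secret the remote side cannot learn, so it cannot precompute
%% inputs that land in the same bucket.
new(keyed) ->
    Secret = crypto:strong_rand_bytes(32),
    {keyed, ets:new(?MODULE, [set, private]), Secret}.

put({plain, Tab}, Key, Value) ->
    true = ets:insert(Tab, {Key, Value}),
    ok;
put({keyed, Tab, Secret}, Key, Value) ->
    %% Keep the original key next to the value so it can be checked and listed.
    true = ets:insert(Tab, {mac(Secret, Key), Key, Value}),
    ok.

get({plain, Tab}, Key) ->
    case ets:lookup(Tab, Key) of
        [{Key, Value}] -> {ok, Value};
        []             -> not_found
    end;
get({keyed, Tab, Secret}, Key) ->
    %% Key is already bound, so the pattern also confirms the original key matches.
    case ets:lookup(Tab, mac(Secret, Key)) of
        [{_, Key, Value}] -> {ok, Value};
        _                 -> not_found
    end.

%% term_to_binary lets any Erlang term (binary, list, tuple) be keyed uniformly.
mac(Secret, Key) ->
    crypto:mac(hmac, sha256, Secret, term_to_binary(Key)).

%% Constructed sample keys of the kind a request handler would take from a client
%% (query-string names, header names, form fields).
demo() ->
    Keys = [<<"user">>, <<"session">>, <<"x-forwarded-for">>, "legacy_list_key"],
    lists:map(
      fun(Mode) ->
              T = new(Mode),
              [ok = put(T, K, {stored, K}) || K <- Keys],
              Found = [get(T, K) || K <- Keys],
              Missing = get(T, <<"not-there">>),
              {Mode, Found, Missing}
      end, [ordered, keyed]).
```

Running safe_keys:demo() from a shell returns, for each mode, the stored values for every sample key and not_found for the absent one. The ordered_set variant needs no secret at all and keeps the keys enumerable in sort order; the keyed variant is the option when set or bag semantics are required, at the cost of one HMAC per access and an opaque key column.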
