Which hash functions built into the web server would they attack?
I can't think of a specific time in a normal HTTP request that would use a user-supplied hash.
I would assume only a minority of pages on the average site would eat CPU so surely the sensible defense to this would be to impose a maximum CPU usage on these parts so the rest of the website continues to work.
good point, so the idea would be to supply something like:
page.php?x=1&y=1...
where the x and y keys are going to have the same hash value, so that when it uses those vars in a page it will hit the same hash bucket and become O(n) not O(1)?
Of course you would want to send a lot of different vars in.
Yup, though I'd probably pass those in using a POST request. A 5,000,000 character long log entry sticks out a bit, and most people aren't logging POST params by default.
I can't think of a specific time in a normal HTTP request that would use a user-supplied hash.
I would assume only a minority of pages on the average site would eat CPU so surely the sensible defense to this would be to impose a maximum CPU usage on these parts so the rest of the website continues to work.