Solution to DDoS attacks by using the hash conflict vulnerability in PHP

The hash Collision Vulnerability has recently occurred in various languages. Including php, ruby, python, and java. Microsoft's. net is also affected.

Hash collision principle:

Hash is a type of output that converts an input of any length into an output of a fixed length. An output of a fixed length can represent the input in "Actual Application Scenario. Hash Functions are usually translated into Hash functions. Hash is usually used to verify information consistency.

The implementation of Hash functions is diverse, and the SHA-x Series and MDx series are the most widely used in the security field. Hash functions are also divided into Hash Functions with and without keys. Generally, Hash functions are Hash functions without keys. The implementation principle of the Hash algorithm is not discussed here.
 
Due to the fixed Hash length output feature, multiple different inputs may produce the same output. If the values of the hash functions of the two input strings are the same, the two strings are called Collision ). In the theoretical scope, an output string corresponds to an infinite number of input strings, so collision is inevitable.

If a collision is found, it means that we can destroy information consistency without being noticed by the receiver. The process of searching for the Hash collision value specified in the input is called "Hash cracking ". It should be noted that the Hash function must be irreversible, so there is no cracking from the Hash value to the original input (this does not include brute-force cracking. Using a rainbow table is the best method for brute-force cracking, however, it still cannot be ensured that the cracked data is raw data ). Poorly designed Hash algorithms make it easy to find collision values.

Kangle web Server is a cross-platform, powerful, secure, stable, easy-to-use, high-performance, domestic open source web server and reverse proxy server software. Kangle
In addition, kangle is a web server designed for virtual hosts. Allows independent processes and identities of virtual hosts to run. Security Isolation between users. If a user suffers a problem, other users are not affected. Security supports php, asp, asp.net, java, ruby, and other dynamic development languages.

Kangle 2.7.5 adds a maximum post parameter to prevent this vulnerability. Go to the kangle management background 3311 settings. Click Configuration ==> data exchange on the left. The following page is displayed. :

A maximum of POST parameters can be entered. Here, only 2 is required for testing. We recommend that you enter 500. To use this function, you must open and use temporary files. Otherwise, it is invalid. :