
Python -R function

While scrolling through all python options, I found that python contains an option to "[turn] on hash randomization, so that the __hash__() values of str, bytes and datetime objects are “salted” with an unpredictable random value. Although they remain constant within an individual Python process, they are not predictable between repeated invocations of Python." (source).

The official documents refer to this document http://www.ocert.org/advisories/ocert-2011-003.html that is supposed to provide more information; however, it doesn't provide any information on what such "crafted HTTP requests" look like. All relevant links on the site are dead. I know that this can be fixed by calling python -R, however, I'm more interested in the details.

How can one HTTP request take 100% of the server CPU for several hours, and how can randomizing the hash value fix that? Is it creating some kind of a deadlock? (I know that an HTTP request can take long if the script is broken (infinite for/while loop, gotos) or is doing a very expensive task, but I assume that this isn't the case.)

Salting a hash with an unpredictable salt is used to prevent collision attacks.

A collision attack, in one word, is an attack targeting the hash table algorithm, which normally operates in O(1), but can be tricked to operate in O(n).

Tricking a hashtable algorithm is simple: a hashtable implementation is usually slower when storing objects having a common hashed value; it's named a collision. It's slower because the two values are stored together, for example, in a linked list. So if you can produce a large quantity of keys that ALL collide, you're forcing the hashtable to store them all in a linked list, which is damn slow and eats a lot of CPU.

To exploit this, you have to know the hash algorithm, to be able to predict and generate conflicting keys. If the hash is salted by a value you don't know, you'll not be able to generate colliding keys.
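As an added example (not part of the answer above), the slowdown and the fix side by side: a constructed `Colliding` key type shows a dict degrading to O(n^2) inserts when every key lands in the same slot, and `hash_in_new_process` starts fresh interpreters to confirm that `str` hashes differ per process unless `PYTHONHASHSEED` pins the salt. All function and class names here are my own, not from the question or the CPython docs.

```python
import os
import subprocess
import sys
import time

class Colliding:
    """Constructed key type: every instance hashes to the same value but
    compares unequal, so each insert walks the whole chain of prior keys."""
    __slots__ = ("n",)
    def __init__(self, n):
        self.n = n
    def __hash__(self):
        return 1  # all keys share one probe sequence
    def __eq__(self, other):
        return isinstance(other, Colliding) and self.n == other.n

def insert_time(keys):
    """Seconds spent inserting the given keys into a fresh dict."""
    start = time.perf_counter()
    table = {}
    for key in keys:
        table[key] = True
    return time.perf_counter() - start

def collision_slowdown(n=2000):
    """How many times slower n all-colliding keys insert than n distinct ints:
    the colliding case does O(n^2) equality checks instead of O(n) work."""
    distinct = insert_time(range(n))
    colliding = insert_time(Colliding(i) for i in range(n))
    return colliding / distinct

def hash_in_new_process(text, seed=None):
    """hash(text) as computed by a freshly started interpreter. seed=None
    leaves randomization on (the default since 3.3); an integer seed pins
    the salt via PYTHONHASHSEED and makes hashes predictable again."""
    env = {k: v for k, v in os.environ.items() if k != "PYTHONHASHSEED"}
    if seed is not None:
        env["PYTHONHASHSEED"] = str(seed)
    result = subprocess.run(
        [sys.executable, "-c", f"print(hash({text!r}))"],
        env=env, capture_output=True, text=True, check=True,
    )
    return int(result.stdout)

def hashes_are_randomized(text="some-key"):
    """True when two fresh interpreters disagree on hash(text): the salt
    differs per process, so colliding keys cannot be precomputed."""
    return hash_in_new_process(text) != hash_in_new_process(text)
```

The same quadratic behaviour is what a request full of server-side-colliding `str` keys triggers when the hash is unsalted; with per-process salting the server's hash values are unknown to the sender.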

