Skip to content

Instantly share code, notes, and snippets.

benmmurphy /
Last active Nov 20, 2020
erlang hash dos review

Erlang hash-dos review.

TLDR. It's easy to generate collisions for phash and phash2 when hashing binaries. Erlang dict uses phash so if its possible to generate quadratic slow down by triggering collisions. ETS uses phash2 so its possible to generate quadratic slow down by triggering collisions in ETS. The good news is that even though erlang maps uses phash2 and its possible to generate collisions it does not seem easy to trigger a quadratic slow down because the hash array mapped trie implementation rehashes the input with a different prefix when it can't find a unique position in the trie and it looks like it is difficult to generate inputs that collide over multiple different prefixes.

This review is going to focus on taking the hash of binaries because this is the most likely user controllable input to the hash functions.


benmmurphy / RESULTS
Created Jul 6, 2018
non durable read benchmarks
synchronous_commit = off
tps = 2555.469688 (excluding connections establishing)
tps = 2627.757181 (excluding connections establishing)
tps = 2727.293028 (excluding connections establishing)
tps = 2511.608749 (excluding connections establishing)
tps = 2440.086908 (excluding connections establishing)
tps = 2534.304940 (excluding connections establishing)
View collect_acks_bench.erl
-export([bench_fifo/0, bench_lifo/0, bench_multiple/1]).
precondition_failed(S, _W) ->
%% NB: returns acks in youngest-first order
collect_acks(Q, 0, true) ->
{lists:reverse(queue:to_list(Q)), queue:new()};
View gist:e3d6ef6f4545683132ae2eb23c3840cb
# frozen_string_literal: true
require "bundler/inline"
rescue LoadError => e
$stderr.puts "Bundler version 1.10 or later is required. Please update your Bundler"
raise e
gemfile(true) do
View gist:d8174b48a436401a882d92ffcc09406d
tcpdump on client
nc server 21
16:18:59.306666 IP CLIENT.59382 > SERVER.ftp: Flags [S], seq 1992877459, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 364841380 ecr 0,sackOK,eol], length 0
16:18:59.310634 IP SERVER.ftp > CLIENT.59382: Flags [S.], seq 2239629857, ack 1992877460, win 32768, options [mss 1460,nop,wscale 3,nop,nop,TS val 1 ecr 364841380,sackOK,nop,nop], length 0
16:18:59.310693 IP CLIENT.59382 > SERVER.ftp: Flags [.], ack 1, win 4117, options [nop,nop,TS val 364841384 ecr 1], length 0
16:18:59.412387 IP SERVER.ftp > CLIENT.59382: Flags [F.], seq 1, ack 1, win 4197, options [nop,nop,TS val 2 ecr 364841384], length 0
16:18:59.412465 IP CLIENT.59382 > SERVER.ftp: Flags [.], ack 2, win 4117, options [nop,nop,TS val 364841485 ecr 2], length 0
16:18:59.412601 IP CLIENT.59382 > SERVER.ftp: Flags [R.], seq 1, ack 2, win 4117, length 0
View leak.js
var Promise = require('promise');
var weak = require('weak');
var makeCancelable = (promise) => {
let hasCanceled_ = false;
const wrappedPromise = new Promise((resolve, reject) => {
promise.then((val) =>
hasCanceled_ ? reject({isCanceled: true}) : resolve(val)
benmmurphy / erlang tls decryption
Created Feb 6, 2017
Dump secret key in wireshark format so tls connections can be decrypted. This uses the erlang:trace functionality which may destroy the performance of your node.
View erlang tls decryption
DumpMS = fun() ->
FindMs = fun(Socket) ->
Pid = element(3, Socket),
Connection = sys:get_state(Pid),
State = element(2, Connection),
Session = element(18, State),
SessionId = element(2, Session),
MasterSecret = element(7, Session),
{SessionId, MasterSecret}
View gist:359297eb0ea14fa6ab05d1b1c96c32b6
echo $'HTTP/1.1 301 Redirect\r\nLocation:\r\n\r\n' | nc -l -p 3000 & open http://localhost:3000
View redis.lua
local fail = function(msg)
print("[-] " .. msg)
local addbyte = function(b8, byte)
local carry = byte
local result = ''
for i=1, string.len(b8) do
View gist:eadd9edf5e77e7c65e868891d40667ac
postgres=# select NULL + 4;
(1 row)
postgres=# select SUM(foo) from (select NULL::integer as foo UNION all select 1) x;
You can’t perform that action at this time.