Description

Dictionary<string, ...> and some similar types have built-in defense-in-depth functionality that uses per-instance hash code randomization to defend against hash flooding attacks. While Hashtable has similar logic on .NET Framework when dealing with string keys, it does not on modern .NET. While hash codes may be randomized if the instance was created with a comparer like Ordinal, they won't be randomized per-instance.

See the "Instantiations known safe against hash flooding attacks" section of the Dictionary threat model being published in #108864 for more background. cc: @GrabYourPitchforks

Known Workarounds

Use a Dictionary instead :)
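
What per-instance randomization buys, as an added illustration that is not code from the issue or from the .NET runtime: keys built to collide under a predictable hash are compared under a comparer that draws a fresh secret per instance. The type names are hypothetical, the sum-of-characters hash is a deliberately weak stand-in, and HMAC-SHA256 is used here only as a convenient keyed function (it assumes .NET 6 or later).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Hypothetical comparer: every instance draws its own random key, so the hash
// code of a given string differs between instances and between processes.
sealed class PerInstanceKeyedComparer : IEqualityComparer<string>
{
    private readonly byte[] _key = RandomNumberGenerator.GetBytes(32);
    public bool Equals(string? a, string? b) => string.Equals(a, b, StringComparison.Ordinal);
    public int GetHashCode(string s) =>
        BitConverter.ToInt32(HMACSHA256.HashData(_key, Encoding.UTF8.GetBytes(s)), 0);
}

// Deliberately weak, unkeyed hash (sum of characters): a stand-in for any hash
// whose output can be predicted without knowing a secret.
sealed class FixedWeakComparer : IEqualityComparer<string>
{
    public bool Equals(string? a, string? b) => string.Equals(a, b, StringComparison.Ordinal);
    public int GetHashCode(string s) => s.Sum(c => (int)c);
}

static class Demo
{
    // Size of the largest set of keys that share one hash code under the comparer.
    static int LargestCollisionGroup(IEnumerable<string> keys, IEqualityComparer<string> cmp) =>
        keys.GroupBy(k => cmp.GetHashCode(k)).Max(g => g.Count());

    static void Main()
    {
        // Constructed sample: 1024 distinct strings, each ten "ab"/"ba" pairs,
        // so every string has the same character sum.
        List<string> keys = Enumerable.Range(0, 1024)
            .Select(i => string.Concat(Enumerable.Range(0, 10)
                .Select(bit => ((i >> bit) & 1) == 0 ? "ab" : "ba")))
            .ToList();

        var first = new PerInstanceKeyedComparer();
        var second = new PerInstanceKeyedComparer();

        Console.WriteLine($"distinct keys:              {keys.Distinct().Count()}");
        Console.WriteLine($"largest group, fixed hash:  {LargestCollisionGroup(keys, new FixedWeakComparer())}");
        Console.WriteLine($"largest group, instance 1:  {LargestCollisionGroup(keys, first)}");
        Console.WriteLine($"largest group, instance 2:  {LargestCollisionGroup(keys, second)}");
        // The same key hashes differently under each instance's secret.
        Console.WriteLine($"instances agree on \"abab\": {first.GetHashCode("abab") == second.GetHashCode("abab")}");
    }
}
```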