There currently is no way to define the parameters that CGI.pm will accept. Any good CGI program will check its parameters and ignore the ones it doesn't expect. Some will even produce errors if there are extra, unexpected parameters. In any case, this happens after the query string has been parsed and too late to prevent this DoS attack. It wouldn't be too complicated to modify CGI.pm to take a code reference, regular expression, or list to validate the parameters against.

The simplest fix is probably to change the hash function inside of Perl. Very few programs depend on the internals of the hash implementation, and those that do deserve to be broken. The quickest fix is if there are arbitrary parameters to vary those parameters randomly on startup or per hash table. The paper suggests using a better, less deterministic hash function.