Clojure is using Murmur3 throughout:
DJB, Jean-Philippe Aumasson, and Martin Boßlet have shown that Murmur3 is not resilient against hash collision attacks:
"Hash-flooding DoS reloaded: attacks and defenses" talk by DJB, Jean-Philippe Aumasson, and Martin Boßlet
"Breaking Murmur: Hash-flooding DoS Reloaded"
Python, Ruby, JRuby, Haskell, Rust, Perl, Redis... have all switched to SipHash
Last year Google dropped CityHash from Guava and replaced it with SipHash
SipHash Guava Implementation
SipHash Java reference implementation
Thanks, we've talked about this issue and some possible things we could do, but didn't have a ticket for it yet.
While the Java 7 approach relied on (attempting) to properly seed hash maps with string hash codes, that was all dropped in Java 8, which addressed DoS collision hash attacks by instead improving the data structure to switch from linear collisions to a red/black tree (log-time) for collisions. It's possible a similar approach could work in Clojure as well.
One workaround that could be used now is to wrap map keys in a custom type that implements IHashEq and implements an alternate hash function.