SSL connections can be used to take down servers from a single computer.
A tool released for download in Windows and Unix builds by German interest group The Hacker's Choice (THC) exploits the asymmetric cost of SSL connections, which demand up to 15 times more processing power from the server than from the client.
The same effect can be produced with OpenSSL alone.
The attack created thousands of SSL renegotiations over a single TCP connection.
An average server could be taken offline using about 30 per cent of a single computer's processing capacity.
The group said all SSL implementations were affected.
“A laptop on a DSL connection can challenge a server on a 30Gbit link,” the group said in a statement.
“The SSL handshake is only done at the beginning of a secure session and only if security is required. Servers are not prepared to handle a large amount of SSL handshakes.”
The attack also worked without SSL renegotiation by establishing new TCP connections for new handshakes.
The group refused to release a tool that would take down servers that do not support SSL renegotiation.
However, it did publish a brief bash script that carries out the renegotiation attack using OpenSSL.
-----BASH SCRIPT BEGIN-----
thc-ssl-dosit() { while :; do (while :; do echo R; done) | openssl s_client -connect 127.0.0.1:443 2>/dev/null; done }
for x in `seq 1 100`; do thc-ssl-dosit & done
-----BASH SCRIPT END-----
The SSL attacks were not the first to get around the large bandwidth capacity that serves as a defence for servers. The Slowloris DoS allows a single TCP connection to exhaust and down servers by sending partial requests that keep connections open.
To reduce susceptibility to the SSL handshake attack, the group said renegotiation should be disabled.
An SSL accelerator could be used, but it too could be overwhelmed by multiple SSL-DoS attacks, and ports other than 443 could also be targeted.
“No real solutions exist ... somebody should fix this.”
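From the defender's side, the two patterns described above (thousands of renegotiations on one TCP connection, and one fresh connection per handshake from the same client) both stand out as handshake rates no normal client produces. The following is an added Python example, not part of the article or of THC's tool, that applies sliding-window thresholds to per-handshake records; the record format, the addresses and the thresholds are assumptions constructed for this example, and a real feed would come from whatever handshake log the TLS terminator or a packet capture provides.

```python
"""Flag TLS-handshake floods from constructed per-handshake records.

Each record is (seconds since start, client IP, TCP connection id, kind),
where kind is "handshake" for a connection's initial handshake or
"renegotiation" for a client-initiated renegotiation on that connection.
This format is an assumption for the example; adapt it to your own log.
"""
from collections import defaultdict, deque

# Constructed sample: one connection doing 200 renegotiations in 2 s,
# one client opening 300 fresh connections in 15 s, and one normal client
# that renegotiates once after 29 s.
EVENTS = (
    [(0.0, "198.51.100.7", 1, "handshake")]
    + [(0.01 * i, "198.51.100.7", 1, "renegotiation") for i in range(1, 201)]
    + [(0.05 * i, "203.0.113.9", 1000 + i, "handshake") for i in range(300)]
    + [(1.0, "192.0.2.5", 42, "handshake"),
       (30.0, "192.0.2.5", 42, "renegotiation")]
)


def flag_handshake_floods(events, window=10.0, max_reneg_per_conn=10,
                          max_handshakes_per_ip=50):
    """Return (abusive (ip, conn) pairs, abusive ips) over a sliding window.

    A connection is flagged once it exceeds max_reneg_per_conn renegotiations
    within `window` seconds; a client IP is flagged once it exceeds
    max_handshakes_per_ip initial handshakes within `window` seconds.
    """
    reneg_times = defaultdict(deque)   # (ip, conn) -> renegotiation timestamps
    hs_times = defaultdict(deque)      # ip -> initial-handshake timestamps
    bad_conns, bad_ips = set(), set()
    for t, ip, conn, kind in sorted(events):
        if kind == "renegotiation":
            q, key, limit, hits = reneg_times[(ip, conn)], (ip, conn), max_reneg_per_conn, bad_conns
        else:
            q, key, limit, hits = hs_times[ip], ip, max_handshakes_per_ip, bad_ips
        q.append(t)
        while q and t - q[0] > window:    # evict timestamps outside the window
            q.popleft()
        if len(q) > limit:
            hits.add(key)
    return bad_conns, bad_ips


if __name__ == "__main__":
    conns, ips = flag_handshake_floods(EVENTS)
    print("abusive connections:", sorted(conns))
    print("abusive client IPs:", sorted(ips))
```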
Copyright © SC Magazine, Australia