This attack further exploits the SSL Secure Renegotiation feature to trigger thousands of renegotiations over a single TCP connection.
Usage
./thc-ssl-dos 127.3.133.7 443
Handshakes 0 [0.00 h/s], 0 Conn, 0 Err
Secure Renegotiation support: yes
Handshakes 0 [0.00 h/s], 97 Conn, 0 Err
Handshakes 68 [67.39 h/s], 97 Conn, 0 Err
Handshakes 148 [79.91 h/s], 97 Conn, 0 Err
Handshakes 228 [80.32 h/s], 100 Conn, 0 Err
Handshakes 308 [80.62 h/s], 100 Conn, 0 Err
Handshakes 390 [81.10 h/s], 100 Conn, 0 Err
Handshakes 470 [80.24 h/s], 100 Conn, 0 Err
Comparing flood DDoS vs. SSL-Exhaustion attack
This is turned upside down for THC-SSL-DOS: the processing capacity for SSL handshakes is far superior on the client side. A laptop on a DSL connection can challenge a server on a 30Gbit link. Traditional DDoS attacks based on flooding are suboptimal: servers are prepared to handle large amounts of traffic, and clients are constantly sending requests to the server even when not under attack.
The SSL handshake is only done at the beginning of a secure session and only if security is required. Servers are _not_ prepared to handle large numbers of SSL handshakes. The worst attack scenario is an SSL-Exhaustion attack mounted from thousands of clients (SSL-DDoS).
Tips & Tricks for Whitehats
- The average server can do 300 handshakes per second. This would require 10-25% of your laptop's CPU.
- Use multiple hosts (SSL-DOS) if an SSL Accelerator is used.
- Be smart in target acquisition: The HTTPS Port (443) is not always the best choice. Other SSL enabled ports are more unlikely to use an SSL Accelerator (like the POP3S, SMTPS, … or the secure database port).
No real solution exists. The following steps can mitigate (but not solve) the problem:
- Disable SSL-Renegotiation
- Invest in an SSL Accelerator
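Where renegotiation cannot be disabled, the attack still leaves a clear trace: a legitimate TCP connection performs one handshake, while an exhausted server sees many handshakes on the same connection within seconds. The following detector is an added example (not code from the THC-SSL-DOS project); it assumes a constructed log format with one line per completed handshake, "<epoch-seconds> <client-ip>:<port> handshake", and flags connections whose per-second handshake peak exceeds a threshold.

```python
"""Flag TCP connections that perform many TLS handshakes, the signature of a
renegotiation-based SSL exhaustion attack. Added example; the log format is a
constructed assumption: "<epoch-seconds> <client-ip>:<port> handshake"."""
from collections import defaultdict

# Constructed sample: one normal client (one handshake per connection) and one
# connection that renegotiates six times within a single second.
SAMPLE_LOG = """\
1319457600 198.51.100.7:40001 handshake
1319457600 198.51.100.7:40002 handshake
1319457601 203.0.113.9:51234 handshake
1319457601 203.0.113.9:51234 handshake
1319457601 203.0.113.9:51234 handshake
1319457601 203.0.113.9:51234 handshake
1319457601 203.0.113.9:51234 handshake
1319457601 203.0.113.9:51234 handshake
1319457602 198.51.100.7:40003 handshake
"""

def parse(log):
    """Yield (timestamp, connection) for each handshake line; skip malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "handshake":
            continue
        try:
            yield int(parts[0]), parts[1]
        except ValueError:
            continue

def find_renegotiation_abuse(log, max_per_window=3, window=1):
    """Return {connection: peak handshakes in any `window`-second span} for
    connections whose peak exceeds max_per_window. A legitimate connection
    handshakes once, so even a small threshold separates it from abuse."""
    times = defaultdict(list)
    for ts, conn in parse(log):
        times[conn].append(ts)
    flagged = {}
    for conn, stamps in times.items():
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):      # sliding window over sorted timestamps
            while stamps[end] - stamps[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_per_window:
            flagged[conn] = peak
    return flagged
```

Running `find_renegotiation_abuse(SAMPLE_LOG)` on the constructed log flags only the renegotiating connection; the threshold and window can be tightened once a baseline of the server's normal handshake rate is known.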
You can download THC-SSL-DOS here:
Windows: thc-ssl-dos-1.4-win-bin.zip
Linux: thc-ssl-dos-1.4.tar.gz