A group of researchers has released a tool that they say implements a denial-of-service attack against SSL servers by triggering a huge number of SSL renegotiations, eventually consuming all of the server’s resources and making it unavailable. The tool exploits a widely known issue with the way that SSL connections work.
The attack tool, released by a group called The Hacker’s Choice, is meant to exploit the fact that it takes a lot of server resources to handle SSL handshakes at the beginning of a session, and that if a client or series of clients sends enough session requests to a given server, the server will at some point fail. The condition can be worsened when SSL renegotiation is enabled on a server. SSL renegotiation is used in a number of scenarios, but most commonly when there is a need for a client-side certificate. The authors of the tool say that the attack will work on servers without SSL renegotiation enabled, but with some modifications.
“Interesting here is that a security feature that was supposed to make SSL more secure makes it indeed more vulnerable to this attack: SSL Renegotiation was invented to renegotiate the key material of an SSL connection. This feature is rarely used. In fact we could not find any software that uses SSL Renegotiation. Yet it’s enabled by default by most servers,” the researchers said in a blog post.
The tool, which the researchers released for both Windows and Unix, implements the attack by establishing a large number of SSL connections with a given server. They said that the attack can be mitigated by servers that have SSL acceleration hardware installed, which speeds up the processing of the SSL operation. The researchers say that the attack can be executed with just one client on a typical home link.
“A traditional flood DDoS attack cannot be mounted from a single DSL connection. This is because the bandwidth of a server is far superior to the bandwidth of a DSL connection: A DSL connection is not an equal opponent to challenge the bandwidth of a server. This is turned upside down for THC-SSL-DOS: The processing capacity for SSL handshakes is far superior at the client side: A laptop on a DSL connection can challenge a server on a 30Gbit link,” the advisory on the SSL DoS attack says.
Researchers have known about the problems with the SSL negotiation process for a long time and there have been other discussions about the issue over the years. In a post on Full Disclosure, Marsh Ray, a developer at PhoneFactor, who helped identify a serious flaw in SSL a couple of years ago, wrote that researchers have been considering this problem for some time.
“Anyone who cared enough to think about it would know that the basic idea was possible. From time to time people would rediscover various angles on the SSL DoS and for various reasons not go through with publishing the tool. This meant hard data was lacking and many folks who depend on the technology are insufficiently aware of their exposure,” he wrote in the post.