A newly released denial-of-service (DoS) tool can be used to bring down SSL (Secure Sockets Layer) servers using an average laptop computer and a standard DSL connection.
Called THC-SSL-DOS, the tool was created by German hacking outfit The Hackers Choice (THC) and exploits a rarely used, but widely available, feature in the SSL protocol called SSL renegotiation.
SSL renegotiation allows servers to modify the encryption key used to secure a session without actually terminating the connection and, according to the THC, is enabled by default on most servers.
“Renegotiating key material is a stupid idea from a cryptography standpoint,” the hacker group said. “If you are not happy with the key material negotiated at the start of the session then the session should be re-established and not renegotiated.”
Denial-of-service attacks typically involve sending a higher number of requests than servers can process at once. Usually, this requires attackers to at least match the bandwidth of their targets, which is why most DOS attacks are performed in a distributed manner from a large number of computers.
However, this is not the case with SSL exhaustion attacks because servers consume considerably more resources during SSL handshakes than clients. THC-SSL-DOS can trigger thousands of renegotiations via a single TCP connection, thus putting attackers at a clear advantage.
The Hackers Choice claims that running from a laptop with a standard DSL connection, its tool can challenge a server on a 30Gbps link. “The average server can do 300 handshakes per second. This would require 10 to 25 percent of your laptop’s CPU,” the group explains.
This type of attack is not new. In fact, vendors have known about the issue since 2003 and, according to the THC, the method was used in last year’s DoS attacks against MasterCard.
The hacking outfit decided to release the tool now because it has already been leaked online a couple of months ago. “We are hoping that the fishy security in SSL does not go unnoticed. The industry should step in to fix the problem so that citizens are safe and secure again,” a THC member said.
It’s worth pointing out that even without SSL renegotiation enabled, attackers can still use THC-SSL-DOS successfully against servers. However, such attacks would require more than a single laptop.
“It still works if SSL renegotiation is not supported but requires some modifications and more bots before an effect can be seen,” the group noted. “Taking on larger server farms who make use of SSL load balancers required 20 average size laptops and about 120kbit/sec of traffic,” it added.
This is not the first time when SSL renegotiation exposed servers to security risks. Back in November 2009, a Turkish grad student devised a proof-of-concept man-in-the-middle attack that exploited a vulnerability in this SSL feature to steal Twitter login credentials passed over secure connections.