Forget DDoS, attacking Secure Sockets Layer handshakes is much more effective.
Hackers have released a denial of service (DoS) tool that purportedly allows one computer on a standard DSL connection to knock out a web server on a 30 Gigabit link.
The attack tool THC-SSL-DOS, released on Monday by German group The Hacker's Choice (THC), exploits the fact that establishing a Secure Sockets Layer (SSL) protected connection requires more processing on the server than on the client connecting to it.
“Establishing a secure SSL connection requires 15x more processing power on the server than on the client,” THC claimed.
Instead of using distributed IP connections to overpower a web server on a faster connection, the tool allows a single IP to hammer the SSL handshake process, which on a typical server would be limited to around 300 handshakes per second, it added.
“A DSL connection is not an equal opponent to challenge the bandwidth of a server. This is turned upside down for THC-SSL-DOS: The processing capacity for SSL handshakes is far superior at the client side: A laptop on a DSL connection can challenge a server on a 30Gbit link,” THC explained.
Just 25 per cent of a single computer’s processing would be required to pull off that type of attack.
“Our tests reveal that the average server can be taken down from a single IBM laptop through a standard DSL connection,” THC said on its blog.
“Taking on larger server farms who make use of SSL Load balancer required 20 average size laptops and about 120kbit/sec of traffic.”
The attack works optimally on servers that support “SSL renegotiation” - a handshake process that occurs over an already established SSL connection, for example when the server requires additional client authentication. A minor tweak would make it work on servers that do not support the feature, which THC claimed was redundant but often enabled.
“Renegotiating key material is a stupid idea from a cryptography standpoint,” THC said. “If you are not happy with the key material negotiated at the start of the session then the session should be re-established and not re-negotiated.”
It claimed it released the tool after THC members realised the tool had leaked to the public a few months ago.
THC members demanded that the industry deliver a replacement for SSL, which has come under attack several times in recent months, most recently by the hackers targeting certificate authorities such as DigiNotar and Comodo.
While no real fix existed to prevent such attacks, the group recommended organisations disable SSL renegotiation and invest in an SSL accelerator.
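For defenders who cannot disable renegotiation straight away, the behaviour described above can be spotted in handshake logs. The following is an added example, not code from THC or from the article: it flags clients that exceed a handshake rate or a per-connection renegotiation count. The event format, the function names, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


def flag_handshake_abuse(events, window=1.0, max_handshakes=20, max_reneg=3):
    """Return {client_ip: sorted reasons} for clients exceeding either limit.

    events: (timestamp_s, client_ip, conn_id, kind) tuples ordered by time,
    where kind is "handshake" (new connection) or "renegotiate" (handshake
    over an existing connection). The limits are assumed values; the article
    only says a typical server manages around 300 handshakes per second.
    """
    recent = defaultdict(deque)  # ip -> handshake timestamps inside the window
    reneg = defaultdict(int)     # (ip, conn_id) -> renegotiations on that connection
    flagged = defaultdict(set)
    for ts, ip, conn, kind in events:
        if kind not in ("handshake", "renegotiate"):
            continue  # ignore unrelated log events
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= window:  # drop entries older than the window
            q.popleft()
        if len(q) > max_handshakes:  # both kinds cost the server a key exchange
            flagged[ip].add("handshake-rate")
        if kind == "renegotiate":
            reneg[(ip, conn)] += 1
            if reneg[(ip, conn)] > max_reneg:
                flagged[ip].add("renegotiation-count")
    return {ip: sorted(reasons) for ip, reasons in flagged.items()}


def sample_events():
    """Constructed events using documentation-range IP addresses."""
    events = [(0.00, "192.0.2.10", "c1", "handshake")]
    # One connection renegotiated 40 times in 0.4 s.
    events += [(0.01 * i, "192.0.2.10", "c1", "renegotiate") for i in range(1, 41)]
    # Ordinary client: three new connections, one per second.
    events += [(float(i), "198.51.100.7", f"b{i}", "handshake") for i in range(3)]
    # No renegotiation, but 50 fresh handshakes in half a second.
    events += [(2.0 + 0.01 * i, "203.0.113.5", f"n{i}", "handshake") for i in range(50)]
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for ip, reasons in flag_handshake_abuse(sample_events()).items():
        print(ip, reasons)
```

In practice the same per-client limits are better enforced at the TLS terminator or load balancer than derived from logs after the fact.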