The Hacker's Choice releases SSL DOS Tool
German hacker group "The Hacker's Choice" officially released a new DDoS tool. The tool exploits a weakness in SSL to kick a server off the Internet.
Establishing a secure SSL connection requires 15x more processingpower on the server than on the client.THC-SSL-DOS exploits this asymmetric property by overloading theserver and knocking it off the Internet.This problem affects all SSL implementations today. The vendors are awareof this problem since 2003 and the topic has been widely discussed.This attack further exploits the SSL secure Renegotiation featureto trigger thousands of renegotiations via single TCP connection.
Download:
Windows binary: thc-ssl-dos-1.4-win-bin.zip
Unix Source : thc-ssl-dos-1.4.tar.gz
Usage:
Use "./configure; make all install" to build and Run : ./thc-ssl-dos 127.3.133.7 443
Tips & Tricks for whitehats
1. The average server can do 300 handshakes per second. This would require 10-25% of your laptops CPU.
2. Use multiple hosts (SSL-DOS) if an SSL Accelerator is used.
3. Be smart in target acquisition: The HTTPS Port (443) is not always the best choice. Other SSL enabled ports are more unlikely to use an SSL Accelerator (like the POP3S, SMTPS, ... or the secure database port).
Counter measurements:
No real solutions exists. The following steps can mitigate (but not solve) the problem:
1. Disable SSL-Renegotiation
2. Invest into SSL Accelerator
More details at THC.