New wave of DDoS attacks on the way.

posted on Oct, 26 2011 @ 08:20 AM
It seems a new tool has just been released by the hacker group THC which could make DDoS attacks much easier for novice users to launch than ever before. This is likely to be a real headache for server admins worldwide.

I'm not going to provide the source for this article:

THC SSL DoS/DDoS Tool Released For Download: 24 Oct 2011

THC-SSL-DOS is a tool to verify the performance of SSL. Establishing a secure SSL connection requires 15x more processing power on the server than on the client. THC-SSL-DOS exploits this asymmetric property by overloading the server and knocking it off the Internet. This problem affects all SSL implementations today. The vendors have been aware of this problem since 2003 and the topic has been widely discussed.

This attack further exploits the SSL secure Renegotiation feature to trigger thousands of renegotiations via a single TCP connection.


Comparing flood DDoS vs. SSL-Exhaustion attack

A traditional flood DDoS attack cannot be mounted from a single DSL connection. This is because the bandwidth of a server is far superior to the bandwidth of a DSL connection: A DSL connection is not an equal opponent to challenge the bandwidth of a server.

This is turned upside down for THC-SSL-DOS: The processing capacity for SSL handshakes is far superior at the client side: A laptop on a DSL connection can challenge a server on a 30Gbit link. Traditional DDoS attacks based on flooding are suboptimal: Servers are prepared to handle large amounts of traffic and clients are constantly sending requests to the server even when not under attack.

The SSL-handshake is only done at the beginning of a secure session and only if security is required. Servers are _not_ prepared to handle large numbers of SSL Handshakes. The worst attack scenario is an SSL-Exhaustion attack mounted from thousands of clients (SSL-DDoS).


The main problem is that the average server can do 300 handshakes per second. This would only require 10-25% of your laptop's CPU.

Countermeasures:

No real solution exists. The following steps can mitigate (but not solve) the problem:

- Disable SSL-Renegotiation
- Invest into SSL Accelerator

Either of these countermeasures can be circumvented by modifying THC-SSL-DOS. A better solution is desirable. Somebody should fix this.


I found another article that suggests that not all servers are vulnerable though:


Most HTTPS sites already have SSL Renegotiation turned off, so they aren't vulnerable. Apache 2.2.14, IIS 7.0, and OpenSSL 0.9.8l and earlier all shipped with SSL Renegotiation enabled by default, making them potential targets. If you have newer versions, SSL Renegotiation is disabled by default. An Admin might've changed the setting, though, so it wouldn't hurt to make sure SSL Renegotiation is turned off.



edit on 26-10-2011 by PhoenixOD because: (no reason given)
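
A defender-side check for the pattern the quoted article describes (many renegotiations over one TCP connection), as an added example that is not part of the thread or of any tool mentioned in it. The log format, the thresholds and the sample events are constructed assumptions; 300 handshakes per second is the figure quoted in the post.

```python
from collections import defaultdict, deque

# Constructed sample events, one per line: "<epoch_seconds> <client_ip> <conn_id> <event>".
# HANDSHAKE = initial handshake, RENEG = renegotiation on the same TCP connection.
SAMPLE = "\n".join(
    ["100.00 198.51.100.7 c1 HANDSHAKE", "100.20 203.0.113.9 c2 HANDSHAKE"]
    + [f"{100.5 + i * 0.01:.2f} 198.51.100.7 c1 RENEG" for i in range(40)]
    + ["101.00 203.0.113.9 c2 RENEG", "130.00 203.0.113.9 c2 RENEG"]
)

def events(log_text):
    """Yield (timestamp, ip, conn_id, event) tuples, skipping blank lines."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, conn, event = line.split()
        if event not in ("HANDSHAKE", "RENEG"):
            raise ValueError(f"unknown event {event!r}")
        yield float(ts), ip, conn, event

def find_reneg_abuse(log_text, max_reneg=5, window=10.0):
    """Return {(ip, conn_id): peak_count} for connections with more than
    max_reneg renegotiations inside any `window`-second span.
    Assumes the log is ordered by time. Thresholds are illustrative."""
    recent = defaultdict(deque)  # (ip, conn) -> timestamps of recent RENEG events
    flagged = {}
    for ts, ip, conn, event in events(log_text):
        if event != "RENEG":
            continue
        q = recent[(ip, conn)]
        q.append(ts)
        while ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) > max_reneg:
            flagged[(ip, conn)] = max(flagged.get((ip, conn), 0), len(q))
    return flagged

def capacity_share(log_text, ip, handshakes_per_sec=300):
    """Fraction of the server's handshake capacity that one client consumed
    in its busiest whole second (initial handshakes plus renegotiations)."""
    per_sec = defaultdict(int)
    for ts, src, _, _ in events(log_text):
        if src == ip:
            per_sec[int(ts)] += 1
    return max(per_sec.values(), default=0) / handshakes_per_sec

if __name__ == "__main__":
    print(find_reneg_abuse(SAMPLE), capacity_share(SAMPLE, "198.51.100.7"))
```

A legitimate client rarely renegotiates more than once or twice per connection, so a low per-connection threshold separates the two sample clients cleanly.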



posted on Oct, 26 2011 @ 08:26 AM
reply to post by PhoenixOD
 


Interesting stuff, but why no source?

Curious.



posted on Oct, 26 2011 @ 08:28 AM

Originally posted by mr-lizard
reply to post by PhoenixOD
 


Interesting stuff, but why no source?

Curious.


Because the source is from a hacking site and includes a download link for the tool.



posted on Oct, 26 2011 @ 08:42 AM

Originally posted by PhoenixOD

Originally posted by mr-lizard
reply to post by PhoenixOD
 


Interesting stuff, but why no source?

Curious.


Because the source is from a hacking site and includes a download link for the tool.


The source is NOT a hacking site. They are a non commercial security group. Not all hackers are bad, many push the boundaries of technology and find security holes which in turn forces the corporations to make their product more secure, so YOU get what YOU are paying for. Instead of having to buy another bogus security tool. All security innovation comes from hackers. If you believe the MSM that all hackers are malicious, trespassing vandals then you are severely mistaken.



About

THC has assembled novel hackers from around the world. Our mission is to expose fishy security products and make sure that your rights are protected. Founded in 1995 THC has published over 70 papers and software releases. In contrast to most security companies, THC aims at analyzing and preventing novel, emerging security problems. The group fosters independent research not driven by commercial interests and paradigms. Currently, THC is among the top non-commercial security groups worldwide.



Read their site www.thc.org
and also read the difference between white hat and black hat hackers.
Visit www.hackaday.com for some good hardware hacking ideas
and remember anon are NOT hackers, they are script kiddies.
edit on 26-10-2011 by CrimsonMoon because: (no reason given)



posted on Oct, 26 2011 @ 08:47 AM
Easy fix, I see. Just turn off renegotiation.
This will be an issue for companies with no IT staff.



posted on Oct, 26 2011 @ 08:49 AM
reply to post by CrimsonMoon
 



The source is NOT a hacking site. They are a non commercial security group. Not all hackers are bad, many push the boundaries of technology and find security holes which in turn forces the corporations to make their product more secure, so YOU get what YOU are paying for. Instead of having to buy another bogus security tool. All security innovation comes from hackers. If you believe the MSM that all hackers are malicious, trespassing vandals then you are severely mistaken.


While the German-based THC group may not claim to be hackers, the article I have quoted in the OP IS from a hacking site and it includes a download link to the tool.



posted on Oct, 26 2011 @ 08:58 AM

Originally posted by PhoenixOD
reply to post by CrimsonMoon
 



The source is NOT a hacking site. They are a non commercial security group. Not all hackers are bad, many push the boundaries of technology and find security holes which in turn forces the corporations to make their product more secure, so YOU get what YOU are paying for. Instead of having to buy another bogus security tool. All security innovation comes from hackers. If you believe the MSM that all hackers are malicious, trespassing vandals then you are severely mistaken.


While the German-based THC group may not claim to be hackers, the article I have quoted in the OP IS from a hacking site and it includes a download link to the tool.


The source of the tool is THC; it was written as a proof of concept. Whatever source you are referring to will be a script kiddie site, not a hacking site. Don't tarnish hackers with the MSM definition of 'hacker'.

That any tool can be used as a weapon does not mean that the manufacturer is malicious. After all, should we now ban all screwdrivers and Stanley knives?

My above point still stands.



posted on Oct, 26 2011 @ 09:10 AM

Whatever source you are referring to will be a script kiddie site, not a hacking site. Don't tarnish hackers with the MSM definition of 'hacker'.


Just because a hacking site has a section in it to do with "tools" does not make it a strictly script kiddie site. Stop getting on your high horse over labels. The source article was not from the THC site; it was from a site that contained information on methods of all manner of hacking, virology and exploits that could be used for malicious purposes, so I decided not to include a direct link in the OP in case the MODS here didn't take too kindly to it.


edit on 26-10-2011 by PhoenixOD because: (no reason given)


