The German hacking groups known as “Hackers Choice” have released a program that they declare will allow for a Web server to be taken down by a single computer using a secure connection.
The program named The THC-SSL-DOS (The Hackers Choice-Secure Socket Layer-Denial of Service) tool was released to the public on Monday. Evidently this tool exploits a flaw in Secure Socket Layer (SSL) renegotiation protocol by barraging and overwhelming a system with numerous requests for secure connections. SSL renegotiation makes it possible for Web sites to create new security keys over and SSL connection that has already been established.
Hackers Choice has announced that it released the exploit to bring attention to the flaws existing in SSL, which enable sensitive data traffic to flow between Web sites and an individual user’s computer without being captured.
According to a blog posting by an anonymous member of the group: “We are hoping that the fishy security in SSL does not go unnoticed,” the member continued with: "The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century.”
The group has also stated that the exploit will also works on servers which do not have SSL renegotiation enabled, but requires some configuration and the addition of more attacking computers. The group states that this exploit would afford a single IBM laptop to take down an average Web server over a standard DSL connection. Establishing a SSL connection requires
Establishing an SSL connection is 15x more taxing on the processing power of the server than on the client. This program exploits this lopsided property by overloading the server and kicking it off the Internet. This problem affects all SSL implementations today. Vendors have been aware of this problem since 2003 and the topic has been discussed widely.
Both UNIX and Windows flavors of this program are freely available to the public at the following site: http://thehackernews.com/2011/10/hackers-choice-releases-ssl-ddos-tool.html. Thehackernews.com site also gives the following information:
Tips & Tricks for whitehats
1. The average server can do 300 handshakes per second. This would require 10-25% of your laptops CPU.
2. Use multiple hosts (SSL-DOS) if an SSL Accelerator is used.
3. Be smart in target acquisition: The HTTPS Port (443) is not always the best choice. Other SSL enabled ports are more unlikely to use an SSL Accelerator (like the POP3S, SMTPS, ... or the secure database port).
Counter measurements:
No real solutions exists. The following steps can mitigate (but not solve) the problem:
1. Disable SSL-Renegotiation
2. Invest into SSL Accelerator
I find it curious when groups like Hackers Choice release such powerful tools to the general public. I understand the argument that it forces vendors to seriously address the issues, but on the flipside of the coin, until a fix is provided we could see issues across the Internet because anyone with a computer now has the power to attack and potentially temporarily cripple Web sites. I think a better approach would be to announce that they have found an exploit and work with the vendors to correct the holes that they have found rather than arm the masses with a tool like this.
References:
New attack tool targets web servers using secure connections. Retrieved 26 October, 2011 from Web site: http://news.cnet.com/8301-1009_3-20125058-83/new-attack-tool-targets-web-servers-using-secure-connections/?tag=txt;title
Hackers Choice releases SSL-DDOS-Tool. Retrieved 26 October, 2011 from Web site: http://thehackernews.com/2011/10/hackers-choice-releases-ssl-ddos-tool.html
No comments:
Post a Comment