Attack Tool Exploits SSL Vulnerability to Create DoS Attack

“A German hacker group has released a new proof-of-concept tool for denial of service (DoS) attacks that exploits a weakness in SSL.

According to the group, known as The Hackers Choice (THC), the SSL vulnerability can be used to kick a server off the Internet.” [1]

A denial of service attack is probably the most widespread and easiest to accomplish by a novice hacker attack that is out there. It is especially popular with “hacktivist” groups like THC mentioned in the article because of the simplicity and lack of real knowledge that it requires to accomplish. There are many ways to accomplish a DoS attack, and the article addresses one such method that has been recently brought to the foreground. According to the article, establishing an SSL connection on a server requires 15 times more processing power than on the client [1]. These hackers have developed a tool to use that necessary processing power to their advantage in creating a DoS attack. Specifically, it targets SSL renegotiation. When the server doesn’t like the key, it tries to renegotiate the connection. The tool they made creates thousands of connection attempts to an SSL server on a single TCP connection, which eats up the processing power of the server and ultimately results in DoS. The group claims (and I agree) that SSL renegotiation is stupid. If you’re not happy with the key, terminate the connection and start a new one. This tool mainly targets servers that use SSL renegotiation.

One way of mitigating this tool’s effect is to disable SSL renegotation and use SSL accelerator hardware. But the group claims that even that will not stop the tool completely [1].

[1] http://www.securityweek.com/attack-tool-exploits-ssl-vulnerability-create-dos-attack

Advertisements

2 thoughts on “Attack Tool Exploits SSL Vulnerability to Create DoS Attack

  1. I wonder if there is a positive use for this tool? if not, can the creators be held at all responsible for the chaos it can potentially cause or does the fact that they are in Germany relieve them of this responsibility? this is more of a ethical question as discussed in class.

    • Well the title of the article is “Attack Tool…” so I don’t think there’s any way for this to be used for good purposes. I’m not aware of any reciprocity that the United States has with Germany with regards to cyber crime.

Comments are closed.