According to THC, this is a proof-of-concept tool that exploits a vulnerability in SSL. It can knock a server off the internet by exhausting its CPU. The tool is far from complete and could be greatly enhanced to increase its impact.

Comparing flood DDoS vs. SSL-Exhaustion attack:

A traditional flood DDoS attack cannot be mounted from a single DSL connection, because the bandwidth of a server is far superior to the bandwidth of a DSL connection: a DSL connection is not an equal opponent when challenging the bandwidth of a server. This is turned upside down for THC-SSL-DOS: for SSL handshakes, the balance of processing cost favours the client side, so a laptop on a DSL connection can challenge a server on a 30Gbit link. Traditional flood-based DDoS attacks are suboptimal: servers are prepared to handle large amounts of traffic, and clients are constantly sending requests to the server even when it is not under attack.

The SSL handshake is only done at the beginning of a secure session, and only if security is required. Servers are _not_ prepared to handle large numbers of SSL handshakes.

The worst attack scenario is an SSL-Exhaustion attack mounted from thousands of clients (SSL-DDoS).


Tips & Tricks for whitehats

  •  The average server can do 300 handshakes per second. This would require 10-25% of your laptop's CPU.
  •  Use multiple hosts (SSL-DOS) if an SSL Accelerator is used.
  •  Be smart in target acquisition: the HTTPS port (443) is not always the best choice. Other SSL-enabled ports are less likely to sit behind an SSL Accelerator (such as POP3S, SMTPS, … or the secure database port).

Countermeasures:

No real solution exists. The following steps can mitigate (but not solve) the problem:

1. Disable SSL renegotiation

2. Invest in an SSL Accelerator

Either of these countermeasures can be circumvented by modifying THC-SSL-DOS. A better solution is desirable. Somebody should fix this.
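Since neither countermeasure closes the problem, a defender still wants to notice an exhaustion attempt early. The following is an added example (not part of THC's tool or of this post) that detects a handshake or renegotiation flood from a server's log: it assumes a constructed log format of `<unix_ms> <client_ip> <event>`, and the per-client threshold of 20 events per second is an assumption chosen well below the page's figure of roughly 300 handshakes per second for an average server.

```python
"""Sliding-window detector for SSL/TLS handshake or renegotiation floods.

Assumed (constructed) log format, one event per line:
    <unix_ms> <client_ip> <event>
where <event> is "handshake" or "renegotiation".
"""
from collections import defaultdict, deque

# Constructed sample log: one client renegotiates every 10 ms (120 times),
# three ordinary clients perform a normal handshake every 1.5 s.
SAMPLE_LOG = "\n".join(
    [f"{1700000000000 + i * 10} 203.0.113.7 renegotiation" for i in range(120)]
    + [f"{1700000000000 + i * 500} 198.51.100.{i % 3 + 1} handshake" for i in range(20)]
    + ["this line is malformed and must be skipped"]
)


def parse_events(text):
    """Yield (timestamp_ms, client_ip, event) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        yield int(parts[0]), parts[1], parts[2]


def flag_offenders(text, window_ms=1000, max_per_window=20):
    """Return {client_ip: peak count} for every client that produced more than
    max_per_window handshake/renegotiation events inside any window_ms span.
    Events are sorted by timestamp first, so log order does not matter."""
    recent = defaultdict(deque)  # client_ip -> timestamps inside the window
    peak = {}
    for ts, ip, event in sorted(parse_events(text)):
        if event not in ("handshake", "renegotiation"):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window_ms:  # drop events older than the window
            q.popleft()
        if len(q) > max_per_window:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


if __name__ == "__main__":
    for ip, n in flag_offenders(SAMPLE_LOG).items():
        print(f"{ip}: up to {n} handshake events within 1 s")
```

A real deployment would feed this the server's own handshake log and rate-limit or block the flagged clients at the load balancer, which blunts a single-laptop SSL-DOS but not the distributed SSL-DDoS variant the post describes.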

Download THC’s SSL DOS Tool

