SSL Renegotiation Vulnerability Exploited via New Attack Tool to Launch DoS Attacks
A German hacker group has released a new proof-of-concept tool for denial of service (DoS) attacks that exploits a weakness in SSL.
According to the group, known as The Hackers Choice (THC), the SSL vulnerability can be used to kick a server off the Internet.
“We decided to make the official release after realizing that this tool leaked to the public a couple of months ago,” an unidentified member of THC said in a blog post.
DDoS has become a favorite tool of hacktivists, and gained significant media attention during the WikiLeaks-related protests last year, when Websites belonging to WikiLeaks critics were hit with attacks.
In a description of the tool published by the group, THC contends that establishing a secure SSL connection requires 15x more processing power on the server than on the client. The tool exploits this by overloading the server and knocking it off the Internet, the group explained, adding that vendors have been aware of this problem since 2003 and that the topic “has been widely discussed.”
“This attack further exploits the SSL secure Renegotiation feature to trigger thousands of renegotiations via single TCP connection,” the group said.
The tool works best if the server supports SSL renegotiation. If SSL renegotiation is not supported, some modifications and more bots are required before an effect can be seen, the group said.
“Renegotiating Key material is a stupid idea from a cryptography standpoint. If you are not happy with the key material negotiated at the start of the session then the session should be re-established and not re-negotiated,” according to the group.
The tool is currently available for Windows and Unix. For those concerned with mitigation, THC said disabling SSL renegotiation and utilizing SSL accelerator hardware can serve as a stop-gap solution. Both countermeasures however can be circumvented by modifying the tool, the group said.
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- Google Suspends Chinese Shopping App Amid Security Concerns
- Verosint Launches Account Fraud Detection and Prevention Platform
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
- Malicious NuGet Packages Used to Target .NET Developers
