New DOS tool overloads SSL servers with ease

The tool takes advantage of a feature in SSL that can be maliciously exploited

A newly released denial-of-service (DOS) tool can be used to bring down SSL servers using an average laptop computer and a standard DSL connection.

The hacking outfit decided to release the tool, called THC-SSL-DOS, now because it had already leaked online a couple of months earlier. "We are hoping that the fishy security in SSL does not go unnoticed. The industry should step in to fix the problem so that citizens are safe and secure again," a THC member said.

It's worth pointing out that even without SSL renegotiation enabled, attackers can still use THC-SSL-DOS successfully against servers. However, such attacks would require more than a single laptop.

"It still works if SSL renegotiation is not supported but requires some modifications and more bots before an effect can be seen," the group noted. "Taking on larger server farms who make use of SSL load balancers required 20 average size laptops and about 120kbit/sec of traffic," it added.
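The distinguishing signature of the renegotiation variant described above is many renegotiations over very few connections from one source. The following is an added example, not code from the article or from THC, that computes that ratio from a constructed handshake log (the log format and field names are assumptions) and flags sources that exceed a per-connection threshold; as the group notes, the variant that uses full handshakes instead would need a separate handshake-rate check.

```python
from collections import defaultdict

# Constructed sample log (not from the article). One event per line:
# "<unix_ts> <client_ip> <conn_id> <event>", where event is "handshake"
# (initial handshake) or "renegotiate" (client-requested renegotiation).
SAMPLE_LOG = """\
1320000000 198.51.100.4 a1 handshake
1320000001 198.51.100.4 a2 handshake
1320000002 198.51.100.4 a1 renegotiate
1320000000 203.0.113.7 b1 handshake
1320000000 203.0.113.7 b1 renegotiate
1320000000 203.0.113.7 b1 renegotiate
1320000001 203.0.113.7 b1 renegotiate
1320000001 203.0.113.7 b1 renegotiate
1320000001 203.0.113.7 b1 renegotiate
1320000002 203.0.113.7 b1 renegotiate
1320000002 203.0.113.7 b1 renegotiate
1320000002 203.0.113.7 b1 renegotiate
"""


def parse_events(log):
    """Yield (timestamp, client_ip, conn_id, event) tuples, skipping blank lines."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, conn, event = line.split()
        yield int(ts), ip, conn, event


def renegotiation_stats(log):
    """Per client IP: (connections seen, total renegotiations,
    most renegotiations on any single connection)."""
    conns = defaultdict(set)
    per_conn = defaultdict(lambda: defaultdict(int))
    for _, ip, conn, event in parse_events(log):
        conns[ip].add(conn)
        if event == "renegotiate":
            per_conn[ip][conn] += 1
    return {
        ip: (len(conns[ip]), sum(per_conn[ip].values()),
             max(per_conn[ip].values(), default=0))
        for ip in conns
    }


def flag_sources(log, max_reneg_per_conn=3):
    """Return IPs where one connection renegotiated more than max_reneg_per_conn times.
    Legitimate clients rarely renegotiate at all, so the threshold can be low."""
    stats = renegotiation_stats(log)
    return sorted(ip for ip, (_, _, peak) in stats.items() if peak > max_reneg_per_conn)
```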

This is not the first time SSL renegotiation has exposed servers to security risks. Back in November 2009, a Turkish grad student devised a proof-of-concept man-in-the-middle attack that exploited a vulnerability in this SSL feature to steal Twitter login credentials passed over secure connections.


Copyright © 2011 IDG Communications, Inc.