- SandBox Information Center
- Malware Analysis Search
- Articoli sulla sicurezza
- Blog sulla sicurezza [EN]
- Livello di pericolosità [EN]
- Minacce attuali di virus
- Tipi di malware [EN]
- Descrizione dei virus [EN]
- Statistiche sulla posta elettronica [EN]
- Testi, white paper generici ed altro
- La tecnologia Norman
Denial of Service attacks against secure web sites
Introduction
Secure communication has been the target of several types of attack this year. In our security article in June, Secure tokens turn insecure, we wrote about the attack against RSA, an event that turned out to have serious consequences for several high-profile vendors of military systems. In September we wrote about breaches in the security authorization model in Secure browsing turns insecure (again). And earlier this month we wrote about BEAST (Browser Exploit Against SSL/TLS).
Yet another threat against systems web communication
Earlier this week another threat against secure communication between a browser and a web server was revealed. The hacker group calling themselves The Hacker's Choice published a tool with the euphonious name THC-SSL-DOS.
This tool has the potential to target web servers running secure SSL protection by invoking a Denial of Service (DoS) attack.
If someone wants to perform a DoS attack against a web server or other type of Internet resource, quite a lot of computer power is required. This is one of the tasks that botnets may be used for. Several computers overwhelm e.g. a server with more requests than the server can manage to handle, leaving the server inaccessible for all legitimate purposes, in a Distributed Denial of Service (DDoS) attack.
Sympathizers with the Anonymous "hive" used DDoS attacks against, among others, VISA, MasterCard and PayPal less than a year ago as a protesting against these organizations' treatment of donations to WikiLeaks. Anonymous is known to prefer the DDoS tool LOIC (Low Orbit Ion Cannon).
The special feature that THC-SSL-DOS offers, is that a DoS attack against a secure web server can be performed from one computer or just a few computers. The reason why is that a web server configured to automatically renegotiate SSL sessions, has to perform extensive tasks to set up the secure communication. If a client reject the session, which is the trick used by THC-SSL-DOS, little computing power and bandwidth on the client side require lot of computing power on the server side.
Mitigation
According to The Hacker's group, the published version of THC-SSL-DOS "exploits the SSL secure Renegotiation feature to trigger thousands of renegotiations via single TCP connection".
Web servers may be configured to not use SSL-RENEGOTIATION, which will mitigate the danger that THC-SSL-DOS represents, although the authors claim that the product may be modified to work around this.
The many attacks and vulnerabilites that we have seen recently, strongly suggest that this security model needs strengthening or that it ought to be replaced by something more robust in order to ensure safe and secure communication whenever this is needed.
Using THC-SSL-DOS
THC-SSL-DOS may be used as an attacker's tool, but can of course also be used as a tool to test an organization's secure web servers.
We will strongly advice against using this tool to attack another organization's or person's web servers.
THC-SSL-DOS does not offer any mechanisms for hiding the user's origin, and in several countries, such use may be illegal.
References
