Today the German hacker group â€œThe Hackerâ€™s Choiceâ€ officially released a new DDoS tool. The tool exploits a weakness in SSL to kick a server off the Internet.
Technical details can be found at http://www.thc.org/thc-ssl-dos.
â€œWe decided to make the official release after realizing that this tool leaked to the public a couple of months agoâ€ said a member of THC who wants to remain anonymous.
The tool departs from traditional DDoS tools: It does not require any bandwidth and just a single attack computer (â€œbotâ€).
The THC-SSL-DOS attack is en par with other resource exhausting DDoS attacks. Some of those methods played a vital role in demonstrations against oppressive governments (like the DDoS attack against Iranâ€™s leader) and against companies that violate free speech (like the DDoS attack against Mastercard for closing Wikileakâ€™s non-profit donation account because of an alleged typo/misspelling in the application form).
â€œHere at THC the rights of the citizen and the freedom of speech are at the core of our researchâ€, says a member of THC in a private interview this morning.
â€œWe are hoping that the fishy security in SSL does not go unnoticed. The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century.â€, Says a THC member, referring to 3 major vulnerabilities disclosed in SSL over the past 3 years.
To list the 3 major vulnerabilities here THC explains: â€œIn 2009 a vulnerability was disclosed that broke the encryption of SSL. De-facto making all SSL traffic unsafe. In 2011 various Certification Authorities got hacked. De-facto making all SSL traffic unsafe _again_.â€
â€œWe warned in 2002 about giving hundreds of commercial companies (so called Certification Authorities) a master key to ALL SSL traffic.â€, says Fred Mauer, a senior cryptographer at THC. â€œOnly a real genius can come up with such an idea!â€.
â€œAnd last but not least the immense complexity of SSL Renegotiation strikes again in 2011 with the release of THC-SSL-DOS.â€.
â€œItâ€™s time for a new security model that adequately protects the citizens.â€.
The THC-SSL-DOS tool is a Proof Of Concept tool to disclose fishy security in SSL. It works great if the server supports SSL Renegotiation. It still works if SSL Renegotiation is not supported but requires some modifications and more bots before an effect can be seen.
Our tests reveal that the average server can be taken down from a single IBM laptop through a standard DSL connection.
Taking on larger server farms who make use of SSL Load balancer required 20 average size laptops and about 120kbit/sec of traffic.
All in all superb results.
Interesting here is that a security feature that was supposed to make SSL more secure makes it indeed more vulnerable to this attack:
SSL Renegotiation was invented to renegotiate the key material of an SSL connection. This feature is rarely used. In fact we could not find any software that uses SSL Renegotiation. Yet itâ€™s enabled by default by most servers.
An old saying comes true all over again: Complexity is the enemy of security.
â€œRenegotiating Key material is a stupid idea from a cryptography standpoint. If you are not happy with the key material negotiated at the start of the session then the session should be re-established and not re-negotiatedâ€, says THC.
- THC-SSL-DOS: http://www.thc.org/thc-ssl-dos
- Reverse SSL: http://eprint.iacr.org/2006/212.pdf
- DDoS explained: http://en.wikipedia.org/wiki/Denial-of-service_attack
Be the first to like this post.