Linda Hui (Hong Kong) - THC SSL - A New Attack with no Resolution

The THC SSL DoS tool exploits the lopsided cost of the SSL handshake, the step required to establish every secure online session: the server does far more cryptographic work per handshake than the client, so a small number of clients can drive a server's CPU to exhaustion.

According to an announcement made by the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT), cloud computing, smartphones and tablets have become the latest targets for hackers because of their fast-growing user bases: around 343 incidents were reported in 2011, 11% more than in 2010. The security incidents involving smartphones include phishing, in which hackers send links to fraudulent websites that steal users' credentials and data once they log in.

Now a new attack tool called THC SSL DoS has been released, which relies on resource exhaustion rather than raw bandwidth to deny service to target sites. Recent trends in these attacks show an increased interest in maximizing impact while minimizing effort, indicating a move away from traditional DoS attacks that overwhelm sites with traffic and toward attacks that rapidly consume server resources instead. Both have the same ultimate goal: overwhelming infrastructure, whether the server itself or the network devices in front of it, until the service is no longer available to legitimate users.

How does it work?

By THC's own estimate, establishing a secure SSL connection requires about 15 times more processing power on the server than on the client, because the server performs the expensive private-key operation in every handshake. THC SSL DoS exploits this asymmetry: where SSL renegotiation is enabled, a single client can force the server to repeat the full handshake thousands of times over one TCP connection, so a handful of ordinary machines can knock a well-provisioned server offline. The RFC 5746 "secure renegotiation" extension addresses a different flaw (handshake injection, disclosed in 2009) and does nothing to reduce the cost of a handshake, so it is no defence against this attack. According to THC, the problem affects all SSL implementations and vendors have been aware of it since 2003; the topic has been widely discussed since.

THC SSL DoS Tool Released

There is no protocol-level fix for this attack: any server that will perform a full SSL handshake on request can be made to do that work. Mitigation therefore focuses on absorbing the cost or refusing the requests. A common technique is the use of an SSL accelerator, i.e. a reverse-proxy capable device with specialized hardware designed to speed up SSL handshakes and the associated cryptographic operations. Advanced application delivery controllers in the market, like BIG-IP from F5 Networks, include such hardware by default and make use of its performance and capacity-enhancing abilities to offset the operational costs of supporting SSL-secured communication.

Application Delivery Controller Mitigation

There are actually several ways in which an advanced application delivery controller can mitigate the potential impact of this kind of attack. First and foremost is simply its higher capacity for connections and for SSL/RSA handshake operations. An advanced application delivery controller can manage many more connections, secure or not, than a typical web server, and so, depending on the hardware platform on which it is deployed, the mitigation may rest merely in having the controller in the path of the attack and terminating SSL there rather than on the web servers.

In the case that it is not, or if organizations desire a more proactive approach to mitigation, there are two additional options:

1. Disable SSL renegotiation – client-initiated renegotiation is in part the basis for the attack (it is what allows relatively few clients to force the server to consume more and more resources over a single connection). Disabling it may break some applications and clients, for example those that rely on renegotiation to request a client certificate for a protected part of a site, so this option probably ought to be left as a last resort, and the risks must be carefully weighed before deploying such a configuration. Note also that it raises the attacker's cost rather than removing it: without renegotiation, each forced handshake needs a fresh TCP connection, and each of those still costs the server a full handshake.

2. iRules – iRules let the BIG-IP intercept, parse, modify and route application traffic, which makes the device flexible enough to solve unusual application-delivery problems. An iRule can be deployed that drops any connection over which a client attempts to renegotiate more than five times in a given 60-second interval. As noted by the iRule's author, Jason Rahm, “By silently dropping the client connection, the iRule causes the attack tool to stall for long periods of time, fully negating the attack. There should be no false positives dropped, either, as there are very few valid use cases for renegotiating more than once a minute.”
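The rate-limit logic in option 2, as an added example that is not part of the original article and is not Jason Rahm's iRule (which runs as TCL on the BIG-IP): a plain-Python model of the same per-connection sliding window, replayed over a constructed handshake log. Every handshake on a connection after the first counts as a renegotiation; more than five inside any 60-second window marks the connection for a silent drop. The log format, timestamps and client addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
# Added example: sliding-window renegotiation limit modelled on the
# "more than five renegotiations in 60 seconds" rule described above.
# This is illustrative Python, not the BIG-IP iRule itself.
from collections import defaultdict, deque

MAX_RENEGOTIATIONS = 5   # more than this many inside one window -> drop
WINDOW_SECONDS = 60.0


class RenegotiationLimiter:
    """Per-connection sliding-window limit on SSL renegotiations.

    The first handshake on a TCP connection is the initial one and is always
    allowed; every later handshake on the same connection is a renegotiation.
    Once more than `max_renegotiations` of them fall inside `window` seconds,
    the connection is marked dropped and every later handshake on it is
    dropped too, which is what stalls the attack tool.
    """

    def __init__(self, max_renegotiations=MAX_RENEGOTIATIONS, window=WINDOW_SECONDS):
        self.max_renegotiations = max_renegotiations
        self.window = window
        self._seen = set()                          # connections past the initial handshake
        self._renegotiations = defaultdict(deque)   # conn -> renegotiation timestamps in window
        self.dropped = set()

    def on_handshake(self, conn, ts):
        """Record one handshake event on `conn` at time `ts`; return 'allow' or 'drop'."""
        if conn in self.dropped:
            return "drop"
        if conn not in self._seen:
            self._seen.add(conn)        # initial handshake, never counted
            return "allow"
        recent = self._renegotiations[conn]
        recent.append(ts)
        # Slide the window: forget renegotiations older than `window` seconds.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) > self.max_renegotiations:
            self.dropped.add(conn)
            return "drop"
        return "allow"


def replay(log_text, limiter=None):
    """Replay '<seconds> <client_ip:port>' handshake lines through the limiter.

    Returns (decisions, dropped): one (ts, conn, verdict) tuple per event and
    the set of connections the limiter would silently drop.
    """
    limiter = limiter or RenegotiationLimiter()
    decisions = []
    for line in log_text.splitlines():
        line = line.split("#", 1)[0].strip()    # the sample carries trailing comments
        if not line:
            continue
        ts_field, conn = line.split()
        ts = float(ts_field)
        decisions.append((ts, conn, limiter.on_handshake(conn, ts)))
    return decisions, limiter.dropped


# Constructed handshake log (seconds since start, client address). Connection
# 40001 behaves like the attack tool; 40002 renegotiates once every ten seconds
# and stays under the limit as the window slides; 50222 is an ordinary client.
SAMPLE_LOG = """
0.00 203.0.113.9:40001    # initial handshake
0.00 203.0.113.9:40002    # initial handshake
0.10 203.0.113.9:40001
0.20 203.0.113.9:40001
0.30 203.0.113.9:40001
0.40 203.0.113.9:40001
0.50 198.51.100.7:50222   # initial handshake
0.50 203.0.113.9:40001    # fifth renegotiation, still allowed
0.60 203.0.113.9:40001    # sixth inside 60 s -> dropped
0.70 203.0.113.9:40001    # connection already dropped
10.00 203.0.113.9:40002
20.00 203.0.113.9:40002
30.00 198.51.100.7:50222  # one renegotiation, e.g. client-cert step-up
30.00 203.0.113.9:40002
40.00 203.0.113.9:40002
50.00 203.0.113.9:40002
71.00 203.0.113.9:40002   # the 10.00 event has left the window -> allowed
"""

if __name__ == "__main__":
    decisions, dropped = replay(SAMPLE_LOG)
    for ts, conn, verdict in decisions:
        print(f"{ts:6.2f} {conn:22} {verdict}")
    print("dropped connections:", sorted(dropped))
```

The same window applies per connection, not per client address, matching the iRule's description; an attacker can of course open new connections, but each then pays its own initial handshake, which is the cost the tool was avoiding.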

Regardless of the mitigating technique used, advanced application delivery controllers such as BIG-IP can provide the operational security necessary to keep such resource-consumption attacks from affecting applications, by defeating the attack before it reaches the application infrastructure.

THC SSL DoS is a new attack that is affecting companies globally, yet few companies are aware of the threat. Data is an invaluable enterprise asset, and so is the availability of the systems that serve it, which is why enterprises need to implement IT solutions that keep them from becoming easy targets and create an environment of comprehensive data protection.

By Linda Hui, Managing Director - HK, Taiwan & GCG Strategic Products Development, F5 Networks Hong Kong Limited

