THC-SSL-DoS


This tool allows a single computer to knock web servers offline by targeting a well-known weakness in secure sockets layer implementations. All it takes is one computer with a simple Internet connection to use this tool to successfully attack. This is possible because the attack is asymmetric i.e., the single client request can cause the server to invest up to 15 times more resources.

SSL is generally used to prevent sensitive data from being monitored while the data travels between servers or between servers and end-users. This is done by establishing a secure channel in a process called the SSL handshake. This CPU-consuming SSL handshake is only done once, and servers are not prepared to handle large numbers of them. The protocol, however, has a ‘renegotiation’ option that is used to establish a new secret key.

The THC-SSL-DoS tool attacks the server by creating a situation known as SSL exhaustion, in which it renegotiates the keys again and again. Here is where the attack is asymmetric – the renegotiation requires the server to invest 15 times more effort from the CPU than from the attacker. Even if the server does not support the ‘renegotiation’ option, the attacker can alternatively open fresh SSL connections to cause the same affect. The attack, however, can be detected when it is noticed that there are too many SSL handshakes in a short period of time.