SSL weakness lets single laptop launch DoS attack on web server

Research collective The Hacker's Choice (THC) has released details of a new type of denial-of-service attack which exploits a known weakness in the Secure Sockets Layer (SSL) system to effectively enable a single laptop to take out a server.

Previously known for its work in highlighting flaws in Vodafone's Sure Signal femtocell product, the group said that it wanted to draw attention to "fishy security in SSL" with the new proof-of-concept tool.

"The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an ageing method of protecting private data which is complex, unnecessary and not fit for the 21st century," said a THC member.

THC-SSL-DOS exploits the fact that establishing an SSL connection requires 15 times more processing power on the server side than the client.

It works best by exploiting the SSL Renegotiation feature to trigger thousands of renegotiations via a single TCP connection, overloading the server.

THC explained that, with the average server able to perform 300 handshakes per second, this would require only 10 to 25 per cent of a typical laptop's CPU.

"The THC-SSL-DOS is a proof-of-concept tool to disclose fishy security in SSL. It works great if the server supports SSL Renegotiation. It still works if SSL Renegotiation is not supported but requires some modifications and more bots before an effect can be seen," said THC.

"Our tests reveal that the average server can be taken down from a single laptop through a standard DSL connection."

THC warned that the two main mitigation methods, disabling SSL Renegotiation and investing in SSL Acceleration, can both be circumvented and urged the community to find a fix for the problem.