THC SSL DoS/DDoS Tool Released For Download

A German group of Hackers known as Hackers Choice have released a program they assert will allow a single computer to take down a Web server using a secure connection

THC-SSL-DOS is a tool to verify the performance of SSL.Establishing a secure SSL connection requires 15x more processing power on the server than on the client. THC-SSL-DOS exploits this asymmetric property by overloading the server and knocking it off the Internet.

This problem affects all SSL implementations today. The vendors are aware of this problem since 2003 and the topic has been widely discussed. This attack further exploits the SSL secure Renegotiation feature to trigger thousands of renegotiations via single TCP connection.

Usage:
./thc-ssl-dos 127.3.133.7 443
Handshakes 0 [0.00 h/s], 0 Conn, 0 Err
Secure Renegotiation support: yes
Handshakes 0 [0.00 h/s], 97 Conn, 0 Err
Handshakes 68 [67.39 h/s], 97 Conn, 0 Err
Handshakes 148 [79.91 h/s], 97 Conn, 0 Err
Handshakes 228 [80.32 h/s], 100 Conn, 0 Err
Handshakes 308 [80.62 h/s], 100 Conn, 0 Err
Handshakes 390 [81.10 h/s], 100 Conn, 0 Err
Handshakes 470 [80.24 h/s], 100 Conn, 0 Err

Comparing flood DDoS vs. SSL-Exhaustion attack:

A traditional flood DDoS attack cannot be mounted from a single DSL connection. This is because the bandwidth of a server is far superior to the bandwidth of a DSL connection: A DSL connection is not an equal opponent to challenge the bandwidth of a server.

This is turned upside down for THC-SSL-DOS: The processing capacity for SSL handshakes is far superior at the client side: A laptop on a DSL connection can challenge a server on a 30Gbit link.

Traditional DDoS attacks based on flooding are sub optimal: Servers are prepared to handle large amount of traffic and clients are constantly sending requests to the server even when not under attack.

The SSL-handshake is only done at the beginning of a secure session and only if security is required. Servers are _not_ prepared to handle large amount of SSL Handshakes.

The worst attack scenario is an SSL-Exhaustion attack mounted from thousands of clients (SSL-DDoS).

Tips & Tricks for whitehats

1. The average server can do 300 handshakes per second. This would require 10-25% of your laptops CPU.
2. Use multiple hosts (SSL-DOS) if an SSL Accelerator is used.
3. Be smart in target acquisition: The HTTPS Port (443) is not always the best choice. Other SSL enabled ports are more unlikely to use an SSL Accelerator (like the POP3S, SMTPS, ... or the secure database port).

Counter measurements:

No real solutions exists. The following steps can mitigate (but not solve) the problem:

1. Disable SSL-Renegotiation
2. Invest into SSL Accelerator

Either of these countermeasures can be circumventing by modifying THC-SSL-DOS. A better solution is desireable. Somebody should fix this.

You can download THC-SSL-DOS here:

Windows: thc-ssl-dos-1.4-win-bin.zip
Linux: thc-ssl-dos-1.4.tar.gz

Hackers break SSL encryption used by millions of sites

Researchers discovered that the encryption that's supposed to protect us while surfing the web is totally exploitable by hackers with the necessary know-how.

Thai Duong and Juliano Rizzo plan to demonstrate a proof-of-concept code which will prove that SSL protocols are not as secure as everyone thought them to be.

The researchers claim that their Browser Exploit Against SSL/TLS code, or BEAST, will prove to the world that any cryptographic protocol before TLS 1.1 is vulnerable and can be deciphered fairly easily.

They will attempt to decode an authentication cookie used to log-in to a PayPal account, fact which will diminish the world's faith in one of the foundation blocks of internet security.

Even though later protocols, such as the TLS 1.1 and 1.2 don't present the same weakness, these versions are yet to be implemented into websites and browser applications, which means that most popular websites are unprotected.

The algorithm was laid down in the form of a JavaScript that intercepts encrypted cookies transferred by websites during the authentication process.

“BEAST is different than most published attacks against HTTPS,” stated Duong.

“While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests.”

What up until now has been considered to be more of a theoretical weakness has now become something real that puts us all in peril. BEAST is supposed to decrypt the authentication cookie used to access a PayPal account in 10 minutes, which is far less than anyone would expect.

So why don't website and browser developers do something about it, especially since TLS 1.1 is available since 2006?

In order to efficiently update all the security protocols, the process would have to be done by all the major players at once, otherwise, whenever a fix is attempted, incompatibilities will prevent applications that rely on the old system to work.

Out of all the browsers currently available, only Opera implements TLS 1.2 by default, while in Internet Explorer the technology is there, but lies dormant, waiting to be manually activated.

Google Chrome and Mozilla Firefox seem to be the last in this race as they seem to be waiting for each other to start the implementation.