Forgot your password?
typodupeerror
Encryption Security IT

New Attack Tool Exploits SSL Renegotiation Bug 47

Posted by Soulskill
from the increment-arms-race dept.
Trailrunner7 writes "A group of researchers has released a tool that they say implements a denial-of-service attack against SSL servers by triggering a huge number of SSL renegotiations, eventually consuming all of the server's resources and making it unavailable. The tool exploits a widely known issue with the way that SSL connections work. The attack tool, released by a group called The Hacker's Choice, is meant to exploit the fact that it takes a lot of server resources to handle SSL handshakes at the beginning of a session, and that if a client or series of clients sends enough session requests to a given server, the server will at some point fail. The condition can be worsened when SSL renegotiation is enabled on a server. SSL renegotiation is used in a number of scenarios, but most commonly when there is a need for a client-side certificate. The authors of the tool say that the attack will work on servers without SSL renegotiation enabled, but with some modifications."
This discussion has been archived. No new comments can be posted.

New Attack Tool Exploits SSL Renegotiation Bug

Comments Filter:
  • NON ISSUE (Score:5, Informative)

    by Anonymous Coward on Wednesday October 26, 2011 @12:24AM (#37840906)

    This is like the 3rd or 4th SSL renegotation bug. The last one had only one fix: disable SSL renegotiation altogether. Firefox helped speed it along, but marking ssl servers that allowed renegotiation as insecure. And openssl released an updated version to drop support for it.

    So pretty much every SSL server has renegotiation disabled.

    IIRC it was this bug: CVE-2009-3555 [nist.gov]

    • by BagOCrap (980854)

      I recently noticed that myself. Had to re-enable SSL renegotiation via about:config so I could login to various secure websites with my smartcard.

  • From what I have read, the renegotiation part only made the tool more effective, such that under optimal conditions a single laptop on ADSL was enough to bring down a server on a 30 gigabit connection. An SSL handshake still requires server resources, so perhaps we'll see this used in DDoS tools like LOIC.
    • LOIC DDOS' mostly relies on large bandwiths to disable their target - regardless of the server's processing capacity.
      This issue can be tackled with 3 lines of iptables (ratelimit connections/time and concurrent connections), at least for low capacities.
      Most clients are perfectly capable of HTTP keep-alive and thus we can set the limit significantly lower on HTTPS than on HTTP; all we need is a reverse proxy between Apache and the clients or apache mpm_event.
  • by crazybit (918023) on Wednesday October 26, 2011 @12:57AM (#37841008)
    Considering Facebook API now requires SSL/TLS for Facebook Apps, many servers had to turn on HTTPS just for this. It's just a matter of time until we see this widely exploited.
  • Is it a Bug? (Score:3, Interesting)

    by allo (1728082) on Wednesday October 26, 2011 @01:01AM (#37841020)

    Sounds more like a protocol flaw than a bug.

  • by triemer (569734) on Wednesday October 26, 2011 @01:32AM (#37841144)
    #1 - this has been a topic of conversation for a while #2 - per documentation at apache (Yes, I dare say a majority of web servers are running apache) There is a flag that can turn renegotiation on/off http://httpd.apache.org/docs/2.0/mod/mod_ssl.html [apache.org] Available in httpd 2.0.64 and later, if using OpenSSL 0.9.8m or later The default setting is: SSLInsecureRenegotiation off #3 - which leads to the conclusion that this is overhyped.
  • for i in {1..10}; do (while true; do wget https://poor.server; done)& done

    A dedicated tool may be even more efficient, but bash and wget do the trick too.

  • Good analysis of this at
    http://www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.html [educatedguesswork.org]

    As far as I can tell, Rescorla is trying to polity say this attack is crap. Shocking, yet another low grade hack trying to up publicity.

    • by Mysteray (713473)

      It's a real attack and a real DoS vector. SSL/TLS is definitely weak in this regard.

      But it's not new and it doesn't have much to do with renegotiation.

  • pop3s, imaps, smtps, etc. anything that uses ssl should be tested and is probably vuln (quick dovecot & sendmail tests were). I'd really like to see the "private" code that works w/o renegotiation in order to test against https.

  • by WaffleMonster (969671) on Wednesday October 26, 2011 @03:21AM (#37841476)

    This tool excels in finding bugs and session cache synchronization deadlocks in the latest daily snapshots of openssl.. I found two within 2 minutes..

  • ..Researchers, Hackers, Authors. Sounds like lots of people are involved, or are they all hackers (since they simply released it in the wild, i wouldn't say researchers)

    "A group of researchers has released a tool that they say implements a denial-of-service attack against SSL servers by triggering a huge number of SSL renegotiations, eventually consuming all of the server's resources and making it unavailable. The tool exploits a widely known issue with the way that SSL connections work. The attack tool, released by a group called The Hacker's Choice, is meant to exploit the fact that it takes a lot of server resources to handle SSL handshakes at the beginning of a session, and that if a client or series of clients sends enough session requests to a given server, the server will at some point fail. The condition can be worsened when SSL renegotiation is enabled on a server. SSL renegotiation is used in a number of scenarios, but most commonly when there is a need for a client-side certificate. The authors of the tool say that the attack will work on servers without SSL renegotiation enabled, but with some modifications."

  • iptables (Score:4, Informative)

    by ls671 (1122017) on Wednesday October 26, 2011 @04:41AM (#37841712) Homepage

    INTIF2=vmnet1
    PORTFWIP2=192.168.4.38

    $IPTABLES -A rule_j14 -m limit --limit 120/minute --limit-burst 50 -j ACCEPT
    $IPTABLES -A rule_j14 -m limit --limit 1/minute -j LOG --log-prefix "wharf"
    $IPTABLES -A rule_j14 -j DROP

    let i=0
    while [ $i -lt $EXTIF_LIST_SIZE ]
    do
    for redirport in 25 587 995 21 113 22 563 119
    do

    $IPTABLES -A INPUT -i ${EXTIF_LIST[i]} -p tcp --dport ${redirport} \
    -m state --state NEW -m limit --limit 1/minute \
    -j LOG --log-prefix "wharf wharf"

    $IPTABLES -A INPUT -i ${EXTIF_LIST[i]} -p tcp --dport ${redirport} \
    -m state --state NEW -j DROP
    $IPTABLES -A FORWARD -i ${EXTIF_LIST[i]} -o $INTIF2 -d ${MAIL_FW_IP[i]} -p tcp \
    --dport $redirport -m state --state NEW -j rule_j14

    $IPTABLES -A FORWARD -i ${EXTIF_LIST[i]} -o $INTIF2 -d ${MAIL_FW_IP[i]} -p tcp \
    --dport $redirport -m state --state ESTABLISHED,RELATED -j ACCEPT

    $IPTABLES -A PREROUTING -t nat -p tcp -d ${EXTIP_LIST[i]} --dport $redirport \
    -m state --state NEW -m hashlimit --hashlimit 60/hour --hashlimit-burst 15 \
    --hashlimit-htable-expire 3600000 --hashlimit-mode srcip,dstport \
    --hashlimit-name j14-${redirport} \
    -j DNAT --to ${MAIL_FW_IP[i]}:$redirport

    done
    let i=$i+1
    done

    • by sgt scrub (869860)

      for redirport in 25 587 995 21 113 22 563 119

      Not allowing any 443 (HTTPS) traffic should do the trick :P IMHO I would rethink allowing ftp and ssh from the outside world.

  • Don't SSL renegotiations have, or follow, packets with the PSH flag set? I'll have to check it out; but, I seem to remember it looks like one or the other. If someone knows off the top of their head it would be helpful.

    • by sgt scrub (869860)

      It looks like PSH is set ON the renegotiation packet.

      08:54:25.852659 IP localhost.localdomain.51515 > localhost.localdomain.6060: Flags [P.], seq 1:62, ack 1, win 513, options [nop,nop,TS val 19313608 ecr 19313608], length 61
      08:54:25.852793 IP localhost.localdomain.51516 > localhost.localdomain.6060: Flags [P.], seq 1:62, ack 1, win 513, options [nop,nop,TS val 19313609 ecr 19313609], length 61

  • Releasing this so called tool is just a hand out for the criminals that will use it. Why release such a dangerous tool to the public?
  • This is not a bug. We fixed renegotiation with the RFC 5746 RI extension! That said, SSL has long been known to impose more work on the server than on the client and renegotiations are no different than initial handshakes in this respect.

    Servers that accept client-initiated renegotiation make things slightly more efficient for the DoS attacker, it saves him maybe three packets. More significantly, it may bypass mitigations that are only looking for TCP SYN packets. But the attacker's mileage will vary.

    E

Kleeneness is next to Godelness.

Working...