Flooding SSL connections is one of the most common DDoS attacks
DDoS attacks are in the news all the time these days. We’ve gone in-depth on DDoS before, but for those of you just joining us, a Distributed Denial of Service attack is when multiple systems flood the bandwidth or resources of a targeted system. Basically, you get a bunch of computers to send a bunch of traffic at a server until it crashes. An SSL Flood is one such attack.
But before we get into what an SSL flood is, we need to cover a couple of other things first. Namely, Transmission Control Protocol (TCP), the layer on which the connection is first established. We’re not going to go too far into the technical side of things, but TCP flood attacks have been around for years and will likely continue to persist because DDoS detection and mitigation are largely reactive rather than proactive. By the time you realize you’re being DDoSed, you’re probably already seeing this:
Providers are getting more sophisticated in their ability to detect TCP flood attacks, though. And in turn – after all, this is a proverbial game of cat and mouse – the DDoSers are becoming more sophisticated and beginning to attack other layers.
Namely, the SSL/TLS layer.
What is an SSL Flood?
An SSL Flood or SSL Renegotiation attack takes advantage of the processing power needed to negotiate a secure TLS connection on the server side. It either sends copious amounts of garbage data to the server or constantly asks to renegotiate the connection, straining the server’s resources beyond their limits and knocking it offline. The attack works because the handshake is lopsided: the server carries the expensive public-key operations while the client’s share of the work is much smaller, so each request costs the attacker far less than it costs the server.
In terms of examples in the wild, there is the PushDo botnet, which targets the SSL/TLS handshake by overloading the SSL server with garbage data in an attempt to flood it. Because of how the SSL/TLS protocol is built, servicing a large number of handshake requests at once is computationally expensive for the server.
Another popular flood attack that targets the SSL handshake is the THC-SSL-DOS tool, which was originally positioned as a “bug” in the SSL protocol. THC-SSL-DOS targets the feature that renegotiates the encryption method used for the connection. Immediately after a successful connection, the tool renegotiates with the server to use a new encryption method, which forces the server to redo the handshake computation.
F5 found a way to deal with this second kind of attack by simply ignoring any connection that requested renegotiation a set number of times in a given timeframe. This had the added benefit of tricking the attacker into thinking the attack was working when in fact the requests were being ignored.
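The mitigation described above, as an added example that is not F5’s code or part of the original post: a per-connection sliding-window counter that lets a few renegotiations through and then silently ignores the rest, so the sender sees no error. It assumes a hypothetical hook that calls `on_renegotiation_request` with a connection id and the current time; the sample trace at the bottom is constructed.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class RenegotiationLimiter:
    """Sliding-window limiter for TLS renegotiation requests, per connection.

    Once a connection asks to renegotiate more than `max_renegotiations`
    times within `window_seconds`, further requests on that connection are
    reported as 'ignore': the server neither renegotiates nor closes the
    socket, so the sender gets no signal that its requests were dropped.
    """

    def __init__(self, max_renegotiations: int = 5, window_seconds: float = 60.0):
        self.max_renegotiations = max_renegotiations
        self.window_seconds = window_seconds
        # connection id -> timestamps of recent renegotiation requests
        self._events: Dict[str, Deque[float]] = defaultdict(deque)
        # connection id -> number of dropped requests (useful for alerting)
        self.ignored: Dict[str, int] = defaultdict(int)

    def _prune(self, conn_id: str, now: float) -> None:
        q = self._events[conn_id]
        while q and now - q[0] > self.window_seconds:
            q.popleft()  # forget requests that fell outside the window

    def on_renegotiation_request(self, conn_id: str, now: float) -> str:
        """Return 'process' if the handshake should run, 'ignore' to drop it."""
        self._prune(conn_id, now)
        q = self._events[conn_id]
        if len(q) >= self.max_renegotiations:
            self.ignored[conn_id] += 1
            return "ignore"
        q.append(now)
        return "process"

    def close_connection(self, conn_id: str) -> None:
        self._events.pop(conn_id, None)  # release state when the socket closes


def replay(trace: List[Tuple[float, str]], limiter: RenegotiationLimiter) -> List[Tuple[str, str]]:
    """Feed (timestamp, connection id) events through the limiter; return decisions."""
    return [(cid, limiter.on_renegotiation_request(cid, t)) for t, cid in trace]


# Constructed sample: one client renegotiates once; another asks every 0.1 s,
# then comes back after the 10 s window has expired.
SAMPLE_TRACE = [(0.0, "client-A")] + [(i * 0.1, "flood-B") for i in range(8)] + [(30.0, "flood-B")]
```

Run with `replay(SAMPLE_TRACE, RenegotiationLimiter(max_renegotiations=3, window_seconds=10.0))`; the `ignored` counter is the signal to feed into alerting, since the sender itself is never told.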
While we’ve only covered two major instances of flood attacks targeting SSL, more are being uncovered on a daily basis. Sadly, given the ever-evolving landscape of the internet, appliances and software can only do so much to combat DDoS attacks. Even major providers equipped with the latest and greatest appliances and software fall victim to DDoS attacks on a daily basis.
It’s best to be prepared to mitigate and have an action plan that can be spun up in minutes instead of waiting for the attack to stop.