SSL Servers No Match For Laptop-Based Hack

Published: 22/11/2024   Category: security




Tool lets hackers launch a denial-of-service attack from a single PC over a DSL connection.



SSL is in the hot seat again: a new, free tool is now circulating that can take down an HTTPS Web server in a denial-of-service attack using a single laptop over a DSL connection.
Researchers with a hacker group called The Hacker's Choice (THC) on Tuesday released the so-called THC-SSL-DOS tool, which abuses the SSL renegotiation feature, which basically re-performs the encryption handshake.
The tool lets an attacker use a single connection to relentlessly perform the renegotiation with the SSL server, eventually overwhelming it. "It's a constant renegotiation. Instead of forming new connections over and over again ... it increases the overhead of the server," said Tyler Reguly, manager of security research and development with nCircle.
It all comes down to an SSL feature, SSL renegotiation, that isn't typically needed for Web servers. "Unless you wanted to change the encryption level, it's not a necessity. Some SSL VPNs make extensive use of it, but it's not needed in the Web browsing world," Reguly said.
The hackers who wrote the tool recommend disabling SSL renegotiation. But even that won't completely prevent such a denial-of-service attack. "It still works if SSL renegotiation is not supported but requires some modifications and more bots before an effect can be seen," the THC hackers said in a statement.
For the tool to take down server farms with SSL load balancing, it requires using about 20 average-size laptops and 120 Kbps of traffic, they said.
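The attack pattern described above, a single connection performing renegotiation after renegotiation, is something a defender can spot in handshake logs. The following detector is an added example, not code from the article or from THC; it assumes a constructed log format (one line per TLS handshake event, "timestamp peer event") and flags any connection whose client-initiated renegotiations exceed a threshold inside a sliding time window.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from the article): one line per TLS
# handshake event, in the form "<ISO timestamp> <client:port> <event>".
# "handshake" is the initial handshake of a new connection, "renegotiate"
# a client-initiated renegotiation on an already-established connection.
SAMPLE_LOG = """\
2024-11-22T10:00:00 203.0.113.5:51000 handshake
2024-11-22T10:00:00 203.0.113.5:51000 renegotiate
2024-11-22T10:00:01 203.0.113.5:51000 renegotiate
2024-11-22T10:00:01 203.0.113.5:51000 renegotiate
2024-11-22T10:00:02 203.0.113.5:51000 renegotiate
2024-11-22T10:00:02 203.0.113.5:51000 renegotiate
2024-11-22T10:00:03 203.0.113.5:51000 renegotiate
2024-11-22T10:00:00 198.51.100.7:40001 handshake
2024-11-22T10:00:30 198.51.100.7:40001 renegotiate
"""


def parse_line(line):
    """Split one log line into (timestamp, peer, event)."""
    ts, peer, event = line.split()
    return datetime.fromisoformat(ts), peer, event


def find_renegotiation_abuse(log_text, window_seconds=10, max_renegotiations=5):
    """Return {peer: peak count} for connections that performed more than
    max_renegotiations client-initiated renegotiations within any
    window_seconds-long sliding window. A legitimate client renegotiates
    rarely (e.g. to change cipher strength); a sustained stream on one
    connection is the pattern the article attributes to THC-SSL-DOS."""
    recent = defaultdict(deque)  # peer -> timestamps of recent renegotiations
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, peer, event = parse_line(line)
        if event != "renegotiate":
            continue
        window = recent[peer]
        window.append(ts)
        # Drop renegotiations that have aged out of the sliding window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_renegotiations:
            flagged[peer] = max(flagged.get(peer, 0), len(window))
    return flagged
```

The thresholds are assumptions to tune against a baseline of normal renegotiation rates; the hardening the article mentions (disabling renegotiation server-side) removes the need for this check, while a detector like this covers servers where it must stay enabled.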
The new tool is reminiscent of the Slowloris attack tool, which keeps connections open by sending partial HTTP requests and sends headers at regular intervals to prevent the sockets from closing, and OWASP's Slow HTTP Post tool. There's also the open-source slowhttptest tool that checks a server's vulnerability to a Slowloris-type attack.
Read the rest of this article on Dark Reading.
