Tool lets hackers launch a denial-of-service attack from a single PC over a DSL connection.
SSL is in the hot seat again: A new, free tool is now circulating that can take down an HTTPS Web server in a denial-of-service attack using a single laptop via a DSL connection.
Researchers with a hacker group called The Hackers Choice (THC) Tuesday released the so-called THC-SSL-DOS tool that abuses the SSL renegotiation feature, which basically re-performs the encryption handshake.
The tool lets an attacker use a single connection to relentlessly perform the renegotiation with the SSL server, eventually overwhelming it. "It's a constant renegotiation. Instead of forming new connections over and over again ... it increases the overhead of the server," said Tyler Reguly, manager of security research and development with nCircle.
It all comes down to an SSL feature--SSL renegotiation--that isn't typically needed for Web servers. "Unless you wanted to change the encryption level, it's not a necessity. Some SSL VPNs make extensive use of it, but it's not needed in the Web browsing world," Reguly said.
The hackers who wrote the tool recommend disabling SSL renegotiation. But even that won't completely prevent such a denial-of-service attack. "It still works if SSL renegotiation is not supported but requires some modifications and more bots before an effect can be seen," the THC hackers said in a statement.
For the tool to take down server farms with SSL load balancing, it requires using about 20 "average size" laptops and 120 Kbps of traffic, they said.
The new tool is reminiscent of the Slowloris attack tool that keeps connections open by sending partial HTTP requests and sends headers at regular intervals to prevent the sockets from closing, and OWASP's Slow HTTP Post tool. There's also the open-source slowhttptest tool that checks a server's vulnerability to a Slowloris-type attack.
Enterprise Vulnerabilities From DHS/US-CERT's National Vulnerability DatabaseCVE-2018-12716 PUBLISHED: 2018-06-25
The API service on Google Home and Chromecast devices before mid-July 2018 does not prevent DNS rebinding attacks from reading the scan_results JSON data, which allows remote attackers to determine the physical location of most web browsers by leveraging the presence of one of these devices on its l...
An issue was discovered in the Linux kernel through 4.17.2. The filter parsing in kernel/trace/trace_events_filter.c could be called with no filter, which is an N=0 case when it expected at least one line to have been read, thus making the N-1 index invalid. This allows attackers to cause a denial o...
GIMP through 2.10.2 makes g_get_tmp_dir calls to establish temporary filenames, which may result in a filename that already exists, as demonstrated by the gimp_write_and_read_file function in app/tests/test-xcf.c. This might be leveraged by attackers to overwrite files or read file content that was ...