What is an SSL/TLS Exhaustion DDoS Attack?
SSL (now TLS, although the older name survives in product and tool names) is the encryption layer beneath many network protocols, added to protect confidentiality and integrity. As more transactions and services move behind SSL/TLS, attacks on those services rise with them. Many of these DDoS attacks are the standard floods and TCP connection-based state exhaustion attacks that have disrupted both secured and clear-text services for years, now aimed at SSL/TLS endpoints; what makes them worse here is that every connection the server accepts also costs it a handshake.
What Are the Signs of an SSL/TLS Exhaustion DDoS Attack?
An SSL/TLS DDoS attack targets the handshake, either by sending junk that the server must nonetheless attempt to process as a handshake, which ties up resources and causes connection failures for legitimate users, or by abusing legitimate features of the handshake protocol itself, such as renegotiation.
There are numerous known and potential DDoS attacks that exploit the SSL/TLS handshake to exhaust server resources. The Pushdo botnet does this simply by opening connections and sending garbage to a target SSL server. The handshake is computationally expensive, and the server spends that work trying to interpret the garbage as a legitimate ClientHello before it can reject it. Packet-filtering and stateful firewalls do not help here: they see correctly formed TCP connections and cannot tell a bogus handshake from a valid one without terminating TLS themselves.
Another SSL-based DDoS attack tool is THC-SSL-DOS, which completes a normal handshake and then immediately requests renegotiation of the session keys. As soon as that renegotiation completes it requests another, and so on, making the server repeat its most expensive handshake work over a single connection. If the server refuses client-initiated renegotiation (a standard security best practice, and the only behaviour possible under TLS 1.3, which removed renegotiation entirely), the tool instead closes the connection as soon as the handshake completes and opens a new one to start over. Either way the server pays for a full handshake each round, and the resulting resource exhaustion is effective at making services unavailable to legitimate users.
There are numerous other potential DDoS attacks that target various aspects of the SSL negotiation process to cause server overload and denial of service.
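The behaviours above (a junk-data flood, a renegotiation loop, a connect/handshake/close loop, and a known tool's client fingerprint) can each be turned into a detection rule. The following is an added example, not code from this page or from any vendor product: it runs four such rules over a few constructed log lines from a hypothetical TLS-terminating proxy. The log format, the thresholds, the connection IDs and the JA3 hashes are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Thresholds are illustrative assumptions for this example, not figures from the article.
WINDOW_SECONDS = 10.0           # sliding window for the per-source counters
MAX_HANDSHAKES_PER_SRC = 5      # full handshakes per source per window (connect/close loop)
MAX_FAILED_PER_SRC = 3          # handshakes that never completed per source per window (junk data)
MAX_RENEG_PER_CONN = 3          # client-initiated renegotiations on one connection (THC-SSL-DOS pattern)

# Constructed JA3 blocklist: a placeholder hash, not a real tool signature.
KNOWN_BAD_JA3 = {"deadbeefdeadbeefdeadbeefdeadbeef"}


@dataclass
class Event:
    ts: float
    src: str
    kind: str   # handshake | renegotiate | failed | appdata
    conn: str
    ja3: str    # MD5 of the ClientHello JA3 string, or "-" when not applicable


def parse_line(line: str) -> Event:
    """Parse one whitespace-separated record: ts src kind conn ja3 (hypothetical format)."""
    ts, src, kind, conn, ja3 = line.split()
    return Event(float(ts), src, kind, conn, ja3)


def _push_and_count(window: deque, ts: float) -> int:
    """Append ts, drop entries older than WINDOW_SECONDS, and return how many remain."""
    window.append(ts)
    while window and ts - window[0] > WINDOW_SECONDS:
        window.popleft()
    return len(window)


def analyze(lines):
    """Return sorted (rule, source) alerts for the behaviours described in the article."""
    alerts = set()
    handshakes = defaultdict(deque)   # src  -> timestamps of completed handshakes
    failures = defaultdict(deque)     # src  -> timestamps of handshakes that never completed
    renegs = defaultdict(int)         # conn -> client-initiated renegotiations seen so far
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.kind == "handshake":
            if ev.ja3 in KNOWN_BAD_JA3:                       # known attack-tool ClientHello
                alerts.add(("ja3_blocklist", ev.src))
            if _push_and_count(handshakes[ev.src], ev.ts) > MAX_HANDSHAKES_PER_SRC:
                alerts.add(("handshake_rate", ev.src))        # connect/handshake/close loop
        elif ev.kind == "renegotiate":
            renegs[ev.conn] += 1
            if renegs[ev.conn] > MAX_RENEG_PER_CONN:
                alerts.add(("renegotiation_abuse", ev.src))   # renegotiation loop on one connection
        elif ev.kind == "failed":
            if _push_and_count(failures[ev.src], ev.ts) > MAX_FAILED_PER_SRC:
                alerts.add(("garbage_handshakes", ev.src))    # junk that never became a session
        # "appdata" records are the benign outcome: a handshake that went on to carry traffic.
    return sorted(alerts)


# Constructed sample log using documentation address ranges; one record per line.
SAMPLE_LOG = """\
1700000000.000 198.51.100.20 handshake   c0  1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d
1700000000.050 198.51.100.20 appdata     c0  -
1700000001.000 203.0.113.7   handshake   c1  1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d
1700000001.100 203.0.113.7   renegotiate c1  -
1700000001.200 203.0.113.7   renegotiate c1  -
1700000001.300 203.0.113.7   renegotiate c1  -
1700000001.400 203.0.113.7   renegotiate c1  -
1700000002.000 203.0.113.8   handshake   c2  1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d
1700000002.200 203.0.113.8   handshake   c3  1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d
1700000002.400 203.0.113.8   handshake   c4  1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d
1700000002.600 203.0.113.8   handshake   c5  1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d
1700000002.800 203.0.113.8   handshake   c6  1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d
1700000003.000 203.0.113.8   handshake   c7  1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d
1700000004.000 203.0.113.9   failed      c8  -
1700000004.100 203.0.113.9   failed      c9  -
1700000004.200 203.0.113.9   failed      c10 -
1700000004.300 203.0.113.9   failed      c11 -
1700000005.000 203.0.113.10  handshake   c12 deadbeefdeadbeefdeadbeefdeadbeef
"""


def main():
    for rule, src in analyze(SAMPLE_LOG.splitlines()):
        print(f"{rule:20s} {src}")


if __name__ == "__main__":
    main()
```

Running it flags the renegotiation loop from 203.0.113.7, the reconnect loop from 203.0.113.8, the junk handshakes from 203.0.113.9 and the blocklisted fingerprint from 203.0.113.10, while the single completed session from 198.51.100.20 produces nothing. The per-source windows are the weak point against a distributed attack, which is why the aggregate view across many hosts matters as a second layer.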
Why Are SSL/TLS Exhaustion DDoS Attacks Dangerous?
SSL/TLS exhaustion DDoS attacks are dangerous because a single home computer can take down an SSL-encrypted web application, and a cluster of computers can knock out a large farm of secured services. These attacks are popular because they require minimal effort for maximum impact: the handshake is asymmetric, and with RSA key exchange the server's private-key operation costs roughly 15 times the client's public-key work (the figure cited by the THC-SSL-DOS authors; the exact ratio depends on key size and cipher suite, and ECDHE with an ECDSA certificate narrows it). The attacker spends little CPU to make the server spend a lot.
How to Mitigate and Prevent an SSL/TLS Exhaustion DDoS Attack
The recommended approach to preventing an SSL/TLS Exhaustion DDoS Attack is to:
- Put DDoS protection at the data center edge – in front of the DDoS attack surface.
- Be as invisible as possible, avoiding becoming part of the DDoS attack surface.
- Employ multiple levels of detection. Look at individual host behavior (limit the number of simultaneous connections per host and how often it may open new ones), analyze the aggregate behavior of many hosts, and check for known DDoS tool signatures, including JA3 TLS client fingerprints (a JA3 hash identifies a tool's ClientHello, so it is a useful signal but one an attacker can change). Also weigh other attributes such as known botnet membership, IP geolocation and reputation.
- Employ multiple levels of mitigation, such as packet-based, header-based, behavioral and challenge-response techniques that identify infected hosts and spoofed addresses, and use allow and deny lists to control access to services.
- Automate as much as possible, provide manual controls, and report what is going on: where traffic is coming from, where it is going, what is requested, at what rates, and what was blocked or passed. In short, stop DDoS attacks before they reach the attack surface and let the data center do what it was designed for.
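As an added example of the per-host layer in the list above (capping simultaneous connections and the rate of new ones, and cutting the cost of each handshake), here is an nginx server block. It is not configuration from this page or from any vendor; the zone names, limits, hostname, certificate paths and upstream address are assumptions.

```nginx
http {
    # Per-source state for the two limiters (assumed zone names and sizes).
    limit_conn_zone $binary_remote_addr zone=tls_conn:10m;
    limit_req_zone  $binary_remote_addr zone=tls_req:10m rate=10r/s;

    server {
        listen 443 ssl;
        server_name example.com;                        # assumed
        ssl_certificate     /etc/ssl/example.com.pem;   # assumed paths
        ssl_certificate_key /etc/ssl/example.com.key;

        # TLS 1.3 has no renegotiation at all, and nginx rejects client-initiated
        # renegotiation on TLS 1.2, so the THC-style loop degrades to reconnects.
        ssl_protocols TLSv1.2 TLSv1.3;

        # Session resumption turns most reconnects into abbreviated handshakes,
        # which skip the expensive server-side private-key operation.
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 1d;

        # Cap simultaneous connections and the request rate per source address.
        limit_conn tls_conn 20;
        limit_req  zone=tls_req burst=20 nodelay;
        limit_conn_status 429;
        limit_req_status  429;

        # Do not hold half-open or idle connections for long.
        client_header_timeout 10s;
        keepalive_timeout     15s;

        location / {
            proxy_pass http://127.0.0.1:8080;           # assumed upstream
        }
    }
}
```

Two caveats. limit_conn and limit_req act once a request has been read, which is after the handshake has already been paid for, so the reconnect loop also needs a new-connection rate limit in front of the TLS terminator (at the firewall or the data-center edge, as the first item in the list says). And because the server's cost per handshake is dominated by its private-key operation, serving an ECDSA certificate rather than RSA lowers the per-handshake price the attacker can impose.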