What is an SSL/TLS Exhaustion Attack?

SSL/TLS is the encryption layer used by many network protocols to improve security and protect privacy. As more transactions and services are protected by SSL/TLS, attacks on SSL-secured services are on the rise. Some of these DDoS attacks are the same flood and TCP connection state-exhaustion attacks that have been used for years to disrupt both secured and clear-text services, now adapted to target SSL services.

What Are the Signs of an SSL/TLS Exhaustion Attack?

An SSL DDoS attack targets the SSL handshake protocol, either by sending garbage data to the SSL server, which causes connection problems for legitimate users, or by abusing the SSL handshake protocol itself.

There are numerous known and potential DDoS attacks that exploit the SSL handshake to exhaust server resources. The Pushdo botnet accomplishes this quite easily by sending garbage data to a target SSL server. The SSL protocol is computationally expensive, and the server does extra work processing the garbage data as if it were a legitimate handshake. Firewalls don't help in this case because they are usually not capable of differentiating between valid and invalid SSL handshake packets.

Another SSL-based DDoS attack tool is THC-SSL-DOS, which completes a normal SSL handshake and then immediately requests a renegotiation of the encryption method. As soon as the renegotiation completes, it requests another, and so on. If the server has SSL renegotiation disabled (a standard security best practice), the tool simply closes the SSL connection as soon as the negotiation completes and opens a new connection to start the negotiation process all over again. Both patterns are extremely computationally expensive for the server and are effective at making services unavailable to legitimate users through resource exhaustion.

There are numerous other potential DDoS attacks that target various aspects of the SSL negotiation process to cause server overload and denial of service.

Why Are SSL/TLS Exhaustion Attacks Dangerous?

SSL/TLS Exhaustion DDoS Attacks present a real danger because a single home computer can take down an entire SSL-encrypted web application, and a cluster of computers is capable of knocking out a large farm of secured online services. These DDoS attacks are highly popular because they require minimal effort for maximum impact: each SSL session handshake exhausts 15 times more resources on the server side than on the client side.

How to Mitigate and Prevent an SSL/TLS Exhaustion Attack

The recommended approach to preventing an SSL/TLS Exhaustion DDoS Attack is to:

  • Put DDoS protection at the data center edge – in front of the DDoS attack surface.
  • Be as invisible as possible, avoiding becoming part of the DDoS attack surface.
  • Employ multiple levels of detection. Monitor individual host behavior, including limiting the number of simultaneous connections per host and how often a host may establish new connections; analyze the aggregate behavior of multiple hosts; check for known DDoS attack tool signatures, including JA3 TLS fingerprints; and analyze other attributes such as botnet traffic, IP geolocation and reputation.
  • Employ multiple levels of mitigation, such as packet-based, header-based, behavioral and challenge-response techniques that identify infected hosts and spoofed addresses, and use allow and block lists to control access to services.
  • Automate as much as possible, provide manual controls, and report what is going on: where traffic is coming from, where it is going, what is requested, at what rates, what was blocked and what was passed. In short, stop DDoS attacks before they reach the attack surface and let the data center do what it was designed for.
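The following is an added example, not NETSCOUT's code, that implements the per-host detection checks from the list above against the two handshake-abuse patterns described earlier (connection churn and repeated renegotiation). It parses a constructed TLS handshake log (format, thresholds, hosts and the JA3 values are all assumptions for the example) and flags hosts that exceed a new-connection rate limit, request too many renegotiations on one connection, or present a JA3 fingerprint on a known-bad list.

```python
"""Added example (not from the page or NETSCOUT): per-host TLS handshake
rate limiting, renegotiation-storm detection and JA3 signature matching
over constructed log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set

# Tunable thresholds; these values are assumptions for the example.
MAX_HANDSHAKES_PER_WINDOW = 5     # new handshakes one host may start ...
WINDOW = timedelta(seconds=10)    # ... within this sliding window
MAX_RENEGOTIATIONS_PER_CONN = 3   # client-initiated renegotiations tolerated per connection

# Constructed placeholder standing in for a real DDoS-tool JA3 signature list.
KNOWN_BAD_JA3: Set[str] = {"deadbeef00000000000000000000bad1"}

# Constructed log lines (no real server); fields:
# <ISO time> <src_ip> <conn_id> <event> <ja3_hash>
# Host .10 is a normal client, .20 renegotiates repeatedly on one connection,
# .21 opens many new connections quickly, .22 matches the bad JA3 list.
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.10 a1 handshake 11111111111111111111111111111111
2024-05-01T10:00:06 198.51.100.10 a2 handshake 11111111111111111111111111111111
2024-05-01T10:00:01 203.0.113.20 b1 handshake 11111111111111111111111111111111
2024-05-01T10:00:01 203.0.113.20 b1 renegotiation 11111111111111111111111111111111
2024-05-01T10:00:02 203.0.113.20 b1 renegotiation 11111111111111111111111111111111
2024-05-01T10:00:02 203.0.113.20 b1 renegotiation 11111111111111111111111111111111
2024-05-01T10:00:03 203.0.113.20 b1 renegotiation 11111111111111111111111111111111
2024-05-01T10:00:02 203.0.113.21 c1 handshake 11111111111111111111111111111111
2024-05-01T10:00:02 203.0.113.21 c2 handshake 11111111111111111111111111111111
2024-05-01T10:00:03 203.0.113.21 c3 handshake 11111111111111111111111111111111
2024-05-01T10:00:03 203.0.113.21 c4 handshake 11111111111111111111111111111111
2024-05-01T10:00:04 203.0.113.21 c5 handshake 11111111111111111111111111111111
2024-05-01T10:00:04 203.0.113.21 c6 handshake 11111111111111111111111111111111
2024-05-01T10:00:05 203.0.113.22 d1 handshake deadbeef00000000000000000000bad1
"""


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log format into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, conn, event, ja3 = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "conn": conn, "event": event, "ja3": ja3})
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events: List[dict]) -> Dict[str, List[str]]:
    """Return {src_ip: [reasons]} for every host that trips a check."""
    findings: Dict[str, List[str]] = defaultdict(list)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # handshake times per host
    renegs: Dict[str, int] = defaultdict(int)                # renegotiations per connection
    flagged_rate: Set[str] = set()
    flagged_conn: Set[str] = set()

    for e in events:
        ip = e["ip"]
        if e["event"] == "handshake":
            # Signature check: JA3 fingerprint of the ClientHello on a known-bad list.
            if e["ja3"] in KNOWN_BAD_JA3:
                reason = f"JA3 {e['ja3']} matches a known DDoS-tool fingerprint"
                if reason not in findings[ip]:
                    findings[ip].append(reason)
            # Rate check: new handshakes per host inside a sliding window
            # (catches the close-and-reconnect pattern).
            q = recent[ip]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > WINDOW:
                q.popleft()
            if len(q) > MAX_HANDSHAKES_PER_WINDOW and ip not in flagged_rate:
                flagged_rate.add(ip)
                findings[ip].append(
                    f"{len(q)} handshakes within {WINDOW.seconds}s exceeds limit")
        elif e["event"] == "renegotiation":
            # Renegotiation-storm check on a single connection.
            renegs[e["conn"]] += 1
            if (renegs[e["conn"]] > MAX_RENEGOTIATIONS_PER_CONN
                    and e["conn"] not in flagged_conn):
                flagged_conn.add(e["conn"])
                findings[ip].append(
                    f"connection {e['conn']} requested more than "
                    f"{MAX_RENEGOTIATIONS_PER_CONN} renegotiations")
    return dict(findings)


def run_sample() -> Dict[str, List[str]]:
    """Run the detector over the constructed log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for host, reasons in run_sample().items():
        print(host, "->", "; ".join(reasons))
```

In a real deployment the thresholds would be tuned against the server's normal handshake rate, and a flagged host would feed the mitigation layer (a block list entry or a challenge) rather than just being printed; the per-host counters are the same ones a rate-limiting edge device keeps.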

How can NETSCOUT help?

NETSCOUT's Arbor DDoS solution has been protecting the world’s largest and most demanding networks from DDoS attacks for more than a decade. We strongly believe that the best way to protect your resources from modern DDoS attacks is through a multi-layer deployment of purpose-built DDoS mitigation solutions.

Only with a tightly integrated, multi-layer defense can you adequately protect your organization from the full spectrum of DDoS attacks.

  • Arbor Cloud – Tightly integrated, multi-layer DDoS protection
  • Arbor Edge Defense – On-Premises
  • Arbor SP/Threat Mitigation System – High Capacity On-Premise Solution for Large Organizations

NETSCOUT customers enjoy a considerable competitive advantage by combining a micro view of their own network, via our products, with a macro view of global Internet traffic, via NETSCOUT Omnis Threat Horizon, an interface to our ATLAS threat intelligence and DDoS Attack Map visualization.