[TLS] SSL Renegotiation DOS
"Jorge A. Orchilles" <jorge@orchilles.com> Tue, 15 March 2011 11:30 UTC
Return-Path: <jorge@orchilles.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6E52C3A6C7B for <tls@core3.amsl.com>; Tue, 15 Mar 2011 04:30:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.714
X-Spam-Level:
X-Spam-Status: No, score=-1.714 tagged_above=-999 required=5 tests=[AWL=-0.307, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.001, J_CHICKENPOX_24=0.6, J_CHICKENPOX_26=0.6, RCVD_IN_DNSWL_LOW=-1, URI_HEX=0.368]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2eEPnTFfBi0N for <tls@core3.amsl.com>; Tue, 15 Mar 2011 04:30:10 -0700 (PDT)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id 4F8363A6B3A for <tls@ietf.org>; Tue, 15 Mar 2011 04:30:09 -0700 (PDT)
Received: by fxm15 with SMTP id 15so491653fxm.31 for <tls@ietf.org>; Tue, 15 Mar 2011 04:31:33 -0700 (PDT)
Received: by 10.223.75.196 with SMTP id z4mr1377721faj.83.1300188691842; Tue, 15 Mar 2011 04:31:31 -0700 (PDT)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by mx.google.com with ESMTPS id n26sm365273fam.13.2011.03.15.04.31.30 (version=SSLv3 cipher=OTHER); Tue, 15 Mar 2011 04:31:31 -0700 (PDT)
Received: by fxm15 with SMTP id 15so491608fxm.31 for <tls@ietf.org>; Tue, 15 Mar 2011 04:31:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.61.18 with SMTP id r18mr1288312fah.140.1300188688497; Tue, 15 Mar 2011 04:31:28 -0700 (PDT)
Received: by 10.223.124.10 with HTTP; Tue, 15 Mar 2011 04:31:28 -0700 (PDT)
Date: Tue, 15 Mar 2011 08:31:28 -0300
Message-ID: <AANLkTin2i3+K8oV68pZFJ0xabjEugJLePyZTTaZSr0VE@mail.gmail.com>
From: "Jorge A. Orchilles" <jorge@orchilles.com>
To: tls@ietf.org
Content-Type: multipart/alternative; boundary="0015173fef66eb3c8f049e83c4e1"
Subject: [TLS] SSL Renegotiation DOS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Mar 2011 11:30:11 -0000
Hello all, Marsh Ray has invited me to present my research and report on SSL/TLS Renegotiation Denial of Service on this mailing list. I have posted this on my site and will paste here for your feedback: http://orchilles.com/2011/03/ssl-renegotiation-dos.html *SSL/TLS Renegotiation Denial of Service* An SSL/TLS handshake requires at least 10 times more processing power on the server than on the client. The handshake is only performed at the beginning of a secure connection to establish it. When SSL/TLS Renegotiation is enabled on the server, a user is allowed to send a renegotiation request which initiates a new handshake. Since it takes much less resources for a client to perform a handshake, requesting multiple handshakes per second could cause a denial of service on the server side SSL/TLS interface. Therefore, if a malicious user on one host requests multiple renegotiation requests it will exhaust the server’s resources and not allow any other user to establish a connection. This attack is different than a Distributed Denial of Service (DDOS) as it does not require the volume, or botnet, to exhaust the network connection. Instead it exhausts the server resources from a single host requiring only a single TCP/IP socket. A single server can perform between 150-300 handshakes per second. While a single client can request up to 1000 handshakes per second. A preventive measure to this issue would be to disable SSL/TLS Renegotiation. The vendor of your specific SSL Implementation should have documentation on disabling this “feature.” Performing rate-limiting on new incoming TLS connections AND renegotiations would also be a preventive method; most implementations only perform rate-limiting on new connections if at all. A mitigation would be to use an SSL Accelerator, although adding one or two more hosts to your attack would render it useless as well. Current DOS and DDOS detection and mitigation strategies will not work with this attack as the initial handshake is legit and the renegotiation requests are made directly with the server after the network and application layer controls/filters. There are multiple ways to determine if SSL/TLS Renegotiation is enabled. Nasko Oskov <http://netsekure.org/2009/11/tls-renegotiation-test/> site, Nessus has a plugin for it<http://www.nessus.org/plugins/index.php?view=single&id=42880> ,Qualys has a site to test for it <https://www.ssllabs.com/ssldb/index.html>, and you can do so manually with OpenSSL (thanks to Ivan Ristic<http://blog.ivanristic.com/2009/12/testing-for-ssl-renegotiation.html> ): - openssl s_client -connect ip:port - HEAD / HTTP/1.0 - R The Hackers Choice <http://www.thc.org/> semi-silently released a proof of concept tool <http://www.thc.org/thc-ssl-dos/thc-ssl-dos-1.4.tar.gz> on February 28, 2011 at DC4420 <http://dc4420.org/> that performs the described denial of service against servers that allow SSL/TLS Renegotiation. I recommend reading the source code before running it and ensure you have permission to run a denial of service attack against the target. To use the tool, I used BackTrack: - Download: wget http://www.thc.org/thc-ssl-dos/thc-ssl-dos-1.4.tar.gz - Extract: tar -zvxf thc-ssl-1.4.tar.gz - View files and source: cd thc-ssl-dos/src - Edit the source: vim thc-ssl-dos.c - I recommend adding a 1 instead of 0 to the two flags required to run the program. You may also edit the max amount of connections. - Configure: cd .. Then: ./configure - Install: make all install - Run: cd src Then: ./thc-ssl-dos ip port - Options include: -l x where x is the number of connections, the default is 400. I have calculated this as a High risk issue using CVSS v2: 8.6 (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:P/RL:W/RC:C/CDP:ND/TD:ND/CR:H/IR:H/AR:H) I would like to thank all that provided feedback and peer review for this issue: Ron Gula and Tenable, Steve Dispensa, Nasko Oskov<http://netsekure.org/>, Marsh Ray, and Kai Engert. Please leave a comment or use the contact form<http://orchilles.com/contact> to provide feedback or request denial of service proof of concept testing on your site. Best Regards, Jorge Orchilles Best Regards, Jorge Orchilles
- Re: [TLS] SSL Renegotiation DOS Jorge A. Orchilles
- [TLS] SSL Renegotiation DOS Jorge A. Orchilles
- Re: [TLS] SSL Renegotiation DOS Nikos Mavrogiannopoulos
- Re: [TLS] SSL Renegotiation DOS Steve Dispensa
- Re: [TLS] SSL Renegotiation DOS Joe Orton
- Re: [TLS] SSL Renegotiation DOS Dr Stephen Henson
- Re: [TLS] SSL Renegotiation DOS Steve Dispensa
- Re: [TLS] SSL Renegotiation DOS Martin Rex
- Re: [TLS] SSL Renegotiation DOS Eric Rescorla
- Re: [TLS] SSL Renegotiation DOS Marsh Ray
- Re: [TLS] SSL Renegotiation DOS Martin Rex
- Re: [TLS] SSL Renegotiation DOS Steve Dispensa
- Re: [TLS] SSL Renegotiation DOS Peter Gutmann
- Re: [TLS] SSL Renegotiation DOS Martin Rex
- Re: [TLS] SSL Renegotiation DOS Peter Gutmann
- Re: [TLS] SSL Renegotiation DOS Jorge A. Orchilles
- Re: [TLS] SSL Renegotiation DOS Jorge A. Orchilles
- Re: [TLS] SSL Renegotiation DOS Jorge A. Orchilles
- Re: [TLS] SSL Renegotiation DOS Jorge A. Orchilles
- Re: [TLS] SSL Renegotiation DOS Jorge A. Orchilles