Hackers use SSL security tool to attack servers
Group claims that an average server can be taken offline using only a single laptop and a broadband connection
Researchers have released details of a tool that they claim enables denial-of-service (DoS) attacks by using SSL (Secure Sockets Layer), a cryptographic protocol designed to improve internet security.
The tool was released by a group called "The Hacker's Choice" (THC), and, according to its web site, it is unique among DoS tools.
"The tool departs from traditional DoS tools as it does not require any bandwidth and just a single attack computer," a THC representative wrote on the site.
Traditional DoS attacks bombard a server with requests until its processing capacity is full, preventing genuine users from accessing any content it hosts.
To generate enough requests, most DoS tools, including the one used by hacktivist group Anonymous to attack the servers of PayPal and Mastercard, among others, rely on simultaneous attacks from a large number of users.
This new tool differs in that it can operate from just one computer. Rather than bombarding a server with requests for information, it sends multiple session requests, requiring multiple SSL handshakes (or renegotiations) to authenticate the identities of both parties.
This requires a large amount of server resources, which eventually will cause the server to fail.
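Because the load described above comes from repeated handshakes on the same session rather than from request volume, one defensive check is to count renegotiations per connection over a short window. The following is an added example, not code from THC or from this article; the event tuple format, the thresholds and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque

def flag_renegotiation_abuse(events, max_renegs=3, window=10.0):
    """Return {client_ip: peak_count} for clients with a connection that
    exceeds max_renegs renegotiations inside `window` seconds.

    events: iterable of (timestamp, client_ip, conn_id, kind) tuples, a
    hypothetical format a TLS terminator could be configured to log.
    """
    recent = defaultdict(deque)  # (client_ip, conn_id) -> recent renegotiation times
    flagged = {}
    for ts, client, conn_id, kind in sorted(events):
        if kind != "renegotiation":
            continue  # the initial handshake on a connection is expected
        q = recent[(client, conn_id)]
        q.append(ts)
        # Drop renegotiations that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_renegs:
            flagged[client] = max(flagged.get(client, 0), len(q))
    return flagged

# Constructed sample events (documentation-range addresses, not real traffic).
SAMPLE_EVENTS = (
    # One ordinary client: a handshake and a single later renegotiation.
    [(0.0, "203.0.113.10", 1, "handshake"),
     (30.0, "203.0.113.10", 1, "renegotiation")]
    # A long-lived connection that renegotiates rarely: stays under the limit.
    + [(20.0 * i, "192.0.2.44", 9, "renegotiation") for i in range(4)]
    # One connection renegotiating six times in about a second.
    + [(1.0, "198.51.100.7", 5, "handshake")]
    + [(1.0 + 0.2 * i, "198.51.100.7", 5, "renegotiation") for i in range(1, 7)]
)

if __name__ == "__main__":
    for ip, peak in flag_renegotiation_abuse(SAMPLE_EVENTS).items():
        print(f"{ip}: {peak} renegotiations on one connection within the window")
```

A server that has no need for client-initiated renegotiation can simply disable it, in which case any non-zero count is worth alerting on.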
The THC blamed the exploit on issues with the way that SSL is coded.
"We are hoping that the fishy security in SSL does not go unnoticed. The industry should step in to fix the problem.
"SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century."
The THC representative explained that SSL has three major vulnerabilities.
"In 2009 a vulnerability was disclosed that broke the encryption of SSL, making all SSL traffic unsafe. In 2011, various Certification Authorities got hacked [exposing SSL keys], which also makes all SSL traffic unsafe."
Fred Mauer, a senior cryptographer at THC, added that he had already had serious doubts about the policy of allowing private companies access to SSL keys before this year's breaches.
"We warned in 2002 about giving hundreds of commercial companies - so-called Certification Authorities - a master key to all SSL traffic," he said.
Finally, the THC said that SSL renegotiation is overly complex, which leads to heavy server loads and the potential for this exploit when multiple sessions are persistently restarted.
"And last but not least the immense complexity of SSL Renegotiation strikes again in 2011 with the release of THC-SSL-DOS."
The THC described its attack tool as 'proof of concept', designed to expose the frailties of SSL. It called for the security industry to step in and redesign internet security.
"It's time for a new security model that adequately protects the citizens."
The group claims that an average server can be taken offline using only a single laptop and a broadband connection, through the use of this tool.