GERMAN HACKER GROUP The Hacker's Choice (THC) has released a Secure Sockets Layer (SSL) denial of service (DoS) tool that claims to require just a single machine and minimal bandwidth.
THC's SSL-DoS tool is a proof of concept that the group claims will "disclose fishy security in SSL". The group claims the tool works well if the server supports SSL renegotiation and will still work even if the server has it disabled, though it will require something of a brute force technique.
One of THC's biggest claims is that its SSL-DoS tool can take down servers with relatively little resource usage. To illustrate, the group says it can take down an average server with a single laptop using a broadband connection. Even more impressive is THC's claim that a server farm could be taken offline by just 20 run-of-the-mill laptops and 120kbits/s of bandwidth.
In THC's release statement the group was surprised that so many servers had SSL renegotiation enabled. THC wrote, "SSL renegotiation was invented to renegotiate the key material of an SSL connection. This feature is rarely used. In fact we could not find any software that uses SSL renegotiation. Yet it's enabled by default by most servers."
THC cites "complexity is the enemy of security" as a mantra, and if the group's claim that few services actually use SSL renegotiation really is true, it's rather surprising that so few system administrators have bothered to turn the service off.
Perhaps THC's SSL-DoS tool will wake up system administrators to disable SSL renegotiation and help jumpstart research into improving SSL security. µ