German hackers release tool that could let one laptop take down a server farm

Resource exhaustion is the new DDOS; every server running SSL is vulnerable.

A new tool released by the German hacking collective The Hackers Choice (THC) is designed to take down servers using the power of the security precautions added to keep those servers safe.

The app is one of several high-profile hacking tools released recently that are designed to crash servers not by hitting them with millions of requests from thousands of browsers, as in a Distributed Denial of Service attack.

Instead they use a feature hackers know is built into the server and that any client can call on freely, but which costs the server far more memory or processing power to run than it costs the client to request.

Anonymous introduced a new server attack tool called #RefRef based on Resource Exhaustion – wasting so much of a server's power that it crashes.

Anonymous' tool sends a JavaScript routine to the server and asks the server to replicate the script endlessly and run every copy, until the server chokes on the effort and crashes.

The tool from the German THC – called THC-SSL-DOS – uses a flaw in the Secure Sockets Layer (SSL) protocol that allows a client that has already logged in to a server to ask the server for a new SSL certificate authenticating the session.

The flaw was demonstrated as an effective way to create a man-in-the-middle attack by an IBM security researcher in 2009. To work correctly the attacker would need to have already gained access to the victim's network.

And, although it was possible to insert a small amount of text in the SSL request, which could be used for malware or a SQL injection, the hacker couldn't read the encrypted text that came back.

That made the initial proof-of-concept exploit, which aimed to get Twitter to send the hacker's connection a copy of someone else's username and password along with the certificate, difficult to pull off.

Microsoft put out a warning about the flaw in February of 2010, a month after the IETF finished a patch to repair the hole.

THC members quoted by the IDG News Service said they have known about the flaw since 2008 and, for almost as long, have had a more effective way to use it – one that wasn't fixed by the 2010 patch.

They used the technique to participate in the Anonymous-led DDOS attack on MasterCard last year, according to the IDG News Service story.

Rather than trying to steal a password, the THC tool simply sets up an SSL connection, then asks for another certificate.

The process of generating and providing the certificate puts 15 times as much load on the server as on the client, according to the technical-information page on the THC-SSL-DOS tool.

So one client can make a server spend 15 times the memory and CPU cycles to fulfill a request that the client spends to send it – a huge improvement, from the attacker's point of view, over DDOS attacks that leave clients working hard to send one request after another to servers designed to handle such requests much faster than a general-purpose client machine can generate them.

On a server with SSL Renegotiation enabled, the tool running on just one laptop might be able to bring down a server by itself.

An average server can handle about 300 SSL handshakes per second before redlining. The client-side portion of that load would use 10 percent to 15 percent of an average laptop's capacity, the THC documentation said.

On servers with SSL Renegotiation disabled and load balancers in front of them to help protect them, it might take 20 laptops to take down a server farm, according to THC members quoted in the IDG story.

There are no real countermeasures to stop the attacks, except to disable SSL Renegotiation and buy an SSL Accelerator, the THC paper said.

Even those can be avoided by tweaking the code of the tool, however.

"A better solution is desirable," THC's summary concludes. "Somebody should fix this."
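As a defender-side illustration added here (not code from the article, from THC, or from the tool), the following Python sketch scores a constructed handshake log for clients whose renegotiation rate is far above anything a browser does, which is the signal a load balancer or SSL accelerator would rate-limit on. The log format, event names, sample addresses and threshold are all assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample log, one event per line: "<epoch_seconds> <client_ip> <event>".
# The layout and event names are assumptions for this example, not a real web
# server's log format; adapt parse_events() to whatever your TLS stack emits.
SAMPLE_LOG = "\n".join(
    ["1000.000 203.0.113.5 handshake"]
    # one client renegotiating 40 times on a single connection in half a second
    + [f"{1000.0 + i * 0.0125:.4f} 203.0.113.5 renegotiation" for i in range(40)]
    # an ordinary client: one handshake, one renegotiation minutes apart
    + ["1001.000 198.51.100.9 handshake", "1180.000 198.51.100.9 renegotiation"]
)

def parse_events(text):
    """Yield (timestamp, client_ip, event) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield float(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def peak_renegotiations(events, window_s=1.0):
    """Map client_ip -> most renegotiations seen in any window_s-second window.
    Events must arrive in timestamp order; a per-client deque holds only the
    renegotiation timestamps still inside the sliding window."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, ip, event in events:
        if event != "renegotiation":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)

def flag_clients(text, window_s=1.0, threshold=10):
    """Clients whose peak renegotiation count per window exceeds threshold.
    The threshold is an assumption: THC's own figures put a whole server at
    roughly 300 handshakes per second, so one client driving dozens per second
    over a single connection is nothing like browser behaviour."""
    peaks = peak_renegotiations(parse_events(text), window_s)
    return {ip: n for ip, n in peaks.items() if n > threshold}

if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))  # {'203.0.113.5': 40}
```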

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
