DEV Community

Cover image for SSL Flooding and Renegotiation Attacks
Eden Allen
Eden Allen

Posted on

SSL Flooding and Renegotiation Attacks

SSL Flood Meaning

An SSL flood is a form of Distributed Denial-of-Service (DDoS) attack that takes aim at the handshake process associated with Secure Sockets Layer (SSL)/Transport Layer Security (TLS). It works by overwhelming a server with a wide array of SSL handshake requests.

The several sets of potential SSL handshake requests are at a certain point too intense for servers to handle.

SSL/TLS handshakes are an intensive process and require a great deal of coupled manipulation of server processing power as they result in synchronous operations directly in the server's CPU and memory.

With a means to slow down or shut down servers outright and attack at least a portion of it with objections occurring with forced resolution based on SSL handshake request methods, these malignant clients can rapidly exhaust their own servers.

In addition, as a result of the reliance on this type of script or malicious initiation on a DDOS response through SSL flood-for-attack, it presents a specific form of aggressive locomotive impact against server-side resources as SSL is designed to provide usable encrypted channels between clients and server applications.

How Attackers Exploit Renegotiation?

Renegotiation is another form of SSL/TLS that takes the original ongoing cryptographic parameters established between clients and server characterizations to renew their origination at later times.

Although renegotiation is useful for the purposes of furthering the key or needing to rewrite the encryption parameters for mid-session requests, attackers that exploited the renegotiation model inclusively for SSL handshake request ground, have taken advantage through factors on both.

An SSL flood is a type of Distributed Denial-of-Service (DDoS) attack that targets the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) handshake process.

During this attack, an adversary floods a server with a massive volume of SSL handshake requests, overwhelming its resources.

Since SSL/TLS handshakes are computationally intensive and require significant server-side processing power, even a relatively small number of malicious clients can exhaust the server's CPU and memory, leading to slowdowns or complete service outages.

SSL floods are particularly dangerous because they exploit the very technology designed to provide secure, encrypted communication between clients and servers.

How Do SSL Flood Attacks Work?

SSL flood attacks take advantage of the asymmetric resource usage of the SSL/TLS handshake process to deplete a server's resources.

Unlike traditional DDoS attacks, such as a flood of request packets or bandwidth consumption, an SSL flood presents the more sophisticated approach of exhausting a server's computation resources through an attack.

It is a simplified process consisting of multiple steps that lead to exhaustion of the server's resources and functioning properly:

Initial Connection

The attack starts when the malicious client connects to the server with a normal SSL/TLS handshake. At this stage, nothing looks unusual.

The malicious client sends the "ClientHello" message to start the secure session and the server responds with its certificate and other cryptographic parameters.

This is a critical step because it provides the opportunity to fabricate the presence of legitimate traffic making it much tougher for security systems to quickly distinguish the compromised connections from the legitimate users.

Handshake Overload

Instead of completing a normal data transfer, the attacker periodically initiates more SSL handshakes or in some cases, takes advantage of SSL renegotiation.

Each handshake or renegotiation generates a new server-side processor utilization since it is all resource-intensive work.

Attackers accomplish this either by opening up new SSL connections rapidly, or by continuing to execute renegotiation on existing connections.

In any case, the server finds itself continually responding to a stream of server-side processing resources as the handshakes or renegotiation never end; this leads to a flood of loads with cryptographic operations.

Resource Consumption

The SSL/TLS handshake operation by the server including all components is resource-intensive.

The costs are as follows when processing an SSL handshake:

The key will be exchanged, server will perform and validate the client certificate, and server will validate the digital signature to provide a response while setting one or more parameters to establish symmetric keys.

Although these costs only involve client resources to initiate the handshake, nearly all the server processing costs rest with the server.

With each new handshake or renegotiation request, resources are rapidly exhausted from CPU cycles, memory, and network resources.

Server Exhaustion

The SSL/TLS handshake operation by the server including all components – is resource-intensive.

The costs are as follows when processing an SSL handshake: the key will be exchanged, server will perform and validate the client certificate, and server will validate the digital signature to provide a response while setting one or more parameters to establish symmetric keys.

Although these costs only involve client resources to initiate the handshake, nearly all the server processing costs rest with the server.

With each new handshake or renegotiation request, resources are rapidly exhausted from CPU cycles, memory, and network resources.

Reference

What are SSL Flood and Renegotiation Attacks? How to Prevent It?

Top comments (0)