Is IIS vulnerable to the THC SSL DoS attack tool?

THC recently released a tool that can be used to launch Denial of Service (DoS) attacks against servers hosting SSL sites. Unlike the traditional botnet-based Distributed Denial of Service (DDoS) class of attacks, this tool lets a single client use client-initiated SSL renegotiation to cause a server DoS.

IIS versions 6 and above are NOT affected by the renegotiation DoS attack, since http.sys (the HTTP driver on Windows Server) disallows client-initiated renegotiation in SSL and sends a TCP RST whenever a client attempts one. In that case the attack tool has to open a new TCP/IP connection for each SSL handshake, which makes it no different from a regular DDoS attack that would need very large client-side resources to execute.

The technique this tool relies on is easily mitigated and has been publicly known since March 2010 on the IETF TLS mailing lists. The gist of all these attacks is that completing an SSL handshake takes more resources on the server side than on the client side. So any effective front-end firewall mechanism that tracks such requests and clients and blocks them early on provides adequate protection against this kind of attack.

Unlike IIS, some other services that use SChannel to perform SSL on Windows Server may not disable client-initiated renegotiation. To disable it globally for all services that use SChannel on the server, follow the guidelines in http://support.microsoft.com/kb/977377.
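As an added example (not part of the original post, and not Microsoft's own tooling), the following PowerShell script audits whether that SChannel-wide setting is in place and can apply it. The registry path and the value name `DisableRenegoOnServer` are assumptions taken from memory of KB 977377; confirm both against the article before relying on the script.

```powershell
# Added example: audit (and, with -Apply, set) the SChannel registry value that
# KB 977377 describes for disabling server-side acceptance of client-initiated
# renegotiation. ASSUMPTION: path and value name below are recalled from the KB,
# not taken from the post above; verify them before use. Run elevated.
param([switch]$Apply)

$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$ValueName   = 'DisableRenegoOnServer'   # assumed name; 1 = renegotiation disabled

function Get-SchannelRenegoState {
    param([string]$Path = $SchannelKey, [string]$Name = $ValueName)
    # A missing key or a missing value both yield $null here.
    $item  = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.$Name } else { $null }

    if ($null -eq $value) {
        $state = 'Not configured: non-IIS SChannel services may still honour client renegotiation'
    } elseif ($value -eq 1) {
        $state = 'Disabled: SChannel services reject client-initiated renegotiation'
    } else {
        $state = "Value $($value): renegotiation is not disabled; investigate who set this"
    }
    [pscustomobject]@{ Path = $Path; Name = $Name; Value = $value; State = $state }
}

function Set-SchannelRenegoDisabled {
    param([string]$Path = $SchannelKey, [string]$Name = $ValueName)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # -Force overwrites an existing value of the same name.
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "Set $Name=1 under $Path. Restart the services that use SChannel (or reboot) for it to take effect."
}

# Audit first; only change the value when asked to and when it is not already 1.
$before = Get-SchannelRenegoState
$before | Format-List
if ($Apply -and $before.Value -ne 1) {
    Set-SchannelRenegoDisabled
    Get-SchannelRenegoState | Format-List
}
```

Note that IIS itself does not depend on this value, since http.sys already rejects client-initiated renegotiation; the setting matters for the other SChannel-based services the post mentions.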
