Hidden SSL attacks

SSL attacks: Once a technology reaches mass adoption, security gaps become known that attackers can readily exploit. The SSL encryption protocol is no exception: a large number of published vulnerabilities have forced users to move to newer, more secure versions and ultimately to its successor protocol, Transport Layer Security (TLS).

However, exploiting newly identified vulnerabilities is not the only way SSL is used as a weapon in the hands of malicious attackers. According to Radware, SSL attacks are increasingly used to obscure and further complicate the detection of attack traffic in both network and application-level threats.

SSL Attacks: Many Forms

SSL attacks are popular with attackers because only a small number of packets is needed to cause a denial of service on a fairly large service. Attackers use SSL because each SSL session handshake consumes 15 times more resources on the server than on the client. Because of this amplification effect, even a small attack can cause crippling damage.

SSL-based attacks take many forms, including:

  • Encrypted SYN floods. These attacks are similar in nature to normal, unencrypted SYN flood attacks in that they exhaust the resources available to complete the SYN/ACK handshake. The difference is that they add to the challenge by encrypting the traffic and forcing the server to spend SSL handshake resources as well.
  • SSL renegotiation. Such attacks initiate a regular SSL handshake and then immediately request that the key be renegotiated. The tool repeats this renegotiation request over and over until all server resources are exhausted.
  • HTTPS floods. These generate floods of encrypted HTTP traffic, often as part of multi-vector attack campaigns. In addition to the effects of "normal" HTTP floods, encrypted HTTP attacks bring further challenges, such as the burden placed on the encryption and decryption mechanisms.
  • Encrypted attacks on web applications. Multi-vector attack campaigns also increasingly include attacks on web application logic that are not DoS-based. Because the traffic is encrypted, these attacks often go unnoticed by DDoS countermeasures and web application protection mechanisms.

Difficult detection and containment

In the same way that SSL and encryption protect the integrity of legitimate communications, they also obfuscate many of the traffic attributes used to determine whether traffic is malicious or legitimate. "Identifying malicious traffic within encrypted traffic streams is like finding a needle in a haystack in the dark," said Michael Tullius, Managing Director DACH at Radware. "Most security solutions struggle to identify and isolate potentially malicious traffic from encrypted traffic sources for further analysis and potential mitigation."

Many solutions that can provide some level of decryption tend to rely on a request rate limit, which results in the attack being effectively terminated. However, it also blocks legitimate traffic. Finally, many solutions require the customer to share server certificates, which makes implementation and certificate management difficult.

Protection against SSL attacks

The unfortunate reality is that the majority of DDoS protection solutions only cover certain types of attacks, and in many cases they struggle with SSL attacks. To protect effectively, solutions must offer full attack vector coverage (including SSL) and the scalability to meet growing demands. In particular, the defense against SSL attacks must support all common versions of SSL and TLS and enable asymmetric deployment, in which only the incoming encrypted traffic passes through the mitigation engine. It should also use behavioral analysis to isolate suspicious encrypted traffic and limit its impact on legitimate users. Finally, such a solution should provide advanced challenge/response mechanisms for validating encrypted traffic that has been flagged as suspicious, while affecting only the first session of a user.
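The following is an added example, not Radware's code or the code of any product named on this page. It sketches how the two ideas above (behavioral isolation of suspicious encrypted traffic, and a challenge/response that burdens only a flagged source's first session) can be implemented on the server side, and it also covers the handshake and renegiation flood patterns listed earlier. The input is a constructed connection log (event names `handshake`, `reneg`, `request`, the addresses and the two thresholds are all assumptions made for the example): legitimate clients complete handshakes and then send requests, whereas a handshake flood opens sessions that never carry a request and a renegotiation flood renegotiates one session over and over.

```python
"""Behavioral detection of TLS handshake and renegotiation floods.

Added example (not Radware's code). Input is a constructed connection log
with one event per line: "<ts> <src_ip> <event> key=val ...".
Events: handshake (new TLS session), reneg (client-requested renegotiation
on an existing session), request (an application request completed).
"""
from collections import defaultdict
from dataclasses import dataclass, field

MAX_RENEG_PER_SESSION = 3     # assumed threshold: average renegotiations per session
MAX_SILENT_HANDSHAKES = 10    # assumed threshold: handshakes with no request at all


@dataclass
class SourceStats:
    handshakes: int = 0
    renegs: int = 0
    requests: int = 0
    sessions: set = field(default_factory=set)


def _make_sample_log():
    """Construct a small log: one normal client, one renegotiation flood,
    one handshake flood. Addresses come from the RFC 5737 documentation ranges."""
    lines = []
    # Normal client: two sessions, requests on each, a single renegotiation.
    lines += ["100.0 203.0.113.10 handshake session=a1",
              "100.2 203.0.113.10 request session=a1 status=200",
              "101.0 203.0.113.10 reneg session=a1",
              "101.5 203.0.113.10 request session=a1 status=200",
              "103.0 203.0.113.10 handshake session=a2",
              "103.3 203.0.113.10 request session=a2 status=200"]
    # Renegotiation flood: one handshake, then repeated renegotiation, no requests.
    lines.append("100.0 198.51.100.7 handshake session=b1")
    lines += [f"{100.1 + 0.1 * i:.1f} 198.51.100.7 reneg session=b1" for i in range(8)]
    # Encrypted SYN/handshake flood: many sessions opened, nothing ever requested.
    lines += [f"{100.0 + 0.5 * i:.1f} 192.0.2.55 handshake session=c{i}" for i in range(12)]
    return "\n".join(lines)


SAMPLE_LOG = _make_sample_log()   # constructed data, not captured traffic


def parse_line(line):
    parts = line.split()
    ts, src, event = float(parts[0]), parts[1], parts[2]
    fields = dict(p.split("=", 1) for p in parts[3:])
    return ts, src, event, fields


def collect(lines, window_start, window_end):
    """Aggregate per-source counters for events inside [window_start, window_end)."""
    stats = defaultdict(SourceStats)
    for line in lines:
        if not line.strip():
            continue
        ts, src, event, fields = parse_line(line)
        if not window_start <= ts < window_end:
            continue
        s = stats[src]
        if event == "handshake":
            s.handshakes += 1
            s.sessions.add(fields["session"])
        elif event == "reneg":
            s.renegs += 1
        elif event == "request":
            s.requests += 1
    return stats


def classify(stats):
    """Return {src: [reasons]}; an empty list means the source looks legitimate."""
    verdicts = {}
    for src, s in stats.items():
        reasons = []
        if s.handshakes and s.renegs / s.handshakes > MAX_RENEG_PER_SESSION:
            reasons.append("renegotiation-flood")
        if s.handshakes >= MAX_SILENT_HANDSHAKES and s.requests == 0:
            reasons.append("handshake-flood")
        verdicts[src] = reasons
    return verdicts


class Mitigator:
    """Challenge/response that burdens only a flagged source's first new session.

    Unflagged sources are never touched. A flagged source is challenged once;
    after a successful challenge its later sessions pass untouched, after a
    failed one they are dropped.
    """
    def __init__(self, verdicts):
        self.verdicts = verdicts
        self.validated = set()
        self.blocked = set()

    def on_new_session(self, src):
        if not self.verdicts.get(src) or src in self.validated:
            return "pass"
        if src in self.blocked:
            return "drop"
        return "challenge"

    def on_challenge_result(self, src, passed):
        (self.validated if passed else self.blocked).add(src)


if __name__ == "__main__":
    verdicts = classify(collect(SAMPLE_LOG.splitlines(), 100.0, 110.0))
    for src, reasons in verdicts.items():
        print(src, reasons or "legitimate")
```

The detector keys on what encryption cannot hide: how many handshakes and renegotiations a source triggers relative to the application requests it actually completes. That ratio is observable on the server without decrypting anything, which is what makes the approach workable in an asymmetric deployment where only inbound traffic is inspected.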

More on this at Radware.com