
SSL renegotiation DOS mitigation

Problem this snippet solves:

See this article for complete details.

Earlier this year, a paper was posted to the IETF TLS working group outlining a very easy denial of service attack that a single client could use against a web server that supports SSL/TLS.

http://www.ietf.org/mail-archive/web/tls/current/msg07553.html

The premise of the attack is simple: “An SSL/TLS handshake requires at least 10 times more processing power on the server than on the client”. If a client machine and a server machine were equal in RSA processing power, the client could overwhelm the server by sending ten times as many SSL handshake requests as the server could service. This vulnerability exists for all SSL negotiations; the only inherent mitigation is the ratio of crypto processing power between the two participants, which is why SSL acceleration is such a critical feature.

Because BIG-IP uses state-of-the-art hardware crypto-processors, it is certainly not vulnerable to this attack from a single client. However, it is quite conceivable that someone might very easily modify one of the botnet tools (such as the Low Orbit Ion Cannon that we saw used in the Wikileaks attacks), and thus the attack could become distributed.

How to use this snippet:

This iRule requires LTM v10.1 or higher.
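The shared iRule itself is not reproduced on this page, so the following is an added example of the per-connection handshake throttling such a rule performs; it is not the DevCentral iRule credited below. It counts completed handshakes on each TCP connection in CLIENTSSL_HANDSHAKE (which also fires for every client-initiated renegotiation) and rejects the connection once the count exceeds a threshold inside a time window. The threshold (5) and window (60 s) are placeholder values to tune for your traffic; the `static::` namespace it relies on is available from LTM v10.1, matching the requirement stated above.

```tcl
# Added example, not the DevCentral iRule this page distributes.
# Assumptions: LTM v10.1+ (static:: variables), the rule is attached to a
# virtual server that carries a Client SSL profile, and the two thresholds
# below are placeholders to tune for the real workload.
when RULE_INIT {
    # Handshakes (initial plus renegotiations) a single TCP connection may
    # complete within one window before it is torn down.
    set static::max_handshakes 5
    # Window length in seconds.
    set static::window 60
}

when CLIENT_ACCEPTED {
    # Connection-local state: these variables live as long as the TCP
    # connection, so every client connection gets its own counter.
    set handshakes 0
    set window_start [clock seconds]
}

when CLIENTSSL_HANDSHAKE {
    # Fires each time a handshake completes on this connection, including
    # every renegotiation the client initiates.
    set now [clock seconds]
    if { ($now - $window_start) >= $static::window } {
        # Window expired: start counting afresh.
        set handshakes 0
        set window_start $now
    }
    incr handshakes
    if { $handshakes > $static::max_handshakes } {
        # Record the offender, then reset the connection so this socket can
        # no longer drive the crypto hardware.
        log local0. "SSL handshake flood: [IP::client_addr]:[TCP::client_port] completed $handshakes handshakes in under $static::window s; rejecting"
        reject
    }
}
```

Attach the rule to the HTTPS virtual server alongside its Client SSL profile and watch `/var/log/ltm` for the log line while tuning. Note what this does and does not cover: it bounds the handshake rate a single connection can impose, which is exactly the single-client case the paper describes, but a distributed attacker that opens many connections and stays under the threshold on each is only constrained by the per-connection cost, so pair it with connection-rate limiting and, where the application allows it, disabling client-initiated renegotiation in the Client SSL profile.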

Credits

iRule created by Jason Rahm, David Holmes, Spark, Hoolio, with input by others.