SSL Attack DDoS Testing

The relevance of SSL encryption or Secure Socket Layer encryption is on the rise, making online shopping and banking more secure. Accordingly, SSL DDoS attacks have rapidly gained favour with cyber criminals. Almost any company who is using SSL encryption in order to protect their websites is at risk of SSL attacks.

There are multiple platforms from which hackers can execute SSL attacks. However, SSL attacks are difficult to detect and extremely hard to mitigate against. The low-risk, high-reward nature of SSL/TLS vulnerability ensures that these trends will continue, placing organizations at risk of breach and unplanned system downtime.

Simulating SSL Attacks with DDoS Testing

activereach can verify that your SSL daemons are not susceptible to attack, and offers the following SSL attack types:

  • SSL Exhaustion: The SSL Regeneration attack is the most common form of SSL Exhaustion attack. All seek to fill SSL connection slots, ideally with a large CPU impact as well as memory exhaustion.
  • SSL Hit and Run: This is a flood type of attack. SSL data decryption is costly in CPU time. In this variant the attacker connects and starts SSL handshaking but then disconnects (perhaps before handshaking has completed) and reconnects multiple times.
  • SSL Regeneration: This is a flood type of attack, sometimes known as an SSL Handshake Attack. When data is sent in an SSL session, it must be decrypted by the target system (whether that be a web server or an SSL offloading device like a loadbalancer) and that costs CPU time. But an attacker need not even send data, they can simply request an SSL handshake multiple times – this is cheap for the attacker to send but costly for the target to process.
  • THC-SSL Attack: SSL encryption is a compute-intensive activity and the THC-SSL tool takes advantage of this in two ways – firstly it makes multiple SSL connections to a server and then secondly it uses the Renegotiation function to recompute the hashes on the connection many hundreds or thousands of times in a single connection. The intention is that the web server (or the SSL offload portion of the load balancer) becomes CPU bound and unable to answer any new incoming connection requests.

Please browse the activereach DDoS Dictionary for the full range of DDoS attacks that can be simulated our Managed Testing platform.