mailing list archives
Re: THC SSL DOS tool released
From: Marc Heuse <mh () mh-sec de>
Date: Wed, 02 Nov 2011 09:21:15 +0100
Am 02.11.2011 00:44, schrieb coderman:
On Tue, Nov 1, 2011 at 4:14 PM, Marsh Ray wrote:
I want an excuse to buy a smokin new video card as much as the next
guy, but if anyone ever bothered to look at the protocol they'd
realize the attacker doesn't actually need to do any crypto.
i don't want to use 20 laptops to do what can be done with one (when
renegotiation disabled and hw accel present)
i've got a radeon mobility in this lappy for a reason!
still you dont need a gpu, even with renegotiation disabled and hardware
Just don't use openssl (or similar libraries).
you can send the intial communication yourself before its the client's
task to do CPU intensive operations and then just close the connection
and the thc-ssl-dos is a proof of concept code, and could be enhanced to
do be more effective too.
PGP: FEDD 5B50 C087 F8DF 5CB9 876F 7FDD E533 BF4F 891A
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/