The SSL Renegotiation Attack is Back

Its back in the news anyway.  We wrote about this attack in March of this year and published a couple of iRules that mitigate the problem right at your virtual server.  From what we can tell, the source is the same version (1.4) that we tested back in February.

It is worth noting that the SSL capacity of most modern ADCs is so far above the load that a single client can generate that its probably not even measurable.  But in any case, its good to stay on top of these things.

For the record, here's the optimized version of the iRule that we published earlier this year. 

 

when RULE_INIT {
    set static::maxquery
5
    set static::mseconds 60000
}
when CLIENT_ACCEPTED {
    set ssl_hs_reqs
0
}
when CLIENTSSL_HANDSHAKE {
    incr ssl_hs_reqs
    after $static::mseconds { if {$ssl_hs_reqs > 0} {incr ssl_hs_reqs -1} }
    if { $ssl_hs_reqs > $static::maxquery } {
        after 5000
        log "Handshake attack detected, dropping [IP::client_addr]" 
        drop
    }
}

Published Oct 27, 2011
Version 1.0

Was this article helpful?

No CommentsBe the first to comment