lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 2 Nov 2011 14:07:36 -0700
From: coderman <coderman@...il.com>
To: Marc Heuse <mh@...sec.de>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: THC SSL DOS tool released

On Wed, Nov 2, 2011 at 1:21 AM, Marc Heuse <mh@...sec.de> wrote:
> ...
> still you dont need a gpu, even with renegotiation disabled and hardware
> acceleration present.
> Just don't use openssl (or similar libraries).

indeed.

reminds me of the vanity onion generator shallot. you could do this
with legitimate keys and take forever, or you could generate weak keys
quickly to find a prefix in reasonable time.

(in this case, legitimate handshakes are not strictly required for
testing, but it would be nice to keep that option. for example,
establishing an upper bound of concurrent SSL/TLS connections for load
balancer / server benchmarks. it takes me forever to do this in
software. i can actually stress with hardware acceleration performing
full handshakes. i've had to test upwards of 1.5MM concurrent sessions
per endpoint on such systems; this is not a theoretical need :)


> and the thc-ssl-dos is a proof of concept code, and could be enhanced to
> do be more effective too.

since we're on the subject:

- cipher suite probing to find un-accelerated suites or more
computationally expensive suites supported by a target.

- client certificate support (with either static|fixed, pre-generated,
or on-demand client cert generation)


regardless, this is a handy tool. even if i have to manually edit out
the script kiddie pisser. :P

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ