There is a distributed denial of service (DDOS) attack making news this week called THC-SSL-DOS, and it’s stirring up some discussion about the renegotiation feature of SSL. Some are saying this is a flaw in SSL. It is not. SSL renegotiation is a feature; not a flaw to be fixed. The attack is primarily another DDOS attack.
A better user experience
Renegotiation is a feature that makes it possible to adjust the parameters of an SSL handshake without requiring an entirely new SSL session. This allows for an improved user experience, a must have for most Ecommerce, media, cloud providers, and SaaS sites.
Here is just one example: a web user visits a web site that is SSL encrypted. After spending some time shopping on that site anonymously the user decides to purchase or log in. Renegotiation will allow the SSL connection with that site to adjust to authenticate the user without requiring a break in the user experience. This way, all the information the user collected as an anonymous site visitor is maintained and protected when they change their status to an authenticated customer.
Protect yourself and others from DDOS attacks
DDOS attacks are an unfortunate reality for our digital world. As with any other attack vector, it will continue to be a race between bad actors who seek to achieve wide scale attacks, and legitimate organizations who work to defend their networks from an expanding threat landscape. However, there are many countermeasures available to prevent or minimize the effectiveness of a DDOS attack, such as SSL accelerators, additional hardware, clean pipe solutions, and more. It is also a very good idea to run malware scans and vulnerability assessments across your network to help protect your assets against a malware infection that could contribute to the effectiveness of an attack.
A truly effective DDOS attack often uses malware to take over an otherwise legitimate machine as a bot to help propagate the attack. So please, guard against inadvertently enabling attacks on others. Make sure you are keeping your anti-virus protection up to date on all your machines.