
SSL Renegotiation Is Good. DDOS Attacks Are Bad

Created: 26 Oct 2011 • Updated: 18 Dec 2012 • 3 comments
By FranRosch

There is a distributed denial of service (DDOS) attack making news this week called THC-SSL-DOS, and it’s stirring up some discussion about the renegotiation feature of SSL. Some are saying this is a flaw in SSL. It is not. SSL renegotiation is a feature, not a flaw to be fixed. The attack is primarily another DDOS attack.

A better user experience

Renegotiation is a feature that makes it possible to adjust the parameters of an SSL handshake without requiring an entirely new SSL session. This allows for an improved user experience, a must-have for most e-commerce, media, cloud-provider, and SaaS sites.

Here is just one example: a web user visits a web site that is SSL-encrypted. After spending some time shopping on that site anonymously, the user decides to purchase or log in. Renegotiation allows the SSL connection with that site to adjust its parameters to authenticate the user without a break in the user experience. This way, all the information the user collected as an anonymous site visitor is maintained and protected when they change their status to an authenticated customer.

Protect yourself and others from DDOS attacks

DDOS attacks are an unfortunate reality for our digital world. As with any other attack vector, it will continue to be a race between bad actors who seek to achieve wide-scale attacks, and legitimate organizations who work to defend their networks from an expanding threat landscape. However, there are many countermeasures available to prevent or minimize the effectiveness of a DDOS attack, such as SSL accelerators, additional hardware, clean-pipe solutions, and more. It is also a very good idea to run malware scans and vulnerability assessments across your network to help protect your assets against a malware infection that could contribute to the effectiveness of an attack.
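In the spirit of the countermeasures above, here is an added example (not code from the post or from Symantec): a per-connection renegotiation rate check run over constructed log lines, which separates a shopper who renegotiates once to log in from a connection that renegotiates far more often than any legitimate client would. The log format, connection ids and thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict, deque

# Constructed log format (an assumption for this example, not from the post):
# one line per TLS handshake or renegotiation, as a front-end proxy might emit.
LINE_RE = re.compile(r"t=(\d+) conn=(\S+) event=(\w+)")

# Constructed sample. conn=A is a shopper who renegotiates once to authenticate;
# conn=B renegotiates 60 times in six seconds, the shape a renegotiation flood
# takes; conn=C renegotiates slowly (every 30 s) and must not be flagged.
SAMPLE_LOG = (
    "t=1000 conn=A event=handshake\n"
    "t=1001 conn=B event=handshake\n"
    "t=1045 conn=A event=renegotiation\n"
    + "".join(f"t={1001 + i // 10} conn=B event=renegotiation\n" for i in range(60))
    + "".join(f"t={1100 + 30 * i} conn=C event=renegotiation\n" for i in range(6))
)


def parse_events(log_text):
    """Parse log lines into (t, conn, event) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3)))
    return sorted(events)  # time order, so per-connection timestamps are monotonic


def flag_renegotiation_floods(events, window_s=10, max_reneg=5):
    """Return {conn: time_first_exceeded} for connections that renegotiate more
    than max_reneg times within any window_s-second sliding window. A legitimate
    client renegotiates rarely (once, to go from anonymous to authenticated), so
    a low threshold catches abuse without disabling the feature for everyone."""
    recent = defaultdict(deque)  # conn -> timestamps of recent renegotiations
    flagged = {}
    for t, conn, event in events:
        if event != "renegotiation":
            continue
        window = recent[conn]
        window.append(t)
        while t - window[0] > window_s:  # drop renegotiations outside the window
            window.popleft()
        if len(window) > max_reneg and conn not in flagged:
            flagged[conn] = t
    return flagged
```

Running `flag_renegotiation_floods(parse_events(SAMPLE_LOG))` flags only conn=B; a flagged connection is a candidate for closing or throttling at the edge while ordinary shoppers keep their sessions.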

A truly effective DDOS attack often uses malware to take over an otherwise legitimate machine as a bot to help propagate the attack. So please, guard against inadvertently enabling attacks on others. Make sure you are keeping your anti-virus protection up to date on all your machines.

Comments (3)

Avkash K

Hi FranRosch,

Thanks for sharing this information.

But currently we have seen some DDOS tools from Anonymous (HOIC) which can be used to plan a systematic DDOS attack using different HTTP headers bearing different source addresses.

This makes it look like a generic traffic flow from different website users.

I just wanted to have your views on whether renegotiation can help the hackers in such automated DDOS attacks or not?

And how can we prevent ourselves from such attacks?


Avkash K

Nayan_lumia

Hi FranRosch,

The information is really helpful, thanks a lot.

I would like to know: if a user visits some online shopping website, say through an HTTP connection, and browses a few products, then clicks on a "buy this product" button and is redirected to an HTTPS page for submitting his login as well as credit card details, the user logs in accordingly, but now the user thinks that he has selected the wrong product, so he again jumps to the HTTP page, browses for the right product and clicks "buy this product". So my question to you is: this time, will the browser create a new HTTPS session, or will the previous HTTPS session be continued? How secure is this scenario? What would be the best solution for the above case?

Kindly advise.

DomSYMC

Greetings Nayan,

There are a couple of scenarios here. If your customer uses the Back button on their browser after logging in, the browser will kick them out of the login/HTTPS session and they will have to be prompted to log in again.

Typically, once they log into the site and are under HTTPS, all browsing after that will be in HTTPS. If your customer wants to delete the selected item, they would do it after they have logged in and can re-choose what products they want afterwards while still maintaining the SSL session.

Use Amazon as an example.
