LiteSpeed Against Thc-ssl-dos

The thc-ssl-dos tool was published two days ago and has been posted all over the internet. You may wonder whether LiteSpeed is vulnerable to this attack. The short answer is

NO

In our lab, we tried it against the LSWS 4.1.6 release.

thc-ssl-dos-1.4> src/thc-ssl-dos [target_ip] 443 --accept
     ______________ ___  _________
     \__    ___/   |   \ \_   ___ \
       |    | /    ~    \/    \  \/
       |    | \    Y    /\     \____
       |____|  \___|_  /  \______  /
                     \/          \/

http://www.thc.org

          Twitter @hackerschoice

Greetingz: the french underground

Waiting for script kiddies to piss off................
The force is with those who read the source...
Handshakes 0 [0.00 h/s], 1 Conn, 0 Err
Handshakes 0 [0.00 h/s], 181 Conn, 0 Err
Handshakes 0 [0.00 h/s], 181 Conn, 0 Err
Handshakes 0 [0.00 h/s], 181 Conn, 0 Err
Handshakes 0 [0.00 h/s], 231 Conn, 0 Err
Handshakes 0 [0.00 h/s], 231 Conn, 0 Err
Handshakes 0 [0.00 h/s], 231 Conn, 0 Err
Handshakes 0 [0.00 h/s], 231 Conn, 0 Err
Handshakes 0 [0.00 h/s], 231 Conn, 0 Err
Handshakes 0 [0.00 h/s], 231 Conn, 0 Err
Handshakes 0 [0.00 h/s], 231 Conn, 0 Err
Handshakes 0 [0.00 h/s], 231 Conn, 0 Err
Handshakes 0 [0.00 h/s], 231 Conn, 0 Err
Handshakes 0 [0.00 h/s], 233 Conn, 0 Err
Handshakes 0 [0.00 h/s], 233 Conn, 0 Err
Handshakes 0 [0.00 h/s], 233 Conn, 0 Err
Handshakes 0 [0.00 h/s], 233 Conn, 0 Err
Handshakes 0 [0.00 h/s], 233 Conn, 0 Err
Handshakes 0 [0.00 h/s], 233 Conn, 0 Err
Handshakes 0 [0.00 h/s], 233 Conn, 0 Err
Handshakes 0 [0.00 h/s], 233 Conn, 0 Err
Handshakes 0 [0.00 h/s], 233 Conn, 0 Err
ERROR: Target has disabled renegotiations.
Use your own skills to modify the source to test/attack
the target [hint: TCP reconnect for every handshake].

Can we block it? You may wonder.

YES

Just set “Connection Soft Limit” and “Connection Hard Limit” under “Server” -> “Security” -> “Per Client Throttling”. We set the soft limit to 20 and the hard limit to 30, and ran the test again.

thc-ssl-dos-1.4> src/thc-ssl-dos [target_ip] 443 --accept
     ______________ ___  _________
     \__    ___/   |   \ \_   ___ \
       |    | /    ~    \/    \  \/
       |    | \    Y    /\     \____
       |____|  \___|_  /  \______  /
                     \/          \/

http://www.thc.org

          Twitter @hackerschoice

Greetingz: the french underground

Waiting for script kiddies to piss off................
The force is with those who read the source...
Handshakes 0 [0.00 h/s], 1 Conn, 0 Err
SSL: error:00000000:lib(0):func(0):reason(0)
SSL: error:00000000:lib(0):func(0):reason(0)
SSL: error:00000000:lib(0):func(0):reason(0)
SSL: error:00000000:lib(0):func(0):reason(0)
SSL: error:00000000:lib(0):func(0):reason(0)

LiteSpeed immediately blacklisted the IP and rejected SSL connections from it. Plain HTTP connections from that IP are rejected as well.
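To show what a per-client connection limit does to a normal browser versus a client that keeps opening connections and never closes them, here is an added Python model using the soft 20 / hard 30 values from the test above. It is not LiteSpeed's code: the soft/hard semantics (warn above soft, blacklist and reject everything above hard) and the event stream are simplified assumptions constructed for this example.

```python
"""Simplified per-client connection throttling model (constructed example, not LiteSpeed's code)."""
from collections import defaultdict

SOFT_LIMIT = 20   # the values set in the test described above
HARD_LIMIT = 30


def make_events():
    """Constructed stream of (client_ip, event) pairs; these are not real server logs."""
    events = []
    # A normal browser: a handful of parallel connections, all closed afterwards.
    events += [("203.0.113.10", "open")] * 6
    events += [("203.0.113.10", "close")] * 6
    # An SSL-DoS style client: keeps opening connections and never closes them.
    events += [("198.51.100.7", "open")] * 40
    return events


def throttle(events, soft=SOFT_LIMIT, hard=HARD_LIMIT):
    """Replay the events and apply the (assumed) soft/hard policy.

    Returns (peak concurrent connections per IP, blocked IPs,
             IPs that exceeded the soft limit, number of rejected opens).
    """
    open_conns = defaultdict(int)
    peak = defaultdict(int)
    blocked, warned = set(), set()
    rejected = 0
    for ip, ev in events:
        if ev == "close":
            open_conns[ip] = max(0, open_conns[ip] - 1)
            continue
        if ip in blocked:
            rejected += 1          # blacklisted: every further connection is dropped
            continue
        open_conns[ip] += 1
        peak[ip] = max(peak[ip], open_conns[ip])
        if open_conns[ip] > hard:
            blocked.add(ip)        # hard limit crossed: blacklist the client
        elif open_conns[ip] > soft:
            warned.add(ip)         # soft limit crossed: flag, but still serve
    return dict(peak), blocked, warned, rejected


if __name__ == "__main__":
    peak, blocked, warned, rejected = throttle(make_events())
    print("peak per IP:", peak)
    print("blocked:", blocked, "warned:", warned, "rejected opens:", rejected)
```

The browser never crosses the soft limit, while the abusive client is blacklisted at its 31st concurrent connection and its remaining opens are rejected, matching the behaviour observed in the second run.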

What about the form of attack in their private release, which repeatedly establishes new HTTPS connections instead of relying on SSL renegotiation?

We have an answer for that as well. Stay tuned!

To be continued…



3 Responses to “LiteSpeed Against Thc-ssl-dos”

  1. George says:

    Thanks for the info. By default LiteSpeed sets the connection limits soft/hard to 10000. In light of the thc-ssl-dos news, what would normal values be to set? The docs recommend 5-10 for the soft limit and 10-50 for the hard limit, so would soft 10 and hard 50 be sufficient where no attack exists right now but to set it 'just in case'?

  2. Animoden says:

    LiteSpeed is really impressive. You said it is 9 times faster than Apache; I say it is 20 times faster and better than Apache. Keep the good stuff going, LiteSpeed, and God bless!

  3. h4xr says:

    Waiting for script kiddies to piss off.. lol