LiteSpeed Against Thc-ssl-dos

October 26th, 2011 by Anti-DDoS , Security 3 Comments

thc-ssl-dos script was published two days ago, and it has been posted all-over the internet. You may wonder if LiteSpeed is vulnerable to this attack. The short answer is

NO

in our lab, we tried it against LSWS 4.1.6 release.

thc-ssl-dos-1.4> src/thc-ssl-dos [target_ip] 443 --accept
     ______________ ___  _________
     \__    ___/   |   \ \_   ___ \
       |    | /    ~    \/    \  \/
       |    | \    Y    /\     \____
       |____|  \___|_  /  \______  /
                     \/          \/
            http://www.thc.org

          Twitter @hackerschoice

Greetingz: the french underground

Waiting for script kiddies to piss off................
The force is with those who read the source...
Handshakes 0 [0.00 h/s], 1 Conn, 0 Err
Handshakes 0 [0.00 h/s], 181 Conn, 0 Err
Handshakes 0 [0.00 h/s], 181 Conn, 0 Err
Handshakes 0 [0.00 h/s], 181 Conn, 0 Err
Handshakes 0 [0.00 h/s], 231 Conn, 0 Err
Handshakes 0 [0.00 h/s], 231 Conn, 0 Err
Handshakes 0 [0.00 h/s], 231 Conn, 0 Err
Handshakes 0 [0.00 h/s], 231 Conn, 0 Err
Handshakes 0 [0.00 h/s], 231 Conn, 0 Err
Handshakes 0 [0.00 h/s], 231 Conn, 0 Err
Handshakes 0 [0.00 h/s], 231 Conn, 0 Err
Handshakes 0 [0.00 h/s], 231 Conn, 0 Err
Handshakes 0 [0.00 h/s], 231 Conn, 0 Err
Handshakes 0 [0.00 h/s], 233 Conn, 0 Err
Handshakes 0 [0.00 h/s], 233 Conn, 0 Err
Handshakes 0 [0.00 h/s], 233 Conn, 0 Err
Handshakes 0 [0.00 h/s], 233 Conn, 0 Err
Handshakes 0 [0.00 h/s], 233 Conn, 0 Err
Handshakes 0 [0.00 h/s], 233 Conn, 0 Err
Handshakes 0 [0.00 h/s], 233 Conn, 0 Err
Handshakes 0 [0.00 h/s], 233 Conn, 0 Err
Handshakes 0 [0.00 h/s], 233 Conn, 0 Err
ERROR: Target has disabled renegotiations.
Use your own skills to modify the source to test/attack
the target [hint: TCP reconnect for every handshake].

Can we block it? you may wonder.

YES

Just set “Connection soft Limit” and “Connection hard limit” under “Server”->”Security”->”Per client throttling”, we set soft limit to 20, hard limit to 30, and did the test again.

 

thc-ssl-dos-1.4> src/thc-ssl-dos [target_ip] 443 --accept
     ______________ ___  _________
     \__    ___/   |   \ \_   ___ \
       |    | /    ~    \/    \  \/
       |    | \    Y    /\     \____
       |____|  \___|_  /  \______  /
                     \/          \/
            http://www.thc.org

          Twitter @hackerschoice

Greetingz: the french underground

Waiting for script kiddies to piss off................
The force is with those who read the source...
Handshakes 0 [0.00 h/s], 1 Conn, 0 Err
SSL: error:00000000:lib(0):func(0):reason(0)
SSL: error:00000000:lib(0):func(0):reason(0)
SSL: error:00000000:lib(0):func(0):reason(0)
SSL: error:00000000:lib(0):func(0):reason(0)
SSL: error:00000000:lib(0):func(0):reason(0)

LiteSpeed immediately blacklisted the IP and rejected SSL connections from that IP. Actually, normal HTTP connections will be rejected as well.

How about the form of attack in their private release, which repeatedly reestablish new HTTPS connections instead of using SSL negotiation?

We have an answer as well, Stay tuned!

To be continued…


Categories:Anti-DDoS , Security

Related Posts


Comments