New denial of service tool knocks out encrypting servers

Lucas Clemente Vella lvella at gmail.com
Wed Oct 26 05:08:56 UTC 2011


2011/10/26 Eric Griffith <egriffith92 at gmail.com>:
> http://www.h-online.com/security/news/item/New-denial-of-service-tool-knocks-out-encrypting-servers-1366564.html
>
> I link the article to make sure everyone sees it; but also to frame a
> question. The "Fix" seems to be to simply disable SSL-Renegotiation so
> that it's not hammered over and over. The question: How do you disable
> SSL Renegotiation on Nginx? I tried googling "Nginx Disable SSL
> Renegotiation" but all that came back was patches to add the ability
> TO disable it in Nginx, no actual config option. Anyone know?

The real thing is here:
http://www.thc.org/thc-ssl-dos/

Just by looking over it, it seems there is no generic solution to the
problem, but a specific defense to this attack could be to limit the
throughput of SSL handshakes, and to queue pending requests,
prioritizing the host with the least number of handshake requests in
this queue. Also, more than a sane number of handshake requests from a
single host could be dropped.

-- 
Lucas Clemente Vella
lvella at gmail.com
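The admission scheme sketched in the reply above (cap handshake throughput, queue pending handshakes, serve the host with the fewest queued handshakes first, and drop anything beyond a per-host limit), written out as a small Python simulation. This is an added illustration, not code from nginx or from the thread; the class name HandshakeScheduler, the tick-based rate model and the host names are all constructed for the example.

```python
from collections import defaultdict, deque


class HandshakeScheduler:
    """Admission control for TLS handshake requests (constructed example).

    - submit(): a host may have at most max_per_host handshakes pending;
      anything beyond that is dropped and recorded.
    - tick(): at most rate_per_tick handshakes are served per tick, and the
      host with the fewest pending handshakes is always chosen first, so a
      single host flooding renegotiations cannot starve the others.
    """

    def __init__(self, rate_per_tick, max_per_host):
        self.rate_per_tick = rate_per_tick
        self.max_per_host = max_per_host
        self.pending = defaultdict(deque)  # host -> queue of request ids
        self.dropped = []                  # (host, request id) pairs refused

    def submit(self, host, req_id):
        """Queue a handshake request; return False if it was dropped."""
        queue = self.pending[host]
        if len(queue) >= self.max_per_host:
            self.dropped.append((host, req_id))
            return False
        queue.append(req_id)
        return True

    def tick(self):
        """Serve up to rate_per_tick handshakes, least-loaded host first."""
        served = []
        for _ in range(self.rate_per_tick):
            # Candidates are hosts with something pending; pick the one with
            # the shortest queue (ties broken by host name for determinism).
            candidates = [(len(q), host) for host, q in self.pending.items() if q]
            if not candidates:
                break
            _, host = min(candidates)
            served.append((host, self.pending[host].popleft()))
        return served


def simulate():
    """One flooding host against two ordinary hosts (constructed scenario)."""
    sched = HandshakeScheduler(rate_per_tick=4, max_per_host=10)
    for i in range(50):                      # flooding host: 50 handshakes
        sched.submit("flooder", "f%d" % i)
    sched.submit("alice", "a1")              # ordinary hosts: 1 each
    sched.submit("bob", "b1")
    first_tick = sched.tick()
    return {
        "dropped": len(sched.dropped),
        "first_tick_hosts": [host for host, _ in first_tick],
        "flooder_left": len(sched.pending["flooder"]),
    }


if __name__ == "__main__":
    print(simulate())
```

With a cap of 10 pending handshakes per host, 40 of the flooder's 50 requests are refused outright, and the first tick serves alice and bob before touching the flooder's queue, which is the prioritisation the reply proposes.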


