I was reading an article about a theoretical exploit of SSL at the Internet Storm Center’s Diary. Of course, SSL is the security protocol that is supposed to give us a warm fuzzy when we send our credit card information over the internet; but that security comes at a price. I’ve worked with a few SSL off-load devices and load balancers over the years, and the fact that there’s a market for such a thing should tell you something. As the article points out, the critical metric for these devices is sessions established per second. Our modern information security model is math intensive by design, and that makes the security mechanism itself a bottleneck and a potential exploit, at least for a denial of service attack (hopefully nothing as nasty as a buffer overflow).
For a real life example of this, consider the TSA inspection points at the airports; the search of the bags and of your person is somewhat time intensive, and it’s something that everyone (or most everyone, anyway) has to go through. For those who remember pre-9/11, when we weren’t quite as concerned about security in the US, this process didn’t exist, and people could move more quickly through the airport (generally speaking!). Last year, some people were trying to protest the relatively new body scanners by opting for a hand search, hoping to bog down the system during the holiday rush. It seems like an utter failure in retrospect, due to lack of participation, but it might have been nasty. On the other hand, I’m not sure that airports are too concerned about having too many people in their terminals, between the new restrictions about who is allowed through, and the restrictions on the flow of foot traffic caused by the inspection lines.
In the same respect, if an attack against SSL could shut down the security mechanism on a server without approaching the maximum bandwidth of that server, it could be possible to initiate a denial of service with far fewer attack devices. As the article points out, even scaling up with off-load devices is not as much protection as in the past, since the ratio of attackers to targets is still much more favorable than in a bandwidth attack, which is fairly brute-force and resource intensive. Currently, this type of attack is theoretical, but the article was written to call attention to a proof of concept tool developed by a hacker group, so it may be in our future. These types of clever denial of service attacks are not new; vulnerabilities in the ICMP protocol (smurf attack) and the TCP/IP stack (teardrop attack) have been exploited this way in the past, when a small amount of data could be crafted with malicious intent, before the advent of the ‘zombie armies’ of hijacked PCs doing the bidding of a botnet.
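Since sessions established per second is the metric that matters here, one defensive check is to watch how many handshakes each client completes in a short window and flag the ones that are consuming a disproportionate share of that capacity. The following is an added example, not code from the article or from any tool it mentions; the handshake event list and the window and threshold values are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample of completed TLS handshake events as (timestamp_seconds, client_ip).
# These are illustrative values only, not data from the article.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.5"), (0.1, "198.51.100.7"), (0.2, "203.0.113.5"),
    (0.3, "203.0.113.5"), (0.4, "203.0.113.5"), (0.5, "203.0.113.5"),
    (0.6, "198.51.100.7"), (0.7, "203.0.113.5"), (0.8, "203.0.113.5"),
    (2.5, "203.0.113.5"), (2.6, "198.51.100.7"),
]


def peak_handshake_rates(events, window=1.0):
    """Return {client_ip: max number of handshakes seen in any sliding
    window of `window` seconds}. `events` must be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = defaultdict(int)
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have aged out of the window for this client.
        while q and ts - q[0] > window:
            q.popleft()
        peaks[ip] = max(peaks[ip], len(q))
    return dict(peaks)


def handshake_rate_alerts(events, window=1.0, threshold=5):
    """Return the set of client IPs whose peak handshake rate exceeds
    `threshold` handshakes per `window` seconds. Such a client is spending
    server CPU on key exchange far faster than a normal browser would,
    which is the asymmetry the text describes."""
    peaks = peak_handshake_rates(events, window)
    return {ip for ip, count in peaks.items() if count > threshold}


if __name__ == "__main__":
    for ip, count in sorted(peak_handshake_rates(SAMPLE_EVENTS).items()):
        print(f"{ip}: peak {count} handshakes per 1.0s window")
    print("flagged:", handshake_rate_alerts(SAMPLE_EVENTS))
```

The threshold is a constructed number; in practice it would be set from the off-load device's measured sessions-per-second capacity and normal client behaviour, and a flagged client would be rate limited rather than blocked outright.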
It’s important in system design to make sure that a security mechanism doesn’t introduce new vulnerabilities, or at least to make sure that those vulnerabilities are considered and mitigated.