THC has released a DOS tool that exploits SSL renegotiation to perform a denial of service on a given SSL server. It uses renegotiation to constantly trigger new SSL handshakes with the server, using one single TCP connection. See . For more information about renegotiation, see InsecureRenegotiation.

The current version of THC’s SSL DOS tool requires the server to honor client-initiated renegotiations in order to work.


[cc lang=”bash”]$ python –reneg [/cc]


A mitigation against the current version of THC’s SSL DOS tool is to prevent the server from honoring client-initiated renegotiations. However, as explained on their website, “The tool can be modified to work without SSL-RENEGOTIATION by just establishing a new TCP connection for every new handshake”.

Download here