marcosArruda / rfc5766-turn-server

Automatically exported from code.google.com/p/rfc5766-turn-server

Turnserver resource exhaustion via a TLS/SSL client-side renegotiation attack.

GoogleCodeExporter opened this issue · comments

The turn server is susceptible to a client side initiated TLS renegotiation 
attack.  This attack will consume all processor resources on the host which in 
turn effectively takes down the turn server.

This can be easily reproduced using the THC-SSL DoS tool from a single PC.


Currently using rfc5766-turn-server-3.2.4.1-1.1_1.0.7.2 on SLES 11 SP3 with 
OpenSSL 1.0.1h/i.


Other products are mitigating this attack vector, such as Apache, Nginx, IIS.  

Two possible solutions.  

1) Create a flag which enables/disables client side renegotiation.
2) Implement a limiter.  Nginx is a good example.  
http://nodejs.org/api/tls.html#tls_client_initiated_renegotiation_attack_mitigation


https://github.com/joyent/node/issues/2726


Original issue reported on code.google.com by bdotstad...@gmail.com on 4 Sep 2014 at 7:05
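The limiter suggested as option 2 above, written out as an added example in C (this is not turnserver code and not from this thread). It keeps a per-connection ring of accepted renegotiation times and refuses any renegotiation beyond a fixed count inside a sliding window, the same shape as Node's mitigation linked above. The limit (3 per 600 s), the names `renego_limiter_t`, `renego_allow` and `simulate_burst`, and the caller-supplied monotonic clock are all assumptions; wiring it in would be the caller's job, for instance from an OpenSSL info callback (`SSL_CTX_set_info_callback`) on `SSL_CB_HANDSHAKE_START` for every handshake after the first on a connection, closing the connection when the function returns 0. For option 1, OpenSSL 1.1.0h and later also expose `SSL_OP_NO_RENEGOTIATION`, which the OpenSSL 1.0.1h/i named in this report does not have.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy (hypothetical values, not from the turnserver project):
 * at most RENEGO_LIMIT client-initiated renegotiations per connection
 * inside any RENEGO_WINDOW_SECS-second window. */
#define RENEGO_LIMIT 3
#define RENEGO_WINDOW_SECS 600

/* Per-connection state: a ring of the timestamps (monotonic seconds) of the
 * most recently accepted renegotiations. */
typedef struct {
    uint64_t stamps[RENEGO_LIMIT];
    int count; /* valid entries in stamps */
    int head;  /* ring index of the oldest entry */
} renego_limiter_t;

void renego_init(renego_limiter_t *l) { memset(l, 0, sizeof *l); }

/* Forget accepted renegotiations that have fallen out of the window.
 * `now` is assumed monotonic and never earlier than recorded stamps. */
static void renego_expire(renego_limiter_t *l, uint64_t now) {
    while (l->count > 0 && now - l->stamps[l->head] >= RENEGO_WINDOW_SECS) {
        l->head = (l->head + 1) % RENEGO_LIMIT;
        l->count--;
    }
}

/* Called when the peer starts a renegotiation at time `now` (not for the
 * initial handshake). Returns 1 if it may proceed (and records it), 0 if
 * the connection has hit the limit and should be closed instead of paying
 * for another handshake. */
int renego_allow(renego_limiter_t *l, uint64_t now) {
    renego_expire(l, now);
    if (l->count >= RENEGO_LIMIT)
        return 0;
    int tail = (l->head + l->count) % RENEGO_LIMIT;
    l->stamps[tail] = now;
    l->count++;
    return 1;
}

/* Model a burst of `attempts` back-to-back renegotiation requests on one
 * connection at a single instant, which is the pattern the report describes;
 * returns how many the limiter lets through. */
int simulate_burst(int attempts) {
    renego_limiter_t l;
    renego_init(&l);
    int accepted = 0;
    for (int i = 0; i < attempts; i++)
        accepted += renego_allow(&l, 100);
    return accepted;
}

int main(void) {
    printf("burst of 1000 renegotiations: %d accepted, rest refused\n",
           simulate_burst(1000));
    return 0;
}
```

Only accepted renegotiations are recorded, so a refused connection costs one array lookup rather than a handshake; the window is evaluated lazily on each call, which keeps the per-connection state at a few words.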

Original comment by mom040...@gmail.com on 4 Sep 2014 at 7:20

  • Changed state: Accepted
will be fixed in 3.2.4.4

Original comment by mom040...@gmail.com on 8 Sep 2014 at 8:29

Original comment by mom040...@gmail.com on 9 Sep 2014 at 1:36

Fixed in 3.2.4.4

Original comment by mom040...@gmail.com on 12 Sep 2014 at 6:33

  • Changed state: Fixed