[openssl-users] CVE-2011-1473 fixed version

Michael Wojcik Michael.Wojcik at microfocus.com
Fri Dec 12 12:54:00 UTC 2014


> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Jeffrey Walton
> Sent: Thursday, December 11, 2014 16:26
> To: OpenSSL Users List
> Subject: Re: [openssl-users] CVE-2011-1473 fixed version
> 
> > I wasn't involved at the time, but reading about it now CVE-2011-1473
> > essentially says (as I understand it) that if you fire lots of SSL
> > handshakes at a server it could cause a DoS because it is much cheaper
> > on the client side than it is on the server side.
> That's pretty disingenuous. You can open lots of connections to a server and
> eventually the server will exhaust resources. Sigh....
> 
> I've got an improvement on the attack: use a botnet to have compromised
> hosts open one or two connections each to evade firewalls....

Well, yes, except that we've had mitigations for simple connection-flood DoS attacks since the mid-1990s (RED in 1993, SYN Cookies in 1996, and so on). Protocol-specific DoS attacks are more sophisticated and in general more difficult to defend against, so they merit separate discussion.

-- 
Michael Wojcik
Technology Specialist, Micro Focus
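Michael's point above is that connection-flood defences such as SYN cookies operate before a connection exists, whereas a renegotiation DoS like CVE-2011-1473 runs over a connection the server has already accepted, so it needs its own protocol-level control. The following Python is an added illustration for this thread, not code from the list, from OpenSSL, or from any kernel: it implements a simplified SYN cookie (5-bit time counter, 3-bit MSS index, 24-bit keyed hash, added to the client's ISN) alongside a hypothetical per-connection handshake budget, `RenegotiationLimiter`. The secret key, the MSS table and the use of HMAC-SHA256 as the hash are constructed for the example; production cookies use a kernel-held rotating secret and a different hash.

```python
import hashlib
import hmac
import struct
from collections import defaultdict, deque

# Constructed demo secret; a real implementation keeps a random, periodically
# rotated key inside the kernel.
SECRET = b"constructed-demo-secret"

# Small MSS table addressed by the 3-bit field in the cookie (illustrative
# values, not the exact table any kernel uses).
MSS_TABLE = [536, 1300, 1440, 1460]


def _hash24(src, dst, sport, dport, t):
    """24-bit keyed hash over the 4-tuple and the coarse time counter t."""
    msg = struct.pack("!4s4sHHI", src, dst, sport, dport, t)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src, dst, sport, dport, client_isn, now, mss_idx):
    """Server ISN for the SYN/ACK, carrying all state the server needs.

    Layout (32 bits): 5-bit time counter | 3-bit MSS index | 24-bit hash,
    then added to the client's ISN. Nothing is stored for the half-open
    connection, which is what defeats a SYN flood.
    """
    t = (now // 64) & 0x1F
    cookie = (t << 27) | ((mss_idx & 0x7) << 24) | _hash24(src, dst, sport, dport, t)
    return (cookie + client_isn) & 0xFFFFFFFF


def check_syn_cookie(src, dst, sport, dport, client_isn, ack_num, now):
    """Validate the final ACK of the handshake.

    Returns the recovered MSS index, or None if the cookie was forged, was
    built for a different 4-tuple, or is older than about two minutes.
    """
    cookie = (ack_num - 1 - client_isn) & 0xFFFFFFFF
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    h = cookie & 0xFFFFFF
    # Accept the current counter value and the previous one only.
    if ((now // 64) - t) & 0x1F > 1:
        return None
    expected = _hash24(src, dst, sport, dport, t)
    if not hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return mss_idx


class RenegotiationLimiter:
    """Hypothetical per-connection budget: at most `limit` handshakes in any
    `window` seconds. This is the kind of protocol-specific control a SYN
    cookie cannot supply, because the peer sending renegotiation requests
    already holds a fully established connection."""

    def __init__(self, limit=3, window=60.0):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)

    def allow(self, conn_id, now):
        """Record a handshake attempt; return False once the budget is spent."""
        q = self._events[conn_id]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop attempts that have aged out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    # Constructed sample handshake between 10.0.0.1:40000 and 10.0.0.2:443.
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    now, client_isn = 1_000_000, 0x12345678
    isn = make_syn_cookie(src, dst, 40000, 443, client_isn, now, 2)
    print("valid ACK  ->", check_syn_cookie(src, dst, 40000, 443, client_isn, isn + 1, now + 10))
    print("stale ACK  ->", check_syn_cookie(src, dst, 40000, 443, client_isn, isn + 1, now + 200))
    lim = RenegotiationLimiter(limit=3, window=60.0)
    print("renegotiations allowed:", [lim.allow("conn-1", now + i) for i in range(5)])
```

The two halves are deliberately independent: the cookie check finishes before any connection state exists, while the limiter only starts counting after that state has been created, which is exactly the gap a renegotiation flood exploits.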
