SSL Renegotiation DOS iRule - Updates

There’s been a lot of commentary on the previous post (SSL Renegotiation DOS – an iRule Countermeasure).  Here are some of the updates and corrections.

  • After the previous post went live, Jorge Orchilles called me with a clarification.  According to Jorge, the French group “Hacker’s Choice” posted their proof-of-concept tool prior to his posting to the IETF working group, not after. In fact, he said “THC released it in February: which is what initiated my research into it.”
  • According to Jorge’s blog (SSL Renegotiation DOS), other vendors have reported seeing this attack in the wild for over a year now. 
  • Recently one of our customers expressed to us that they are experiencing an SSL-related distributed attack.

This means that the attack is less theoretical than the previous post made it sound.

The iRule has received some scrutiny as well.  Jason Rahm had crafted a neat little algorithm that made interesting use of random numbers (as a lookup key) and tables (to keep a sliding window).  With an eye toward optimizing both CPU usage and per-flow memory, here is a version of the iRule that:

  • Uses the normal flow context instead of a random key.
  • Does away with the table and subtable, saving some memory.
  • Adds a log message (leave in or take out at your pleasure).

Thanks again go out to the DevCentral community, not only for helping with this iRule, but also for spreading the word (DevCentral Podast) about SSL attacks and our ability to very quickly deploy countermeasures like these.

when RULE_INIT {
    set static::maxquery
    set static::mseconds 60000
    set ssl_hs_reqs
    incr ssl_hs_reqs
    after $static::mseconds { if {$ssl_hs_reqs > 0} {incr ssl_hs_reqs -1} }
    if { $ssl_hs_reqs > $static::maxquery } {
        after 5000
        log "Handshake attack detected, dropping [IP::client_addr]:[TCP::client_port]"


Published May 16, 2011
Version 1.0

Was this article helpful?

1 Comment

  • We were trying to test this today and got a bit stuck. Is there an easy way to trigger say, 100 https sessions in a row? And where would the log be found -- can we specify the name? We were looking in /var/logs, but didn't see it show up in existing logs as we tried to trigger a test.


    We began analyzing this today, for we suddenly began to get these messages in the GUI, constantly from the orginal version of the rule...


    Mon Oct 14 13:05:15 CDT 2013 err LTM tmm[11044] 01220001 TCL error: /Common/irule_SSLRenegotiationDOSCountermeasure - can't read "flow": no such variable while executing "table delete -subtable reqrate:$flow -all"


    Mon Oct 14 13:05:17 CDT 2013 err LTM tmm1[11044] 01220001 TCL error: /Common/irule_SSLRenegotiationDOSCountermeasure - no serverside connection established (line 1) invoked from within "IP::server_addr"