Hello,

I guess this is the right place for discussing possible denial of service (DoS) attacks for Apache, using mod_ssl, using OpenSSL, when there are OpenSSL messages emitted in the apache log files. Only the SSL interface is affected. If not, please ignore this message.

So, I am running a Web server: Apache/1.3.31 (Unix) mod_ssl/2.8.19 OpenSSL/0.9.7d mod_perl/1.29

In the last days the HTTPS interface is practically inaccessible, while the HTTP works perfectly. I am afraid of a DoS attack.
- When connecting through a browser (e.g. Firefox, IE), the connection is immediately dropped. It takes about 10 reloads for the page to be presented.
- When connected through the OpenSSL client, most of the time, but not always, we get:
~~~~~~~~~~~~~~~~~
$ openssl s_client -connect 10.254.254.18:443
CONNECTED(00000003)
371:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226: (occurred 6 times in a row)
~~~~~~~~~~~~~~~~~
(The connection is established directly to the Web server, not through the internet socket redirection daemon, in order to isolate the problem)


In the apache log files, the OpenSSL errors are three times more than the days before the problem occurred:
~~~~~~~~~~~~~~~~~
(( 'Message type' => 'number of times occurred during the day' ))
'OpenSSL: 0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table' => '31',
'OpenSSL: 1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number' => '12',
'OpenSSL: 140EC071:SSL routines:SSL2_READ_INTERNAL:bad mac decode [Hint: Browser still remembered details of a re-created server certificate?]' => '9',
'OpenSSL: 140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol [Hint: speaking not SSL to HTTPS port!?]' => '5',
'OpenSSL: 1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]' => '3',
'OpenSSL: 140BA041:SSL routines:SSL_new:malloc failure' => '8'
'OpenSSL: 1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac' => '2',
'OpenSSL: 0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error' => '1',
'OpenSSL: 0D06703A:asn1 encoding routines:a2i_ASN1_STRING:nested asn1 error' => '1',
'OpenSSL: 0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag' => '1',
~~~~~~~~~~~~~~~~~
Do these patterns allow you to identify a known attack that exploits any known OpenSSL 0.9.7d vulnerabilities? Any other ideas?

Regards,
Kostas

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
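
The per-day tally of OpenSSL messages described in the post can be produced and compared against earlier days as follows. This is an added example, not part of the original message; the log line layout (`[DD/Mon/YYYY HH:MM:SS pid] [level] OpenSSL: ...`), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed layout: "[DD/Mon/YYYY HH:MM:SS pid] [level] OpenSSL: <code>:<lib>:<func>:<reason> [Hint: ...]"
LINE_RE = re.compile(
    r"^\[(?P<day>\d{2}/\w{3}/\d{4}) [^\]]*\].*?OpenSSL: (?:error:)?"
    r"(?P<code>[0-9A-F]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^\[]+)"
)

def tally(lines):
    """Count OpenSSL messages per day, keyed by (code, function, reason)."""
    per_day = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # lines that are not OpenSSL messages are skipped
            key = (m["code"], m["func"], m["reason"].strip())
            per_day[m["day"]][key] += 1
    return per_day

def compare(per_day, day, baseline_days, factor=3.0):
    """Split the message types seen on `day` into spiking and previously unseen."""
    spiking, new = [], []
    for key, count in per_day[day].items():
        mean = sum(per_day[d][key] for d in baseline_days) / len(baseline_days)
        if mean == 0:
            new.append((key, count))            # never logged during the baseline
        elif count >= factor * mean:
            spiking.append((key, count, mean))  # at least `factor` times the baseline mean
    return spiking, new

# Constructed sample lines (not taken from the poster's logs).
WRONG_VER = "OpenSSL: 1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number"
UNKNOWN = ("OpenSSL: 140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol "
           "[Hint: speaking not SSL to HTTPS port!?]")
MALLOC = "OpenSSL: 140BA041:SSL routines:SSL_new:malloc failure"
SAMPLE = (
    [f"[01/Oct/2004 09:00:01 4242] [error] {WRONG_VER}",
     f"[01/Oct/2004 09:05:10 4243] [error] {UNKNOWN}",
     f"[02/Oct/2004 11:20:33 4250] [error] {WRONG_VER}",
     "[02/Oct/2004 11:21:00 4250] [info]  Connection to child 3 closed"]
    + [f"[03/Oct/2004 10:0{i}:00 4301] [error] {WRONG_VER}" for i in range(4)]
    + [f"[03/Oct/2004 10:10:00 4302] [error] {UNKNOWN}"]
    + [f"[03/Oct/2004 10:1{i}:30 4303] [error] {MALLOC}" for i in (1, 2)]
)

if __name__ == "__main__":
    spiking, new = compare(tally(SAMPLE), "03/Oct/2004", ["01/Oct/2004", "02/Oct/2004"])
    print("spiking:", spiking)
    print("new:", new)
```

Message types that appear only on the problem day are reported separately from those that merely increased, which keeps a newly appearing entry such as `SSL_new:malloc failure` from being lost among the routine client-side protocol errors.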
