Nexusguard Blog

January 31, 2023

Protecting against SSL/TLS Flood Attacks

With the vast majority of webpages worldwide loaded over HTTPS, protection against encrypted DDoS flood attacks is becoming increasingly critical to organizations. While traffic encryption is vital for protecting user privacy and maintaining data security, it also opens the door to a new breed of DDoS attacks. Encrypted connections require 15 times more resources from the destination server, so attackers can launch highly destructive attacks using only a relatively small number of connections, which makes them attractive to cyber criminals.

SSL/TLS Renegotiation


HTTPS is a widely used extension to secure HTTP communication over a computer network. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS), formerly Secure Sockets Layer (SSL). 

HTTPS encrypts communications through an asymmetric public key infrastructure that uses:

- Public keys for data encryption
- Private keys known only to the owner; for example, a web server uses its private key to decrypt data that was encrypted with its public key

The TLS handshake is the most computationally intensive part of the process.

Starting a new handshake inside an existing secure session, over the same TCP connection, is called renegotiation.

What is an SSL/TLS Flood Attack?


An SSL Flood or SSL Renegotiation attack takes advantage of the processing power needed to negotiate a secure TLS connection on the server side. It either sends copious amounts of garbage data to the server or constantly asks to renegotiate the connection, thus straining the server’s resources beyond its limits, ultimately knocking it offline.


SSL Flood Protection using Nexusguard Services


As part of its hybrid attack mitigation solution, Nexusguard offers unique proprietary mitigation services that support all common versions of SSL and TLS, and protect against all types of state exhaustion flood attacks.


Origin Protection (OP) Enhancements

Applicable only to the HTTPS protocol, Nexusguard Origin Protection provides added protection at the network layer to counter SSL session layer attacks, preventing target server connections and processing power from being impeded. With this enhancement, malformed requests are dropped immediately, while flow control is employed to limit the number of SSL/TLS handshakes during SSL renegotiation in order to ensure high server availability.


Figure 1 - SSL/TLS Flood Protection using Nexusguard OP

Application Protection (AP) Enhancements

With OP’s added protection against SSL flood attacks at the network layer, Nexusguard Application Protection is further boosted with an additional layer of defense in front of AppShield, ensuring malformed requests are instantly dropped. Furthermore, flow control is implemented to curb the number of SSL/TLS handshakes during SSL renegotiation, guaranteeing server availability, even during an attack. 

Figure 2 - SSL/TLS Flood Protection using Nexusguard AP
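The flow-control step that both the OP and AP sections above describe (limiting the number of SSL/TLS handshakes a source may perform during renegotiation) can be modelled as a per-source sliding-window limiter. The following is an added example, not Nexusguard's code; the threshold, window length, addresses and event stream are assumed values constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed policy values for this example; a real deployment tunes them to its traffic.
MAX_HANDSHAKES = 5      # handshakes (initial + renegotiations) allowed per source
WINDOW_SECONDS = 10.0   # sliding window over which they are counted


class HandshakeLimiter:
    """Sliding-window counter of handshake attempts per source address."""

    def __init__(self, max_handshakes=MAX_HANDSHAKES, window=WINDOW_SECONDS):
        self.max_handshakes = max_handshakes
        self.window = window
        self.history = defaultdict(deque)  # source -> timestamps of recent handshakes

    def allow(self, source, ts):
        """Return True if this handshake may proceed, False if it must be refused."""
        recent = self.history[source]
        while recent and ts - recent[0] >= self.window:
            recent.popleft()  # forget attempts that fell out of the window
        if len(recent) >= self.max_handshakes:
            return False      # source is renegotiating faster than policy allows
        recent.append(ts)
        return True


def apply_flow_control(events, limiter=None):
    """Run events (ts, source, kind) through the limiter; return allowed/refused counts."""
    limiter = limiter or HandshakeLimiter()
    allowed, refused = defaultdict(int), defaultdict(int)
    for ts, source, _kind in events:
        if limiter.allow(source, ts):
            allowed[source] += 1
        else:
            refused[source] += 1
    return dict(allowed), dict(refused)


# Constructed sample events. The first source behaves normally: one handshake and one
# renegotiation. The second source opens a connection and then asks to renegotiate
# eight times within a second, the pattern of an SSL renegotiation flood.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.7", "handshake"),
    (0.5, "198.51.100.9", "handshake"),
    *[(1.0 + 0.1 * i, "198.51.100.9", "renegotiate") for i in range(8)],
    (4.0, "203.0.113.7", "renegotiate"),
]

if __name__ == "__main__":
    ok, dropped = apply_flow_control(SAMPLE_EVENTS)
    print("allowed:", ok)       # {'203.0.113.7': 2, '198.51.100.9': 5}
    print("refused:", dropped)  # {'198.51.100.9': 4}
```

The normal client is never throttled, while the flooding source gets its first five handshakes and is refused thereafter until its earlier attempts age out of the window.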


Continuous enhancements made to Nexusguard Application Protection and Origin Protection provide full, scalable, lowest-latency protection against SSL/TLS encrypted attacks. For comprehensive protection against a multitude of DDoS attack types, Nexusguard Application Protection is highly recommended for enterprises and service providers who wish to protect valuable assets.

For further information, please read about Nexusguard’s Application Protection and Origin Protection services.