GrigoryevSA / rfc5766-turn-server

Automatically exported from code.google.com/p/rfc5766-turn-server
0 stars 0 forks source link

Turnserver resource exhaustion via a TLS/SSL client-side renogiation attack. #136

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The turn server is susceptible to a client side initiated TLS renegotiation 
attack.  This attack will consume all processor resources on the host which in 
turn effectively takes down the turn server.

This can be easily reproduced using the THC-SSL DoS tool from a single PC.

Currently using rfc5766-turn-server-3.2.4.1-1.1_1.0.7.2 on SLES 11 SP3 with 
OpenSSL 1.0.1h/i.

Other products are mitigating this attack vector, such as Apache, Nginx, IIS.  

Two possible solutions.  

1) Create a flag which enables/disables client side renegotiation.
2) Implement a limiter.  Nginx is a good example.  
http://nodejs.org/api/tls.html#tls_client_initiated_renegotiation_attack_mitigat
ion 

https://github.com/joyent/node/issues/2726

Original issue reported on code.google.com by bdotstad...@gmail.com on 4 Sep 2014 at 7:05

GoogleCodeExporter commented 8 years ago

Original comment by mom040...@gmail.com on 4 Sep 2014 at 7:20

GoogleCodeExporter commented 8 years ago
will be fixed in 3.2.4.4

Original comment by mom040...@gmail.com on 8 Sep 2014 at 8:29

GoogleCodeExporter commented 8 years ago

Original comment by mom040...@gmail.com on 9 Sep 2014 at 1:36

GoogleCodeExporter commented 8 years ago
Fixed in 3.2.4.4

Original comment by mom040...@gmail.com on 12 Sep 2014 at 6:33