DDoS Blog

Cyber Security News

What are SSL-based DDoS Attacks and How to Mitigate Them

April 20, 2018 By TheNewsTeam

SSL (Secure Sockets Layer) is a standard security protocol used to establish encrypted links between a browser and a server in online communication. Using SSL technology means that all data transmitted between server and browser is encrypted. An SSL or TLS (Transport Layer Security) certificate is a data file that binds a cryptographic key to a specific organization. When an SSL or TLS certificate is installed on a web server, it enables a secure connection between the web server and the browser that connects to it.

SSL-based DDoS attacks can be divided into two categories: (i) protocol misuse attacks, which exploit the SSL protocol itself and can cause denial of service by not allowing the completion of a secure connection; and (ii) SSL traffic floods, in which data is passed over the established secure channel.
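The two categories leave different traces at the point where TLS is terminated. The following is an added detection example, not code from the original article: the record format, thresholds and sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Illustrative thresholds (assumptions; tune against your own baseline traffic).
MIN_ATTEMPTS = 5          # ignore sources with too few handshakes to judge
INCOMPLETE_RATIO = 0.8    # share of handshakes never completed
FLOOD_REQUESTS = 100      # requests per window over completed sessions

# Constructed sample records for one time window, in a hypothetical format:
# (source_ip, handshake_completed, requests_sent_over_session)
SAMPLE_LOG = (
    [("198.51.100.7", False, 0)] * 9 + [("198.51.100.7", True, 1)]
    + [("203.0.113.20", True, 400), ("203.0.113.20", True, 350)]
    + [("192.0.2.15", True, 4), ("192.0.2.15", True, 6),
       ("192.0.2.15", False, 0), ("192.0.2.15", True, 2)]
    + [("192.0.2.99", False, 0)]   # a single dropped connection
)

def classify(records):
    """Label each source as protocol-misuse, encrypted-flood or normal."""
    stats = defaultdict(lambda: {"attempts": 0, "incomplete": 0, "requests": 0})
    for ip, completed, requests in records:
        s = stats[ip]
        s["attempts"] += 1
        if completed:
            # Request counts are only visible where the traffic is decrypted.
            s["requests"] += requests
        else:
            s["incomplete"] += 1

    verdicts = {}
    for ip, s in stats.items():
        ratio = s["incomplete"] / s["attempts"]
        if s["attempts"] >= MIN_ATTEMPTS and ratio >= INCOMPLETE_RATIO:
            # Category (i): many handshakes started, almost none finished.
            verdicts[ip] = "protocol-misuse"
        elif s["requests"] >= FLOOD_REQUESTS:
            # Category (ii): valid sessions carrying an abnormal request volume.
            verdicts[ip] = "encrypted-flood"
        else:
            verdicts[ip] = "normal"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"{ip:15} {verdict}")
```

The minimum-attempts check keeps a single failed handshake from a legitimate client from being flagged.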

SSL-based DDoS attacks are growing in number with encrypted traffic accounting for 25-35% of all inbound and outbound Internet traffic, according to Radware. Organizations are turning to encryption in part because of industry trends such as migration to the cloud, in addition to the fact that the new HTTP/2 Internet protocol mandates the use of encryption in the communication between browser and server.

As encrypted connections rise, the need for SSL inspection and SSL protection solutions becomes increasingly relevant. One in every four web-based DDoS attacks is encrypted, requiring a high-capacity mitigation solution.

DDoS protection services cannot analyse and filter a company’s traffic unless (i) the protection service has the key to decrypt it, as is common with large companies that typically already have their infrastructure managed by third parties, or (ii) the protection service places one of its products on the client’s network. The sole purpose of that product is to deliver content via SSL and send all traffic in plaintext back to the DDoS protection service, which in turn passes only the legitimate traffic through to the company’s internal web servers.

Either approach works, although there are often security concerns around the first. Passing your encryption key to a third party requires replacing at least some technical control with contractual control, which creates greater oversight and audit responsibilities over the third party. The risk of the third party misusing the key can be mitigated in this way. Some companies, such as Prolexic, have recently developed solutions in which they receive temporary, short-lived keys.

Ultimately, it comes down to the reputation of a DDoS protection service and the trust you can place in it to manage its relationship to your encrypted content. Check its compliance and regulatory policies in detail before entering into a relationship.

Filed Under: Mitigation Techniques, SSL-based DDoS Tagged With: cloud, DDoS mitigation, DDoS protection service, encryption, HTTP/2 Internet protocol, Prolexic, Radware, SSL, SSL certificate, SSL DDoS, SSL mitigation, TLS, TLS certificate
