> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Jeffrey Walton
> Sent: Thursday, December 11, 2014 16:26
> To: OpenSSL Users List
> Subject: Re: [openssl-users] CVE-2011-1473 fixed version
>
> > I wasn't involved at the time, but reading about it now CVE-2011-1473
> > essentially says (as I understand it) that if you fire lots of SSL
> > handshakes at a server it could cause a DoS because it is much cheaper
> > on the client side than it is on the server side.
>
> That's pretty disingenuous. You can open lots of connections to a server and
> eventually the server will exhaust resources. Sigh....
>
> I've got an improvement on the attack: use a botnet to have compromised
> hosts open one or two connections each to evade firewalls....

Well, yes, except that we've had mitigations for simple connection-flood DoS attacks since the mid-1990s (RED in 1993, SYN Cookies in 1996, and so on). Protocol-specific DoS attacks are more sophisticated and in general more difficult to defend against, so they merit separate discussion.

--
Michael Wojcik
Technology Specialist, Micro Focus
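As an added example (not from this thread and not OpenSSL code), the following defender-side check illustrates the distinction drawn above: a connection-rate limiter counts connections, but a renegotiation flood rides on a single connection, so the handshake count per connection has to be watched separately. The log format, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed assumptions: one log line per handshake the server performed,
# "<epoch_seconds> <client_ip> <connection_id>", emitted both for the initial
# handshake and for every renegotiation on an existing connection.
WINDOW_SECONDS = 60
MAX_RENEGOTIATIONS_PER_CONN = 3   # assumed baseline; ordinary clients rarely renegotiate
MAX_HANDSHAKES_PER_CLIENT = 20    # assumed baseline across all of a client's connections

def find_handshake_abuse(lines, window=WINDOW_SECONDS,
                         conn_limit=MAX_RENEGOTIATIONS_PER_CONN,
                         client_limit=MAX_HANDSHAKES_PER_CLIENT):
    """Return (flagged_connections, flagged_clients).

    Each is {key: timestamp at which the sliding-window count first exceeded
    the limit}. The per-connection count catches renegotiation floods that a
    connection-rate limiter never sees, because they use one TCP connection;
    the per-client count catches a client opening many short connections.
    """
    per_conn = defaultdict(deque)
    per_client = defaultdict(deque)
    flagged_conns, flagged_clients = {}, {}
    for line in lines:
        ts_s, ip, conn = line.split()
        ts = float(ts_s)
        for key, table, limit, out in ((conn, per_conn, conn_limit, flagged_conns),
                                       (ip, per_client, client_limit, flagged_clients)):
            q = table[key]
            q.append(ts)
            while ts - q[0] > window:      # drop events that fell out of the window
                q.popleft()
            # the first handshake on a connection is its setup; the rest are renegotiations
            count = len(q) - 1 if table is per_conn else len(q)
            if count > limit and key not in out:
                out[key] = ts
    return flagged_conns, flagged_clients

# Constructed sample: one connection renegotiating 30 times in 15 seconds,
# next to two clients behaving normally.
SAMPLE_LOG = (
    [f"{1000 + i * 0.5:.1f} 10.0.0.5 c1" for i in range(31)]
    + ["1001.0 10.0.0.9 c2", "1002.0 10.0.0.9 c3", "1003.0 10.0.0.7 c4"]
)

if __name__ == "__main__":
    conns, clients = find_handshake_abuse(SAMPLE_LOG)
    print("renegotiation floods:", conns)
    print("handshake-heavy clients:", clients)
```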