SSL/TLS Exhaustion Attacks are a type of application layer Distributed Denial of Service (DDoS) attack that targets the computational overhead of establishing encrypted connections.
How SSL/TLS Exhaustion Attacks Work
The SSL/TLS handshake is a multi-step process that involves key exchange, certificate validation, and encryption setup. This process is computationally expensive for the server but relatively lightweight for the client. Attackers take advantage of this asymmetry by sending a flood of SSL/TLS handshake requests, forcing the server to allocate resources for each handshake. In some cases, attackers deliberately fail to complete the handshake, keeping the server tied up with incomplete connections.
What SSL/TLS Exhaustion Attacks Look Like in Logs
1. High Volume of SSL/TLS Handshake Requests
A sudden spike in handshake requests overwhelms the server’s ability to process new connections.
Log Example (SSL/TLS Logs):
[Nov 21 17:15:01] 192.168.1.100: Handshake initiated, protocol: TLS 1.2
[Nov 21 17:15:01] 192.168.1.101: Handshake initiated, protocol: TLS 1.2
[Nov 21 17:15:01] 192.168.1.102: Handshake initiated, protocol: TLS 1.2
[Nov 21 17:15:01] 192.168.1.103: Handshake initiated, protocol: TLS 1.2
2. Incomplete Handshakes
Attackers may fail to complete the handshake, leaving the server with half-open SSL/TLS connections.
Log Example (Connection Monitoring Tools):
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 10 0 10.0.0.1:443 192.168.1.100:12345 SYN_RECV
tcp 10 0 10.0.0.1:443 192.168.1.101:12346 SYN_RECV
tcp 10 0 10.0.0.1:443 192.168.1.102:12347 SYN_RECV
3. Repeated Invalid Certificates
Where the server requests client certificates (mutual TLS), attackers may present invalid or expired certificates to overload its validation mechanisms.
Log Example (SSL/TLS Logs):
[Nov 21 17:16:01] Certificate validation failed: invalid issuer
[Nov 21 17:16:02] Certificate validation failed: expired certificate
[Nov 21 17:16:03] Certificate validation failed: invalid issuer
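As an added example (not part of the original article), the following Python script turns the three log signatures above into simple detection logic: it counts handshake initiations per second, counts not-yet-established connections to port 443 per source from netstat-style output, and tallies certificate validation failures by reason. The sample lines mirror the formats shown above but are constructed, and the thresholds are illustrative rather than tuned to a real baseline.

```python
import re
from collections import Counter
# Constructed sample input in the two log formats shown above (not real captures).
TLS_LOG = """\
[Nov 21 17:15:01] 192.168.1.100: Handshake initiated, protocol: TLS 1.2
[Nov 21 17:15:01] 192.168.1.101: Handshake initiated, protocol: TLS 1.2
[Nov 21 17:15:01] 192.168.1.102: Handshake initiated, protocol: TLS 1.2
[Nov 21 17:15:01] 192.168.1.103: Handshake initiated, protocol: TLS 1.2
[Nov 21 17:15:30] 192.168.1.50: Handshake initiated, protocol: TLS 1.3
[Nov 21 17:16:01] Certificate validation failed: invalid issuer
[Nov 21 17:16:02] Certificate validation failed: expired certificate
[Nov 21 17:16:03] Certificate validation failed: invalid issuer
"""
NETSTAT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 10 0 10.0.0.1:443 192.168.1.100:12345 SYN_RECV
tcp 10 0 10.0.0.1:443 192.168.1.101:12346 SYN_RECV
tcp 10 0 10.0.0.1:443 192.168.1.102:12347 SYN_RECV
tcp 0 0 10.0.0.1:443 192.168.1.50:40000 ESTABLISHED
"""
HANDSHAKE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<ip>\S+): Handshake initiated")
CERT_FAIL_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] Certificate validation failed: (?P<reason>.+)$")

def handshakes_per_second(log):
    """Signature 1: count handshake initiations per timestamp (second granularity)."""
    return Counter(m["ts"] for m in map(HANDSHAKE_RE.match, log.splitlines()) if m)

def cert_failure_reasons(log):
    """Signature 3: tally certificate validation failures by reason."""
    return Counter(m["reason"] for m in map(CERT_FAIL_RE.match, log.splitlines()) if m)

def half_open_by_source(netstat_output, local_port=443):
    """Signature 2: per-source count of connections to local_port that are not ESTABLISHED."""
    counts = Counter()
    for line in netstat_output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) >= 6 and cols[0] == "tcp" and cols[3].endswith(f":{local_port}") and cols[5] != "ESTABLISHED":
            counts[cols[4].rsplit(":", 1)[0]] += 1  # strip the ephemeral source port
    return counts

def alerts(log, netstat_output, hs_per_sec=3, half_open_max=2, cert_fail_max=2):
    """Apply thresholds (tuned for the sample; derive real values from a traffic baseline)."""
    found = [f"{ts}: {n} handshakes in one second"
             for ts, n in handshakes_per_second(log).items() if n >= hs_per_sec]
    half_open = half_open_by_source(netstat_output)
    if sum(half_open.values()) >= half_open_max:
        found.append(f"{sum(half_open.values())} half-open :443 connections from {len(half_open)} sources")
    if sum(cert_failure_reasons(log).values()) >= cert_fail_max:
        found.append("repeated certificate validation failures")
    return found
```

Calling `alerts(TLS_LOG, NETSTAT)` on the sample returns one alert per signature; the single TLS 1.3 handshake at 17:15:30 and the ESTABLISHED connection are correctly left out.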