A German hacking group called The Hacker's Choice has released an attack tool called THC-SSL-DOS that it claims allows the resources of a single PC to take down a web server. What it essentially does is leverage on the fact that establishing a secure SSL connection takes significantly more processing power on the server than on the client.

In this vein, THC-SSL-DOS attempts to inundate a website with secure connection requests, with optimal results on servers that support SSL renegotiation--in which new handshakes are allowed over an existing SSL connection. THC claims that "a laptop on a DSL connection can challenge a server on a 30Gbit link," and "taking on larger server farms who make use of SSL Load balancer required 20 average size laptops and about 120kbit/sec of traffic." 

InfoWorld's Woody Leonhard is not impressed however, observing that SSL renegotiation was already "widely condemned" back in 2009. Indeed, most HTTPS sites today have SSL renegotiation turned off. Leonhard did caution however that some versions of popular web servers have it enabled by default, making it a good idea to double-check.

Other critics have pointed out that THC-SSL-DOS is technically a DDoS (distributed denial of service) tool, and not a DoS (denial of service) attack. Interestingly, at least one flustered reader has responded to the InfoWorld report by writing about being unable to replicate the results even against his "most puny platform."

For more on this story:
- check out this article at Web Host Industry Review
- check out this article at CSO
- check out this article at InfoWorld

Related Articles:
Botnet militia amassing for unknown purpose
The shape of cyberwar to come
Does arresting hackers help?