sslsqueeze_rx - A signature-based iRule countermeasure for the SSL handshake attack tool sslsqueeze

Contributed by: David Holmes

Description

Ideally, when faced with an SSL handshake attack, you would use the ssl_hx_rlimit iRule, which enforces good SSL behavior on the clients. However, there are cases where that iRule won't work, for example when the attacker is mixing bogus handshakes in with valid requests coming from the same mega-proxy address.
There may be other pathological cases as well where ssl_hx_rlimit fails and you just need a quick fix to put in place. The sslsqueeze_rx iRule is that quick fix.
It has these benefits:
  • Extremely fast.
  • No additional memory requirements.
  • Can handle the mega-proxy cases.

But also this main drawback:
  • Very easy for an attacker to change the attack signature.

sslsqueeze_rx works because the sslsqueeze tool sends the exact same ClientHello every time. As a hexstring it is:
16030000310100002d03${lz}6000a0004002f0100
where $lz is 71 zeros
Decoded, that is a single 54-byte SSL 3.0 handshake record (version 0x0300 in both the record header and the hello itself) carrying a ClientHello whose 32-byte random field is all zeros, whose session ID is empty, that offers exactly three cipher suites in this order, 0x000a (TLS_RSA_WITH_3DES_EDE_CBC_SHA), 0x0004 (TLS_RSA_WITH_RC4_128_MD5) and 0x002f (TLS_RSA_WITH_AES_128_CBC_SHA), and that lists null compression only. Therefore, all a signature-based system has to do is look for this exact packet at the start of the connection and block it. If the attacker changes the ClientHello at all, you would have to update static::sxch to the new signature. In particular, a determined attacker would fill the 32-byte random field with real random data rather than zeros, which defeats an exact match. If that happens you can still key off the specific three-cipher list that sslsqueeze sends, which stays the same even when the random bytes change, until the attacker changes that too.
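To make the signature concrete, the following is an added example, not part of this page or of the sslsqueeze_rx iRule: a small ClientHello parser that decodes the bytes behind static::sxch, the exact byte-for-byte check the iRule performs, and the looser cipher-suite check suggested above. The "randomized variant" input is constructed for the example by overwriting the 32 random bytes; the suite names are the IANA names for those code points.

```python
# Added example (not from the DevCentral page or the sslsqueeze_rx iRule).
# Decode the 54-byte sslsqueeze ClientHello and implement two detectors:
# the exact-signature match the iRule does, and a cipher-suite match that
# survives an attacker randomising the 32 random bytes.
import struct

LZ = "0" * 71
# Same hexstring as static::sxch in the iRule: 108 hex digits = 54 bytes.
SSLSQUEEZE_HELLO_HEX = "16030000310100002d03" + LZ + "6000a0004002f0100"
# Cipher suites carried in that hello, in the order sent:
# 0x000A TLS_RSA_WITH_3DES_EDE_CBC_SHA, 0x0004 TLS_RSA_WITH_RC4_128_MD5,
# 0x002F TLS_RSA_WITH_AES_128_CBC_SHA.
SSLSQUEEZE_SUITES = (0x000A, 0x0004, 0x002F)


def parse_client_hello(data: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello.

    Extensions, if any, are returned raw. Raises ValueError on anything that
    is not a well-formed ClientHello, so a detector can treat malformed input
    as "no match" instead of crashing.
    """
    if len(data) < 9:
        raise ValueError("too short for a handshake record")
    rec_type, rec_version, rec_len = struct.unpack("!BHH", data[:5])
    if rec_type != 0x16:
        raise ValueError("not a handshake record")
    if rec_len != len(data) - 5:
        raise ValueError("record length does not match data length")
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_type != 0x01:
        raise ValueError("not a ClientHello")
    body = data[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("handshake length does not match data length")
    try:
        off = 0
        client_version = struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        client_random = body[off:off + 32]
        off += 32
        sid_len = body[off]
        off += 1
        session_id = body[off:off + sid_len]
        off += sid_len
        cs_len = struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        if cs_len % 2:
            raise ValueError("odd cipher suite length")
        suites = [struct.unpack("!H", body[i:i + 2])[0]
                  for i in range(off, off + cs_len, 2)]
        off += cs_len
        comp_len = body[off]
        off += 1
        compression = list(body[off:off + comp_len])
        off += comp_len
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc
    return {
        "record_version": rec_version,
        "client_version": client_version,
        "random": client_random,
        "session_id": session_id,
        "cipher_suites": suites,
        "compression": compression,
        "extensions_raw": body[off:],
    }


def matches_exact_signature(data: bytes) -> bool:
    """The check the iRule performs: the first 54 bytes equal static::sxch."""
    return data[:54].hex() == SSLSQUEEZE_HELLO_HEX


def matches_cipher_signature(data: bytes) -> bool:
    """Looser check: the same three suites in the same order, null compression.

    Survives an attacker filling in the random field, but not a change to the
    cipher list, so it is still a signature, not a behavioural control.
    """
    try:
        hello = parse_client_hello(data)
    except ValueError:
        return False
    return (tuple(hello["cipher_suites"]) == SSLSQUEEZE_SUITES
            and hello["compression"] == [0])


def randomized_variant(hello: bytes, filler: int = 0xAB) -> bytes:
    """Constructed variant: the same hello with its 32 random bytes replaced.

    The random field sits at bytes 11..42 (5-byte record header, 4-byte
    handshake header, 2-byte client version).
    """
    return hello[:11] + bytes([filler]) * 32 + hello[43:]


if __name__ == "__main__":
    original = bytes.fromhex(SSLSQUEEZE_HELLO_HEX)
    for name, pkt in (("original", original),
                      ("randomized", randomized_variant(original))):
        hello = parse_client_hello(pkt)
        print(name, [hex(s) for s in hello["cipher_suites"]],
              "exact:", matches_exact_signature(pkt),
              "cipher:", matches_cipher_signature(pkt))
```

The exact check fails on the randomized variant while the cipher-suite check still fires, which is the fallback the description points to; a non-TLS first segment parses as "not a handshake record" and matches neither.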

iRule Source

# sslsqueeze_rx
#
# iRule to deflect the sslsqueeze attack. Very specific to the initial version of the
# sslsqueeze POC code: an attacker could modify sslsqueeze to get around this detector.
#
# David Holmes <d.holmes @ f5.com>
#
proc debugmsg { str } {
    if { $static::debug_me } {
        log local0.info $str
    }
}

when RULE_INIT {
    # log debug info?
    set static::debug_me false

    # this is what the sslsqueeze ClientHello looks like as a hexstring:
    # 108 hex digits = 54 bytes, with 71 zeros between the "03" and the "6"
    # (SSL 3.0 version, 32 all-zero random bytes, empty session ID, then
    # cipher suites 000a 0004 002f and null compression)
    set lz [string repeat 0 71]
    set static::sxch  "16030000310100002d03${lz}6000a0004002f0100"
}

when CLIENT_ACCEPTED {
    # hold the first 54 bytes, exactly the size of the sslsqueeze ClientHello
    TCP::collect 54
}

when CLIENT_DATA {
    # hex-encode the collected payload and compare it to the signature
    binary scan [TCP::payload] H* ch
    if { $ch eq $static::sxch } {
        call debugmsg "Looks like sslsqueeze, rejecting connection from [IP::client_addr]:[TCP::client_port]"
        reject
    } else {
        # (Tcl requires "else" on the same line as the closing brace)
        # not the sslsqueeze hello: pass the collected bytes on unchanged
        TCP::release
    }
}

The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.