Can Heartbleed be used in DDoS attacks?

Jeffrey A. Lyon, CISSP-ISSMP, founder of Black Lotus Communications

With nearly every major threat to information security, it is not long before security experts ask the question, "Can the threat play a role in distributed denial of service (DDoS) attacks?" When it comes to Heartbleed, some people are screaming that the sky is falling, but it is more complicated than that.

Software vulnerabilities can create an amplification condition that lets attackers use unsecured systems in the commission of a DDoS attack. For instance, earlier this year a major vulnerability was discovered in the Network Time Protocol (NTP) daemon (its monlist command) that allowed an attacker to send a small request carrying a spoofed source IP address. The result was an amplification factor of as much as 400: the vulnerable server sent up to 400 times as much data back to the spoofed IP address, the target of the DDoS attack, as the attacker had sent to it.

This is more specifically known as a distributed reflection denial of service (DrDoS) attack. The amplification factor is simply the size of the response divided by the size of the request that triggered it. Any User Datagram Protocol (UDP) service, such as NTP or DNS, can be used in this type of attack if it meets three conditions: it is public facing, it responds to requests by sending more data than was used in making the request, and it has no other mechanism for detecting and discarding malicious requests.

How does this relate to Heartbleed?

The Heartbleed vulnerability, tracked as CVE-2014-0160, is a flaw in OpenSSL 1.0.1 through 1.0.1f (fixed in 1.0.1g) that lets an attacker read up to 64 kilobytes of server memory per request using a Transport Layer Security (TLS) HeartbeatRequest message. The attacker sends a heartbeat whose payload_length field claims far more data than the message actually carries; the vulnerable server never checks that claim against the bytes it received and copies the claimed number of bytes into its HeartbeatResponse, making up the difference with whatever happens to sit next to the request in memory. It is the digital equivalent of short-changing a cashier, only here the change handed back is confidential data, such as SSL private keys and login credentials.
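The over-read described above, as an added example in Python (not code from the article or from OpenSSL): a heartbeat handler that trusts payload_length, beside one with the bounds check of the same shape as the 1.0.1g fix. The heartbeat request, the adjacent heap contents and the memory layout (the record followed by one contiguous heap region) are constructed for illustration and simplify what a real allocator does; the function and constant names are this example's own. byte_ratio returns bytes sent back per byte received, the raw figure an amplification argument starts from, before asking whether such a response can be reflected at all.

```python
import struct

# RFC 6520 HeartbeatMessageType values and the minimum padding length.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16

# Constructed stand-in for the heap memory that happens to sit next to the
# buffer holding the incoming heartbeat record. Not real captured data.
ADJACENT_HEAP = (
    b"GET /login HTTP/1.1\r\nCookie: session=7c1e9a\r\n"
    b"user=alice&password=hunter2"
    + b"\x00" * 64
)


def build_heartbeat(claimed_len, payload):
    """Encode a HeartbeatRequest: type(1) | payload_length(2) | payload | padding.

    claimed_len is written into payload_length as-is, so it may disagree with
    len(payload); that disagreement is the whole Heartbleed trick.
    """
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING


def _response(claimed_len, payload):
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len) + payload + b"\x00" * MIN_PADDING


def vulnerable_handle(record, heap=ADJACENT_HEAP):
    """Model of the pre-1.0.1g behaviour: trust payload_length blindly.

    The record is modelled as sitting at the start of a larger allocation, so
    reading claimed_len bytes from the payload offset runs off the end of the
    record and into whatever follows it. The model heap is small, so the read
    simply stops at its end; a real server would hand back up to 64 KB.
    """
    _hbtype, claimed_len = struct.unpack("!BH", record[:3])
    memory = record + heap
    payload = memory[3:3 + claimed_len]
    return _response(claimed_len, payload)


def fixed_handle(record, heap=ADJACENT_HEAP):
    """Model of the 1.0.1g fix: check payload_length against the record length.

    If 1 (type) + 2 (length) + payload_length + 16 (padding) exceeds the bytes
    actually received, the message is discarded without a response, which is
    what RFC 6520 requires for a malformed heartbeat.
    """
    _hbtype, claimed_len = struct.unpack("!BH", record[:3])
    if 1 + 2 + claimed_len + MIN_PADDING > len(record):
        return None
    payload = record[3:3 + claimed_len]
    return _response(claimed_len, payload)


def response_payload(response):
    """Return the payload bytes echoed back in a HeartbeatResponse."""
    _hbtype, plen = struct.unpack("!BH", response[:3])
    return response[3:3 + plen]


def byte_ratio(record, handler):
    """Bytes returned per byte received for one heartbeat exchange.

    This is the raw number an amplification argument starts from; 0.0 means
    the server sent nothing back.
    """
    response = handler(record)
    return 0.0 if response is None else len(response) / len(record)


if __name__ == "__main__":
    honest = build_heartbeat(5, b"hello")
    print("honest echo:", response_payload(fixed_handle(honest)))

    # Claims 100 bytes of payload while carrying none.
    malicious = build_heartbeat(100, b"")
    print("leaked by vulnerable handler:", response_payload(vulnerable_handle(malicious)))
    print("vulnerable bytes out per byte in: %.1f" % byte_ratio(malicious, vulnerable_handle))
    print("fixed handler response:", fixed_handle(malicious))
```

Running it shows the honest request echoed identically by both handlers, the 100-byte "payload" from the vulnerable handler spilling the constructed credentials that followed the record in memory, and the fixed handler returning nothing at all for the same request.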

It would not be unreasonable to assume that spoofing the size of a HeartbeatRequest message would produce an amplified response that one could use in a DDoS attack. One person, for example, tweeted: "Want more terrible #heartbleed news? Probably can be used as a massive DDoS amplification vector. Yay!"

Unfortunately, the poster did not expound on the threat beyond a follow-up tweet suggesting that an amplification condition may exist with a factor of 3,000, leaving many to wonder about the possibilities while contemplating the devastation if such an attack were even remotely feasible.

Are we in danger?

Many have responded that this is not possible because TLS is used exclusively with the Transmission Control Protocol (TCP), which is stateful: a session must be established between the client and server before the server will send data such as HeartbeatResponse messages.
