D(HE)ater is an attacking tool heating the CPU by enforcing DHE KEX in case of TLS and SSH

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for coroner from gravatar.com coroner

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: Apache Software License (Apache-2.0)

Author: BalaSys IT Security

Maintainer: Szilárd Pfeiffer

Tags dhe, denial-of-service, tls, ssh

Classifiers

Project description

D(HE)ater

D(HE)ater is an attacking tool based on CPU heating in that it forces the ephemeral variant of Diffie-Hellman key exchange (DHE) in given cryptography protocols (e.g. TLS, SSH). It is performed without calculating a cryptographically correct ephemeral key on the client side, but with a significant amount of calculation on the server side. Based on this, a denial-of-service (DoS) attack attack can be initiated, called D(HE)at attack (CVE-2002-20001).

Quick start

D(HE)ater can be installed directly via pip from PyPi

pip install dheater
dheat --protocol tls ecc256.badssl.com
dheat --protocol ssh ecc256.badssl.com

or can be used via Docker from Docker Hub

docker pull balasys/dheater
docker run --tty --rm balasys/dheater --protocol tls ecc256.badssl.com
docker run --tty --rm balasys/dheater --protocol ssh ecc256.badssl.com

You can increase load by string extra threads.

dheat --thread-num 4 --protocol tls ecc256.badssl.com
docker run --tty --rm balasys/dheater --thread-num 4 --protocol tls ecc256.badssl.com
docker run --tty --rm balasys/dheater --thread-num 4 --protocol ssh ecc256.badssl.com

Mitigation

Configuration

Diffie-Hellman (DHE) key exchange should be disabled if no other mitigation mechanism can be used and either elliptic-curve variant of Diffie-Hellman (ECDHE) or RSA key exchange is supported by the clients. The fact that RSA key exchange is not forward secret should be considered.

TLS

Apache
SSLCipherSuite ...:!kDHE
NGINX
ssl_ciphers ...:!kDHE;
Postfix

  1. Diffie-Hellman key exchange algorithms can be removed by setting the tls_medium_cipherlist configuration option.

    tls_medium_cipherlist ...:!kDHE

  2. Maximal number of new TLS sessions that a remote SMTP client is allowed to negotiate can be controlled by configuration option smtpd_client_new_tls_session_rate_limit configuration option.

    smtpd_client_new_tls_session_rate_limit 100

Others

See moz://a SSL Configuration Generator for configuration syntax.

SSH

OpenSSH

  1. Diffie-Hellman key exchange algorithms can be removed by setting the KexAlgorithms configuration option.

    KexAlgorithms -diffie-hellman-group1-sha1,diffie-hellman-group1-sha256,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group15-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha256,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha512

  2. Maximum number of concurrent unauthenticated connections can be controlled by configuration option MaxStartups configuration option.

    MaxStartups 10:30:100

Fail2Ban

TLS

Apache

There are no relevant filters.

  1. apache-ssl.conf in fail2ban directory should be copied to the filter.d directory under the fail2ban configuration directory

  2. the followings should be added to the jail.local file in the fail2ban configuration directory

    [apache-ssl]

port    = https
logpath = %(apache_error_log)s
maxretry = 1
Postfix

There is a relevant filter, but it is applied only in ddos mode. The followings should be added to jail.local.

[postfix]
mode = ddos
Dovecot

There is a relevant filter, but it is applied only in ddos mode. The followings should be added to jail.local.

[dovecot]
mode = aggressive

or a specific filter can be used without changing the mode of dovecot.

  1. dovecot-ssl.conf in fail2ban directory should be copied to the filter.d directory under the fail2ban configuration directory

  2. the followings should be added to jail.local in tge fail2ban configuration directory

    [dovecot-ssl]

port    = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
maxretry = 1

SSH

OpenSSH

There is a relevant filter, but it is applied only in ddos mode. The followings should be added to jail.local.

[sshd]
mode = ddos

License

The code is available under the terms of Apache License Version 2.0. A non-comprehensive, but straightforward description and also the full license text can be found at Choose an open source license website.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for coroner from gravatar.com coroner

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: Apache Software License (Apache-2.0)

Author: BalaSys IT Security

Maintainer: Szilárd Pfeiffer

Tags dhe, denial-of-service, tls, ssh

Classifiers

Release history Release notifications | RSS feed

0.4.3

0.4.2

0.4.1

0.4.0

0.3.2

0.3.1

0.3.0

This version

0.2.5

0.2.4

0.2.3

0.2.2

0.2.1

0.2.0

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

DHEater-0.2.5.tar.gz (15.0 kB view hashes)

Uploaded Source

Built Distribution

DHEater-0.2.5-py3-none-any.whl (12.5 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page