Users connect to our webserver via https, and stay on a secured connection throughout their use of our service. A typical user session will establish a small handful of connections to the server (one or two).

There are a very small number of exceptions we are trying to track down. Particular users will intermittently have handfuls of hundreds of connections established. When we happen to catch the problem in the act, we can see the exchange of the SSL handshake, and from the perspective of the server, all appears to be in order. Yet we never observe a payload - the client instead connects on a new port and initiates a new handshake.

We do not have access to the client, and cannot observe the behavior from that side of the connection. Nor do we have a local scenario that can reproduce the problem.

It is our belief (though not confirmed) that the user agent is connecting to our server directly, and not through a proxy.

Does anybody recognize these symptoms? Can anyone suggest steps to further identify the problem?

A: 

Are there any patterns you can see to this traffic, aside from making many repeated requests?

For example, do the requests come from the same IP ranges? Possibly search engines or other spiders, or maybe from countries that you normally don't get users from, possibly indicating some sort of weird botnet or at least something you could block?

Do these rogue requests always negotiate to use a particular cipher suite, potentially indicating the client software?
Does it make any difference if you change the available cipher suites available for negotiation?

What server software are you using, and are there any firewalls within your network that could potentially be dropping some responses to the user?

Christopher

At the moment, there's one specific IP address where this problem occurs ("the client"), although we have seen similar patterns from other isolated instances. We haven't found any method to the madness - thus far, the only observed difference is that the rogue requests appear. The thoughts on cipher suites are good ones - they aren't any different for this client than other clients which are consistently normal. I don't believe that changing the available cipher suites is an option in our production environment.

VoiceOfUnreason
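The answer above suggests looking for patterns in the rogue connections (source IPs, negotiated cipher suites, bursts of reconnects). As an added example, not code from the question or the answer, the Python below runs that check over a constructed per-connection log; it assumes the server can log, per connection, the negotiated cipher suite and the number of application-data bytes received after the handshake, and the log format and IP/port values are invented for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of per-connection records, one per line, in the shape a
# server-side TLS connection log might take (not from the original post):
# timestamp, client IP, client source port, negotiated cipher suite, and the
# number of application-data bytes received after the handshake completed.
SAMPLE_LOG = """\
2013-05-01T10:00:01 203.0.113.7 51234 ECDHE-RSA-AES128-SHA 8421
2013-05-01T10:00:03 203.0.113.7 51235 ECDHE-RSA-AES128-SHA 2210
2013-05-01T10:00:05 198.51.100.9 40001 AES256-SHA 0
2013-05-01T10:00:05 198.51.100.9 40002 AES256-SHA 0
2013-05-01T10:00:06 198.51.100.9 40003 AES256-SHA 0
2013-05-01T10:00:06 198.51.100.9 40004 AES256-SHA 0
2013-05-01T10:00:09 192.0.2.44 33010 ECDHE-RSA-AES128-SHA 1500
"""

def parse_log(text):
    """Parse records into dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, ip, port, cipher, app_bytes = parts
        records.append({"ts": datetime.fromisoformat(ts), "ip": ip, "port": int(port),
                        "cipher": cipher, "app_bytes": int(app_bytes)})
    return records

def find_handshake_only_clients(records, min_conns=3):
    """Flag client IPs with at least min_conns connections that all completed the
    handshake but carried no application data (the symptom in the question), and
    summarise the cipher suites, source ports and burst duration for each."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, conns in by_ip.items():
        if len(conns) < min_conns or any(c["app_bytes"] > 0 for c in conns):
            continue
        times = [c["ts"] for c in conns]
        flagged[ip] = {
            "conns": len(conns),
            "ciphers": sorted({c["cipher"] for c in conns}),
            "ports": sorted(c["port"] for c in conns),
            "span_s": (max(times) - min(times)).total_seconds(),
        }
    return flagged
```

Comparing the flagged clients' cipher list against what normal clients negotiate is the check the answer proposes; a cipher that only the rogue client ever picks would point at its software.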