Skip to content

Commit

Permalink
chore(README)!: Move mitigation information to project's webpage
Browse files Browse the repository at this point in the history
  • Loading branch information
@c0r0n3r
c0r0n3r committed Dec 27, 2023
1 parent 1090ee5 commit cf5f7ad
Showing 1 changed file with 3 additions and 322 deletions.
325 changes: 3 additions & 322 deletions README.md
View file
Original file line number Diff line number Diff line change
@@ -1,327 +1,8 @@
# D(HE)ater

D(HE)ater is an attacking tool based on CPU heating in that it forces the ephemeral variant of
[Diffie-Hellman key exchange](https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange) (DHE) in given
cryptography protocols (e.g. TLS, OpenVPN, SSH). It is performed without calculating a cryptographically correct
ephemeral key on the client-side, but with a significant amount of calculation on the server-side. Based on this,
a [denial-of-service (DoS) attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) can be initiated,
called [D(HE)at attack](https://dheatattack.com)
([CVE-2002-20001](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-20001)).

## Quick start

D(HE)ater can be installed directly via [pip](https://pip.pypa.io/en/stable/) from
[PyPi](https://pypi.org/project/dheater/)

```shell
pip install dheater
dheat --protocol tls ecc256.badssl.com
dheat --protocol ssh ecc256.badssl.com
```

or can be used via [Docker](https://www.docker.com/) from
[Docker Hub](https://hub.docker.com/repository/docker/coroner/dheater)

```shell
docker pull coroner/dheater
docker run --tty --rm coroner/dheater --protocol tls ecc256.badssl.com
docker run --tty --rm coroner/dheater --protocol tls openvpn://vpn.example.com
docker run --tty --rm coroner/dheater --protocol tls openvpntcp://vpn.example.com:443
docker run --tty --rm coroner/dheater --protocol ssh ecc256.badssl.com
```

You can increase load by string extra threads.

```shell
dheat --thread-num 4 --protocol tls ecc256.badssl.com
docker run --tty --rm coroner/dheater --thread-num 4 --protocol tls ecc256.badssl.com
docker run --tty --rm coroner/dheater --thread-num 4 --protocol tls openvpn://vpn.example.com
docker run --tty --rm coroner/dheater --thread-num 4 --protocol tls openvpntcp://vpn.example.com:443
docker run --tty --rm coroner/dheater --thread-num 4 --protocol ssh ecc256.badssl.com
```

## Check

Without attacking a server or accessing its configuration it is still possible
to determine whether Diffie-Hellman (DH) key exchange is enabled and if so what
DH parameters (prime, generator, key size) are used. Command line tools such as
[CryptoLyzer](https://gitlab.com/coroner/cryptolyzer) (TLS, OpenVPN, SSH KEX/GEX),
[testssl.sh](https://testssl.sh) (TLS only), or
[ssh-audit](https://github.com/jtesta/ssh-audit) (SSH KEX only) can do that work.

### TLS

```shell
cryptolyze tls1_2 dhparams example.com
cryptolyze tls1_3 dhparams example.com

testssl.sh --fs example.com
```

### OpenVPN

```shell
cryptolyze tls1_2 dhparams openvpn://vpn.example.com
cryptolyze tls1_3 dhparams openvpn://vpn.example.com

cryptolyze tls1_2 dhparams openvpntcp://vpn.example.com:443
cryptolyze tls1_3 dhparams openvpntcp://vpn.example.com:443
```

### SSH

```shell
cryptolyze ssh2 dhparams example.com

ssh-audit example.com
```

## Mitigation

### Configuration

Diffie-Hellman (DHE) key exchange should be disabled if no other mitigation mechanism can be used and either
elliptic-curve variant of Diffie-Hellman (ECDHE) or RSA key exchange is supported by the clients. The fact that RSA key
exchange is not forward secret should be considered.

#### TLS

Elliptic-curve (named group) setting is necessary only if the underlying cryptographic library supports negotiation
Diffie-Hellman groups by implementing [RFC7919](https://www.rfc-editor.org/info/rfc7919) in TLS 1.2 or supporting the
[Finite Field Diffie-Hellman parameter groups](https://www.rfc-editor.org/rfc/rfc8446#section-7.4.1) named groups in
TLS 1.3.

| Library | Version | FFDHE goups<br>in TLS 1.2 | FFDHE groups<br>in TLS 1.3 |
| ------- |:-------:|:---:|:---:|
| OpenSSL | < 3.0 | no | no |
| OpenSSL | ≥ 3.0 | no | yes |
| GnuTLS | ≥ 3.5.6 | yes | no |
| GnuTLS | ≥ 3.6.3 | yes | yes |

##### Apache

```apache
SSLCipherSuite ...:!kDHE
SSLOpenSSLConfCmd Groups x25519:secp256r1:x448
```

##### NGINX

```nginx
ssl_ciphers ...:!kDHE;
ssl_ecdh_curve x25519:secp256r1:x448;
```

##### Postfix


1. Diffie-Hellman key exchange algorithms can be removed by setting the [tls_medium_cipherlist](http://www.postfix.org/postconf.5.html#tls_medium_cipherlist) configuration option.

```
tls_medium_cipherlist ...:!kDHE
```
1. Maximal number of new TLS sessions that a remote SMTP client is allowed to negotiate can be controlled by configuration option [smtpd_client_new_tls_session_rate_limit](http://www.postfix.org/postconf.5.html#smtpd_client_new_tls_session_rate_limit) configuration option.
```
smtpd_client_new_tls_session_rate_limit 100
```
##### Others
See [moz://a SSL Configuration Generator](https://ssl-config.mozilla.org/) for configuration syntax.
##### DH parameter files
If DH key exchange need to be supported recommended private key length value
should be set to ensure the best performance of DH key exchange this option
value should be set appropriately to achieve the best performance without a
security risk.
You can check whether you DH parameter file contains the recommended private
key value by the following command:
```shell
dh_param_priv_key_size_setter /path/to/dh/parameter/file.pem
```

The result looks like the following. If the original private key size is
`None` it some cryptographic libraries use the public size for private key
size unless the application server overrides this behaviour. This will cause
much lower performance than small private keys would be used.

```
Original private key size: None
Set private key size: None
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----
```

To set the recommended private key size in a DH parameter file use the
following commmand:

```
dh_param_priv_key_size_setter --private-key-size KEY_SIZE /path/to/dh/parameter/file.pem
```

For appropriately private key sizes see Table 2 of
[NIST SP 800-57 Part 1](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf).
Alternatively you can download the well-know DH parameters where the recommended
private key size is set according to OpenSSL default values from
[data](https://gitlab.com/dheatattack/dheater/-/tree/master/data) directory.

### SSH

##### OpenSSH

1. Diffie-Hellman key exchange algorithms can be removed by setting the [KexAlgorithms](https://man.openbsd.org/sshd_config#KexAlgorithms) configuration option.

```
KexAlgorithms -diffie-hellman-group1-sha1,diffie-hellman-group1-sha256,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group15-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha256,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha512
```
1. Maximum number of concurrent unauthenticated connections can be controlled by some configuration options
* [MaxStartups](https://man.openbsd.org/sshd_config#MaxStartups) (globally)
```
MaxStartups 10:30:100
```
* [PerSourceMaxStartups](https://man.openbsd.org/sshd_config#PerSourceMaxStartups) (per source IP subnetworks)
```
PerSourceMaxStartups 1
```
* [PerSourceNetBlockSize](https://man.openbsd.org/sshd_config#PerSourceNetBlockSize) (size of the subnetworks grouped together)
```
PerSourceNetBlockSize 32:128
```
### VPN
#### OpenVPN
1. Diffie-Hellman key exchange algorithms can be removed in TLS versions prior to 1.2 by setting the
[tls-cipher](https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html) configuration option.
* using OpenSSL
```
tls-cipher ...:!kDHE
```
* using mbed TLS any cipher suites contain DHE should be removed
1. Finite field Diffie-Hellman groups can be removed in TLS version 1.3 by setting the
[tls-groups](https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html) configuration option.
```
tls-groups x25519:secp256r1:x448
```
1. Control channel can be authentticated and/or encrypted by setting the tls-auth, tls-crypt, tls-crypt-v2
[configuration options](https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html).
```
tls-auth file
tls-crypt file
tls-crypt-v2 file
```
#### IPsec
##### StrongSwan
1. Diffie-Hellman key exchange algorithms can be removed by setting the [ike](https://linux.die.net/man/5/ipsec.conf)
configuration option explicitly and not using key exchange algorithms which name start with `modp`.
1. Maximum number of unauthenticated connections can be controlled by some configuration options
* [cookie\_threshold](https://docs.strongswan.org/strongswan-docs/5.9/config/strongswanConf.html) (activate
[cookie](https://datatracker.ietf.org/doc/html/rfc5996#section-2.6) mechanism)
```
cookie_threshold 10
```
* [block\_threshold](https://docs.strongswan.org/strongswan-docs/5.9/config/strongswanConf.html) (activate block mechanism)
```
block_threshold 5
```
### Fail2Ban
#### TLS
##### Apache
There are no relevant filters.
1. `apache-ssl.conf` in `fail2ban` directory should be copied to the `filter.d` directory under the fail2ban configuration
directory
1. the followings should be added to the `jail.local` file in the fail2ban configuration directory
```ini
[apache-ssl]
port = https
logpath = %(apache_error_log)s
maxretry = 1
```
##### Postfix
There is a relevant filter, but it is applied only in ddos mode. The followings should be added to `jail.local`.
```ini
[postfix]
mode = ddos
```

##### Dovecot

There is a relevant filter, but it is applied only in ddos mode. The followings should be added to `jail.local`.

```ini
[dovecot]
mode = aggressive
```

or a specific filter can be used without changing the mode of dovecot.

1. `dovecot-ssl.conf` in `fail2ban` directory should be copied to the `filter.d` directory under the fail2ban configuration
directory
1. the followings should be added to `jail.local` in tge fail2ban configuration directory

```ini
[dovecot-ssl]

port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
maxretry = 1
```

#### SSH

##### OpenSSH

There is a relevant filter, but it is applied only in ddos mode. The followings should be added to `jail.local`.

```ini
[sshd]
mode = ddos
```
D(HE)ater is the proof-of-concept implementation of the [D(HE)at attack](http://dheatattack.gitlab.io)
([CVE-2002-20001](https://nvd.nist.gov/vuln/detail/CVE-2002-20001)). For further information vist
[PoC code section of the project page](https://dheatattack.gitlab.io/dheater).

## License

Expand Down

0 comments on commit cf5f7ad

Please sign in to comment.