SSL/TLS Exhaustion Attack

An SSL/TLS Exhaustion Attack is a form of Distributed Denial-of-Service (DDoS) attack that targets the computational cost of establishing Secure Sockets Layer (SSL) or Transport Layer Security (TLS) connections. Rather than exploiting software vulnerabilities, this attack abuses the resource-intensive nature of the SSL/TLS handshake process to exhaust server-side resources, rendering services unresponsive.

How It Works

When a client initiates a secure connection to a server using HTTPS (which relies on SSL/TLS), the handshake process includes several steps:

  • Key exchange

  • Authentication

  • Cipher agreement

  • Session setup


This process is computationally expensive, particularly when using public-key cryptography (e.g., RSA or ECC). Each new connection requires the server to perform CPU-intensive operations.

In an SSL Exhaustion Attack, the attacker floods the target server with a large number of SSL handshake requests—often with incomplete, slow, or malformed connections. The server attempts to process each handshake, which consumes CPU, memory, and thread pool resources. Legitimate user connections are then delayed or dropped due to resource depletion.


Attackers may use tools or botnets to scale the attack, making it harder to distinguish legitimate clients from malicious ones.

Types of SSL Exhaustion Techniques

  1. Full SSL Handshake Flood:

    • Each bot completes full handshakes with high frequency, exhausting CPU and thread pools.

  2. Partial or Slow Handshakes:

    • Attackers initiate handshakes but delay or never complete them, tying up server resources longer.

  3. SSL Renegotiation Abuse:

    • Repeatedly requesting renegotiation within an existing connection, forcing new key computations.

  4. Certificate Flooding:

    • Repeated handshake attempts requesting complex or uncommon cipher suites to maximize server workload.

Impact

  • Service Unavailability: Target server may become unable to handle legitimate requests.

  • Resource Starvation: High CPU usage, thread pool exhaustion, and memory consumption.

  • Security Device Degradation: Devices like SSL offloaders, WAFs, or load balancers can also be overwhelmed.

  • Reputation Damage: Affected services can suffer from downtime and loss of user trust.

Detection and Mitigation

  • Rate Limiting: Restrict the number of new SSL/TLS handshakes per IP over time.

  • Connection Timeouts: Set aggressive timeouts for incomplete or slow handshakes.

  • SSL Offloading: Use dedicated hardware (e.g., Application Delivery Controllers) to offload SSL processing.

  • Behavioral Analysis: Monitor for anomalous handshake patterns or cipher suite requests.

  • CAPTCHA & Bot Detection: Enforce human validation at the application layer before SSL initiation.

  • Adoption of TLS 1.3: Transitioning to TLS 1.3, which has a more efficient handshake process, can mitigate some attack vectors. 

Common Targets

  • HTTPS web servers

  • Load balancers and reverse proxies

  • SSL offloading appliances

  • API gateways and authentication servers


by Sergei Penchuk, CISSP

Popular posts from this blog

Startups Need to Cyber Up as Early as Pre-Seed!

Startups Need to Cyber Up as Early as Pre-Seed! 10 Cyber Takeaways for Early-Stage Startups to Win New Customers You start with a great idea, a talented team, and a sharp market fit. You decide to launch a startup venture to fulfill this passion. Fun! If you just got started—congrats! You’re in the Pre-Seed stage. As early as this stage may be, here are our top cybersecurity decisions you should be making to set yourself apart from the crowd and grow your appeal to venture capitalists and customers alike! Create a Security and Privacy Policy Creating a security and privacy policy for your company and adding it to your website will position you as a mature organization that takes security risks seriously. This shouldn’t be a pricey task—consider seeking direction from AI tools. Scan Your Code With SAST and SCA Tools It’s a small effort that allows you to spot security issues early in development. You can use a free tier from vendors like Snyk or CodeQL from GitHub. Mind Your Tech Co...
Read more

When 35 Seconds of DDoS Can Cost You Millions

  In April 2025, Adyen, a leading global payment platform, experienced a series of sophisticated Distributed Denial-of-Service (DDoS) attacks that disrupted services across Europe. The attacks, occurring in three waves throughout the evening of April 21st, targeted Adyen's European data centers, leading to significant transaction failures and delays for customers. ​ These incidents underscore a growing trend in cyber threats: brief, high-intensity DDoS attacks designed to overwhelm systems before traditional mitigation strategies can respond effectively. ​ The Evolving Nature of DDoS Attacks Historically, DDoS attacks were prolonged events, giving security teams time to react and implement countermeasures. However, recent data indicates a shift towards shorter, more intense attacks. Cloudflare's Q1 2025 DDoS Threat Report revealed that the company mitigated 20.5 million DDoS attacks in just the first quarter, nearly matching the total number for all of 2024.   These h...
Read more

DDoS Attacks on Enterprises Surge

 Large-Scale Assaults Demand High Sophistication and Vast Botnets “The weakest point in the enemy’s position must be sought out and attacked with the greatest determination.” Carl von Clausewitz DDoS attacks exploit two main concepts: Focus – Find a vulnerability on the victim’s side and direct all of your attack power toward it. Amplification – Use resources from other hosts on the internet to boost your attack. There are mainly four types of DDoS attacks: Volume, Infrastructure (protocol), Application, and Advanced . Volume attacks are fairly simple—many machines worldwide send large amounts of data to the target, saturating its bandwidth. It’s one of the most mature and well-known attack types, and many vendors are adept at mitigating it. High traffic volume is typically achieved by amplifying requests through vulnerable servers on the internet that rely on the stateless UDP protocol. These servers accept a small request from the attacker but respond with large data packets...
Read more