Recently it was a news on SecurityFocus.com about massive DDoS attack by flooding CIA, PayPal and hundreds of other organizations website by requesting for connection over SSL as follow:
CIA, PayPal under bizarre SSL assault
Dan Goodin, The Register 2010-02-01
The Central Intelligence Agency, PayPal, and hundreds of other organizations are under an unexplained assault that’s bombarding their websites with millions of compute-intensive requests.
The “massive” flood of requests is made over the websites’ SSL, or secure-sockets layer, port, causing them to consume more resources than normal connections, according to researchers at Shadowserver Foundation, a volSSL assault & my opinionunteer security collective. The torrent started about a week ago and appears to be caused by recent changes made to a botnet known as Pushdo.
“What do I mean by massive? I mean you are likely seeing an unexpected increase in traffic by several million hits spread out across several hundred thousand IP addresses,” Shadowserver’ Steven Adair wrote. “This might be a big deal if you’re used to only getting a few hundred or thousands of hits a day or you don’t have unlimited bandwidth.”
Shadowserver has identified 315 websites that are the recipients of the SSL assault. In addition to cia.gov and paypal.com, other sites include yahoo.com, americanexpress.com, and sans.org.
It’s not clear why Pushdo has unleashed the torrent. Infected PCs appear to initiate the SSL connections, along with a bit of junk, disconnect and then repeat the cycle. They don’t request any resources from the website or do anything else.
“We find it hard to believe this much activity would be used to make the bots blend in with normal traffic, but at the same time it doesn’t quite look like a DDoS either,” Adair wrote.
Security mavens aren’t sure what targeted sites can do to thwart the attacks. Changing IP addresses may provide a temporary reprieve. Adair asks those with better mitigation techniques to contact him. The Shadowserver advisory is here.
I do believe, there is another solution to address this kind of attack. As you are aware, the connection requests have been generated by bots, not the user’s browsers. Therefore, by detecting the type of browser we will be able to detect the bot requests. This kind of detection and mitigation is much easier to perform instead of changing IP addresses. This kind of feature should be added to the firewalls.