Requesting a secure connection from a server is a simple task for a client. However, the server providing that secure connection needs to use a large amount of processing power. An SSL flood or renegotiation attack takes advantage of this asymmetric workload by requesting a secure connection, and then renegotiating that relationship. These are two simple processes for the client that require a lot of computing power on the server end.
An F5 customer was the original target of this type of attack. The F5 field services team was able to repel the large and coordinated attack using the BIG-IP system and the F5 iRules scripting language.
Now available via the F5 DevCentral online community, this iRule states that if a device tries to renegotiate more than five times in any 60-second period, the connection is silently dropped.
The biggest benefit of this approach is that the attacker believes the attack is still working, when in fact the server has silently ignored the renegotiation request and moved on to processing valid user requests instead.
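To make the rule concrete, here is an added example that models the limiter's logic in Python: it is my own illustration, not the DevCentral iRule itself (which is written in Tcl), and the renegotiation timelines are constructed. It applies the same threshold described above, more than five renegotiations in any 60-second window, and keeps a dropped connection dropped without sending any alert or reset, which is what makes the drop silent to the attacker.

```python
from collections import deque

# Sliding-window renegotiation limiter modelling the rule described above:
# more than MAX_RENEGS renegotiations within any WINDOW_SECONDS => silent drop.
MAX_RENEGS = 5
WINDOW_SECONDS = 60.0


class RenegotiationLimiter:
    """Tracks SSL renegotiations for one client connection (illustrative model)."""

    def __init__(self, max_renegs=MAX_RENEGS, window=WINDOW_SECONDS):
        self.max_renegs = max_renegs
        self.window = window
        self.times = deque()   # timestamps of renegotiations inside the window
        self.dropped = False   # once set, the connection is ignored for good

    def on_renegotiation(self, now):
        """Record a renegotiation at time `now` (seconds since accept).

        Returns "allow" while the client stays within the limit and "drop"
        once it exceeds it. A dropped connection is never re-admitted: the
        server just stops processing it, with no TLS alert or TCP reset, so
        the attacker receives no signal that the attack has failed.
        """
        if self.dropped:
            return "drop"
        # Forget renegotiations that have aged out of the sliding window.
        while self.times and now - self.times[0] > self.window:
            self.times.popleft()
        self.times.append(now)
        if len(self.times) > self.max_renegs:
            self.dropped = True
            return "drop"
        return "allow"


def simulate(events, **kw):
    """Run a timeline of renegotiation timestamps through a fresh limiter."""
    limiter = RenegotiationLimiter(**kw)
    return [limiter.on_renegotiation(t) for t in events]


# Constructed sample timelines (seconds since the connection was accepted).
LEGIT = [0, 10, 20, 30, 40, 70]                # five in 60 s, sixth after the first aged out
FLOOD = [0, 0.2, 0.4, 0.6, 0.8, 1.0, 1.2, 90]   # six renegotiations within ~1 s

if __name__ == "__main__":
    print("legitimate:", simulate(LEGIT))
    print("flood:     ", simulate(FLOOD))
```

The legitimate timeline shows the boundary case: exactly five renegotiations within a window are allowed, and a sixth is fine once the oldest has fallen outside the 60-second period.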