D(HE)ater is a security tool that can perform a DoS attack by enforcing the DHE key exchange.

Overview

D(HE)ater

D(HE)ater is an attacking tool based on CPU heating: it forces the ephemeral variant of the Diffie-Hellman key exchange (DHE) in a given cryptographic protocol (e.g. TLS, SSH). The client does this without calculating a cryptographically correct ephemeral key on its own side, while the server has to perform a significant amount of calculation. Based on this, D(HE)ater can initiate a denial-of-service (DoS) attack.

Quick start

D(HE)ater can be installed directly via pip from PyPI

pip install dheater
dheat --protocol tls ecc256.badssl.com
dheat --protocol ssh ecc256.badssl.com

or can be used via Docker from Docker Hub

docker pull balasys/dheater
docker run --tty --rm balasys/dheater --protocol tls ecc256.badssl.com
docker run --tty --rm balasys/dheater --protocol ssh ecc256.badssl.com

You can increase load by starting extra threads.

dheat --thread-num 4 --protocol tls ecc256.badssl.com
docker run --tty --rm balasys/dheater --thread-num 4 --protocol tls ecc256.badssl.com
docker run --tty --rm balasys/dheater --thread-num 4 --protocol ssh ecc256.badssl.com

Mitigation

Configuration

Diffie-Hellman (DHE) key exchange should be disabled.

TLS

Apache
SSLCipherSuite ...:!kDHE
NGINX
ssl_ciphers ...:!kDHE;
Others

See moz://a SSL Configuration Generator for configuration syntax.
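
One way to confirm that a cipher string no longer enables DHE suites is to let the local OpenSSL expand it, which is what Apache and NGINX do when built against OpenSSL. This is an added example, not D(HE)ater's or the servers' own code; the baseline string `HIGH:!aNULL:!eNULL` is a constructed sample, and the suites listed depend on the OpenSSL build Python is linked against.

```python
"""List the DHE cipher suites an OpenSSL cipher string still enables."""
import ssl


def expand(cipher_string):
    """Return the suites OpenSSL enables for cipher_string (ssl.get_ciphers() dicts)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    return ctx.get_ciphers()


def dhe_suites(cipher_string):
    """Names of enabled suites in the 'kx-dhe' key-exchange class that !kDHE targets.

    TLS 1.3 suites are reported with kea 'kx-any' and are not controlled by the
    cipher string, so they never appear in this list.
    """
    return [c["name"] for c in expand(cipher_string) if c.get("kea") == "kx-dhe"]


def audit(cipher_string):
    """Compare a cipher string before and after appending the ':!kDHE' exclusion."""
    hardened = cipher_string + ":!kDHE"
    return {
        "hardened": hardened,
        "before": dhe_suites(cipher_string),
        "after": dhe_suites(hardened),
    }


if __name__ == "__main__":
    # Constructed sample value, not a recommended configuration.
    BASELINE = "HIGH:!aNULL:!eNULL"
    report = audit(BASELINE)
    print("OpenSSL build:", ssl.OPENSSL_VERSION)
    print("DHE suites enabled by %r:" % BASELINE)
    for name in report["before"]:
        print("  ", name)
    print("DHE suites enabled by %r: %s" % (report["hardened"], report["after"] or "none"))
```
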

SSH

OpenSSH
KexAlgorithms -diffie-hellman-group1-sha1,diffie-hellman-group1-sha256,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group15-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha256,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha512
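
To check the result of the directive above, the following added example (not part of D(HE)ater or OpenSSH) applies a `KexAlgorithms` directive to a default list and reports any finite-field Diffie-Hellman methods left, and does the same for the `kexalgorithms` line of `sshd -T` output. The default list and the `sshd -T` excerpt are constructed samples, and the handling of the `+` and `^` prefixes is simplified (no wildcard expansion).

```python
"""Audit OpenSSH key-exchange settings for finite-field Diffie-Hellman methods."""
from fnmatch import fnmatchcase

# Directive quoted from the OpenSSH mitigation on this page.
PAGE_DIRECTIVE = (
    "-diffie-hellman-group1-sha1,diffie-hellman-group1-sha256,"
    "diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,"
    "diffie-hellman-group15-sha256,diffie-hellman-group15-sha512,"
    "diffie-hellman-group16-sha256,diffie-hellman-group16-sha512,"
    "diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,"
    "diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group-exchange-sha512"
)

# Constructed default list for the demonstration; real defaults vary by OpenSSH version.
CONSTRUCTED_DEFAULTS = [
    "curve25519-sha256", "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256",
]

# Constructed excerpt of `sshd -T` output (effective configuration, lowercase keywords).
CONSTRUCTED_SSHD_T = """\
port 22
kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
ciphers aes256-ctr
"""


def effective_kex(defaults, directive):
    """Apply a KexAlgorithms value: '-' removes, '+' appends, '^' prepends, else replaces."""
    op = directive[0] if directive[:1] in ("+", "-", "^") else ""
    patterns = [p for p in directive[len(op):].split(",") if p]
    if op == "-":  # removal accepts wildcard patterns
        return [a for a in defaults if not any(fnmatchcase(a, p) for p in patterns)]
    if op == "+":
        return defaults + [p for p in patterns if p not in defaults]
    if op == "^":
        return patterns + [a for a in defaults if a not in patterns]
    return patterns


def finite_field_dh(algorithms):
    """Key-exchange methods that use finite-field Diffie-Hellman."""
    return [a for a in algorithms if a.startswith("diffie-hellman-")]


def kex_from_sshd_t(text):
    """Extract the key-exchange list from `sshd -T` output; empty list if absent."""
    for line in text.splitlines():
        keyword, _, value = line.strip().partition(" ")
        if keyword.lower() == "kexalgorithms":
            return [a for a in value.strip().split(",") if a]
    return []


def audit_sshd_t(text):
    """Finite-field DH methods still enabled in an effective sshd configuration."""
    return finite_field_dh(kex_from_sshd_t(text))


if __name__ == "__main__":
    remaining = effective_kex(CONSTRUCTED_DEFAULTS, PAGE_DIRECTIVE)
    print("after directive:", remaining)
    print("DH left after directive:", finite_field_dh(remaining) or "none")
    print("DH left in sshd -T sample:", audit_sshd_t(CONSTRUCTED_SSHD_T))
```
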

Fail2Ban

TLS

Apache

There are no relevant filters.

  1. apache-ssl.conf in the fail2ban directory should be copied to the filter.d directory under the fail2ban configuration directory
  2. the following should be added to the jail.local file in the fail2ban configuration directory
[apache-ssl]

port    = https
logpath = %(apache_error_log)s
maxretry = 1
Postfix

There is a relevant filter, but it is applied only in ddos mode. The following should be added to jail.local.

[postfix]
mode = ddos
Dovecot

There is a relevant filter, but it is applied only in ddos mode. The following should be added to jail.local.

[dovecot]
mode = aggressive

or a specific filter can be used without changing the mode of dovecot.

  1. dovecot-ssl.conf in the fail2ban directory should be copied to the filter.d directory under the fail2ban configuration directory
  2. the following should be added to jail.local in the fail2ban configuration directory
[dovecot-ssl]

port    = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
maxretry = 1

SSH

OpenSSH

There is a relevant filter, but it is applied only in ddos mode. The following should be added to jail.local.

[sshd]
mode = ddos

License

The code is available under the terms of Apache License Version 2.0. A non-comprehensive, but straightforward description and also the full license text can be found at Choose an open source license website.

Comments
  • not able to use

    Hello,

    I'm very new to this cybersecurity field. Please, anyone, help me out with this problem. Note: I have replaced the website name with ConfidentialWebsite.com

    When I use tls protocol I'm getting this error :-

    dheat --protocol tls ConfidentialWebsite.com
    Traceback (most recent call last):
      File "/usr/local/bin/dheat", line 8, in
        sys.exit(main())
      File "/usr/local/lib/python3.9/dist-packages/dheater/main.py", line 512, in main
        enforcer = DHEnforcerThreadTLS(args.uri, args.timeout, pre_check_result)
      File "", line 14, in init
      File "/usr/local/lib/python3.9/dist-packages/dheater/main.py", line 125, in attrs_post_init
        self._pre_check()
      File "/usr/local/lib/python3.9/dist-packages/dheater/main.py", line 390, in _pre_check
        if is_tls_1_3:
    NameError: name 'is_tls_1_3' is not defined

    When I use ssh protocol I'm getting this error :-

    dheat --protocol ssh ConfidentialWebsite.com
    Network error oocuerd while checking whether Diffie-Hellman ephemeral (DHE) key exchange is supported by the server; uri="ConfidentialWebsite.com", error="connection to target cannot be established"

    bug 
    opened by souravkr529 5
  • It does not run from docker image

    I have run the mentioned command: docker run --tty --rm balasys/dheater --protocol ssh ecc256.badssl.com and it resulted in the following error:

    #docker run --tty --rm balasys/dheater --thread-num 4 --protocol ssh ecc256.badssl.com
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/common/transfer.py", line 139, in _init_connection
        self._socket = socket.create_connection((self.ip, self.port), self.timeout)
      File "/usr/local/lib/python3.9/socket.py", line 844, in create_connection
        raise err
      File "/usr/local/lib/python3.9/socket.py", line 832, in create_connection
        sock.connect(sa)
    socket.timeout: timed out
     
    The above exception was the direct cause of the following exception:
     
    Traceback (most recent call last):
      File "/usr/local/bin/dheat", line 8, in <module>
        sys.exit(main())
      File "/usr/local/lib/python3.9/site-packages/dheater/__main__.py", line 258, in main
        enforcer = DHEnforcerThreadSSH(args.uri, args.timeout, pre_check_result)
      File "<attrs generated init dheater.__main__.DHEnforcerThreadBase>", line 15, in __init__
      File "/usr/local/lib/python3.9/site-packages/dheater/__main__.py", line 89, in __attrs_post_init__
        self._pre_check()
      File "/usr/local/lib/python3.9/site-packages/dheater/__main__.py", line 117, in _pre_check
        self.pre_check_result = analyzer.analyze(self._get_client())
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/ssh/dhparams.py", line 111, in analyze
        analyzer_result = AnalyzerCiphers().analyze(analyzable)
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/ssh/ciphers.py", line 80, in analyze
        server_messages = analyzable.do_handshake(last_message_type=SshMessageCode.KEXINIT)
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/ssh/client.py", line 111, in do_handshake
        self.init_connection()
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/common/transfer.py", line 251, in init_connection
        self._init_connection()
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/ssh/client.py", line 102, in _init_connection
        self.l4_transfer.init_connection()
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/common/transfer.py", line 73, in init_connection
        self._init_connection()
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/common/transfer.py", line 142, in _init_connection
        six.raise_from(NetworkError(NetworkErrorType.NO_CONNECTION), e)
      File "<string>", line 3, in raise_from
    cryptolyzer.common.exception.NetworkError: connection to target cannot be established
    
    opened by V0072 5
  • Errors trying to connect to target

    @c0r0n3r I can provide wireshark if needed in order to understand why the script fails despite having communication.

    Output:

    C:\Users\t>dheat --protocol tls gw.t.local
    Network error oocuerd while checking whether Diffie-Hellman ephemeral (DHE) key exchange is supported by the server; uri="gw.t.local", error="connection to target cannot be established"

    C:\Users\t>dheat --protocol tls gw.t.local
    Network error oocuerd while checking whether Diffie-Hellman ephemeral (DHE) key exchange is supported by the server; uri="gw.t.local", error="no response received from target"

    question 
    opened by KyferEz 4
  • Does not work

    Either way I run it, installed via pip or used via Docker, I get the following error:

    ┌──(kali㉿kali)-[~]
    └─$ docker run --tty --rm balasys/dheater --protocol tls domainwhichiownandreachable.com                                                    1 ⨯
    Traceback (most recent call last):
      File "/usr/local/bin/dheat", line 8, in <module>
        sys.exit(main())
      File "/usr/local/lib/python3.9/site-packages/dheater/__main__.py", line 331, in main
        enforcer = DHEnforcerThreadTLS(args.uri, args.timeout, pre_check_result)
      File "<attrs generated init dheater.__main__.DHEnforcerThreadBase>", line 15, in __init__
      File "/usr/local/lib/python3.9/site-packages/dheater/__main__.py", line 100, in __attrs_post_init__
        self._pre_check()
      File "/usr/local/lib/python3.9/site-packages/dheater/__main__.py", line 264, in _pre_check
        server_messages = self._get_client().do_tls_handshake(
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/tls/client.py", line 429, in do_tls_handshake
        return self._do_handshake(
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/tls/client.py", line 409, in _do_handshake
        l7_client.do_handshake(self, hello_message, record_version, last_handshake_message_type)
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/tls/client.py", line 1181, in do_handshake
        self._process_non_handshake_message(record.content_type, message)
      File "/usr/local/lib/python3.9/site-packages/cryptolyzer/tls/client.py", line 1135, in _process_non_handshake_message
        raise TlsAlert(message.description)
    cryptolyzer.tls.exception.TlsAlert: TlsAlert(description=<TlsAlertDescription.HANDSHAKE_FAILURE: 40>)
    
    question 
    opened by rtcms 4
  • gnuTLS support?

    It seems like it does not work against gnuTLS implementations, but the general problem described in the CVE sounds like it should. Any chance to get it modified for gnuTLS as well...

    bug 
    opened by Lockhead 3
  • Anti-DDoS Mechanism in openssh-8.5p1

    Once, I also submitted a ddos question to the openssh community: https://bugzilla.mindrot.org/show_bug.cgi?id=3211

    They added the configuration items PerSourceMaxStartups and PerSourceNetBlockSize to openssh-8.5p1. I think that the two parameters can be properly configured to prevent "dheat" from attacking OpenSSH.

    documentation 
    opened by kircherlike 1
  • DHEater crashes on hardened SSH server

    I just tested this against one of my machines. After bringing my cpu load up to ~70% I tried if I could mitigate this in my sshd by enabling the "modern" hardened configuration as recommended by Mozilla: https://infosec.mozilla.org/guidelines/openssh

    Effectively I disabled non-ed25519 hostkeys and enabled the following settings:

    KexAlgorithms [email protected],ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
    
    Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
    
    MACs [email protected],[email protected],umac-128-e[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]
    

    Once I reloaded my sshd dheater crashes with the following error:

    Traceback (most recent call last):
      File "/opt/homebrew/Cellar/[email protected]/3.9.7/Frameworks/Python.framework/Versions/3.9/lib/python3.9/runpy.py", line 197, in _run_module_as_main
        return _run_code(code, main_globals, None,
      File "/opt/homebrew/Cellar/[email protected]/3.9.7/Frameworks/Python.framework/Versions/3.9/lib/python3.9/runpy.py", line 87, in _run_code
        exec(code, run_globals)
      File "/Users/rsc/dev/dheater/dheater/__main__.py", line 346, in <module>
        main()
      File "/Users/rsc/dev/dheater/dheater/__main__.py", line 259, in main
        enforcer = DHEnforcerThreadSSH(args.uri, args.timeout, pre_check_result)
      File "<attrs generated init __main__.DHEnforcerThreadBase>", line 15, in __init__
      File "/Users/rsc/dev/dheater/dheater/__main__.py", line 93, in __attrs_post_init__
        self.message_bytes = self._prepare_packets()
      File "/Users/rsc/dev/dheater/dheater/__main__.py", line 153, in _prepare_packets
        key_exchange_algorithm_with_greatest_key_size = self._get_algorithm_with_greatest_key_size()
      File "/Users/rsc/dev/dheater/dheater/__main__.py", line 131, in _get_algorithm_with_greatest_key_size
        if self.pre_check_result.key_exchange.kex_algorithms:
    AttributeError: 'NoneType' object has no attribute 'kex_algorithms'
    

    command used: python -m dheater --protocol ssh myhost

    I haven't bothered looking into this further, but if this disables the required DHE (looks like there's already a check for TLS) this should also be listed as possible mitigation and a message should be shown instead of the exception.

    opened by Nothing4You 1
  • Minimum versions defined for dependencies do not work

    On latest master 09f8cc9597fa0df2c652a760fc4fa4d98d5b6549 I'm getting the following exception:

    pdm run python -m dheater --protocol ssh myhost

    Traceback (most recent call last):
      File "/home/username/.asdf/installs/python/3.10.1/lib/python3.10/runpy.py", line 196, in _run_module_as_main
        return _run_code(code, main_globals, None,
      File "/home/username/.asdf/installs/python/3.10.1/lib/python3.10/runpy.py", line 86, in _run_code
        exec(code, run_globals)
      File ".../dheater/dheater/__main__.py", line 22, in <module>
        from cryptoparser.tls.ciphersuite import TlsCipherSuite
      File ".../dheater/__pypackages__/3.10/lib/cryptoparser/tls/ciphersuite.py", line 12, in <module>
        from cryptoparser.tls.version import (
      File ".../dheater/__pypackages__/3.10/lib/cryptoparser/tls/version.py", line 24, in <module>
        @attr.s(order=False, eq=False, hash=True)
    TypeError: attrs() got an unexpected keyword argument 'order'
    

    this is on Python 3.10.1 on macOS ARM with the following package versions:

    asn1crypto==1.4.0
    attrs==19.1.0
    certifi==2021.10.8
    certvalidator==0.11.1
    charset-normalizer==2.0.11
    cryptolyzer==0.7.2
    cryptoparser==0.7.1
    idna==3.3
    oscrypto==1.2.1
    python-dateutil==2.8.2
    requests==2.27.1
    six==1.16.0
    urllib3==1.26.8
    
    bug 
    opened by Nothing4You 0
  • software_version must be cryptoparser.ssh.version.SshSoftwareVersionBase

    On latest master 09f8cc9597fa0df2c652a760fc4fa4d98d5b6549 I'm getting the following exception:

    pdm run python -m dheater --protocol ssh myhost

    Traceback (most recent call last):
      File "/home/username/.asdf/installs/python/3.10.1/lib/python3.10/runpy.py", line 196, in _run_module_as_main
        return _run_code(code, main_globals, None,
      File "/home/username/.asdf/installs/python/3.10.1/lib/python3.10/runpy.py", line 86, in _run_code
        exec(code, run_globals)
      File ".../dheater/dheater/__main__.py", line 565, in <module>
        main()
      File ".../dheater/dheater/__main__.py", line 507, in main
        enforcer = DHEnforcerThreadSSH(args.uri, args.timeout, pre_check_result)
      File "<attrs generated init __main__.DHEnforcerThreadBase>", line 14, in __init__
      File ".../dheater/dheater/__main__.py", line 130, in __attrs_post_init__
        self.message_bytes = self._prepare_packets()
      File ".../dheater/dheater/__main__.py", line 232, in _prepare_packets
        protocol_message = SshProtocolMessage(
      File "<attrs generated init cryptoparser.ssh.subprotocol.SshProtocolMessage>", line 7, in __init__
      File ".../dheater/__pypackages__/3.10/lib/attr/validators.py", line 103, in __call__
        raise TypeError(
    TypeError: ("'software_version' must be <class 'cryptoparser.ssh.version.SshSoftwareVersionBase'> (got 'DHEater_0.3.1' that is a <class 'str'>).", Attribute(name='software_version', default=NOTHING, validator=<instance_of validator for type <class 'cryptoparser.ssh.version.SshSoftwareVersionBase'>>, repr=True, eq=True, eq_key=None, order=True, order_key=None, hash=None, init=True, metadata=mappingproxy({}), type=None, converter=None, kw_only=False, inherited=False, on_setattr=None), <class 'cryptoparser.ssh.version.SshSoftwareVersionBase'>, 'DHEater_0.3.1')
    

    this is on Python 3.10.1 on macOS ARM with the following package versions:

    asn1crypto==1.4.0
    attrs==21.4.0
    certifi==2021.10.8
    certvalidator==0.11.1
    charset-normalizer==2.0.11
    cryptolyzer==0.8.0
    cryptoparser==0.8.0
    idna==3.3
    oscrypto==1.2.1
    python-dateutil==2.8.2
    requests==2.27.1
    six==1.16.0
    urllib3==1.26.8
    
    bug 
    opened by Nothing4You 0
  • Using IPv6

    Hi,

    I am trying to use dheater with an IPv6 address but I always get an error like below:

    python3 -m dheater --protocol tls "[3011::4]:5060"
    Network error oocuerd while checking whether Diffie-Hellman ephemeral (DHE) key exchange is supported by the server; uri="[3011::4]:5060", error="address of the target cannot be resolved"
    

    How should I use or is it some kind of bug?

    opened by VidarHUN 0
Releases(v0.3.2)
Owner
Balasys