Apache Security - Ivan Ristic [60]
Certain technological advances work to our advantage. The HTTP 1.1 Keep-Alive feature allows a client to keep a connection with the server open and reuse it across several requests. If this feature is enabled on the server, it will help reduce the impact of SSL since only one signing operation is required per connection.
But the most important performance enhancement feature is the one built into SSLv3: session caching. When an SSLv3 connection is intially established, a session is created and given a unique session ID. The client can disconnect from the server, but when it comes to the server the next time, the client can use the session ID to reestablish the session without having to perform the expensive cryptographic operation.
The ability to resume sessions has enormous impact on the performance of a web server. Using the openssl tool, you can check that your web server performs as expected:
$ openssl s_client -connect www.thawte.com:443 -state -reconnect
It will connect to the server five times, reusing the session ID created the first time. A line in the output such as this one will confirm the session ID was reused:
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
More information about the performance impact of SSL and various approaches to increasing processing speeds can be found in the following resources:
"Transport Layer Security: How Much Does It Really Cost?" by George Apostolopoulos et al. at http://www.ieee-infocom.org/1999/papers/05d_04.pdf
"Performance Impact of Using SSL on Dynamic Web Applications" by Vicenç Beltran et al. at http://people.ac.upc.es/jguitart/HomepageFiles/Jornadas04.pdf
"High Availability for SSL and Apache" by Mark J. Cox and Geoff Thorpe at http://www.awe.com/mark/ora2000/
Hardware Acceleration
Cryptographic accelerators are devices designed to perform cryptographic operations quickly with the purpose of allowing the processor to do something more useful. In the past, these devices were the only feasible approach to support wide-scale SSL deployment. Increased processing power of modern processors and their low cost have made cryptographic accelerators lose some of their appeal.
An interesting thing about cryptographic accelerators is that they generate server private keys and store them; since all operations are done in hardware, they never leave the device. Nor can they leave the device, resulting in enhanced private-key security.
Chapter 5. Denial of Service Attacks
A denial of service (DoS) attack is an attempt to prevent legitimate users from using a service. This is usually done by consuming all of a resource used to provide the service. The resource targeted is typically one of the following:
CPU
Operating memory (RAM)
Bandwidth
Disk space
Sometimes, a less obvious resource is targeted. Many applications have fixed length internal structures and if an attacker can find a way to populate all of them quickly, the application can become unresponsive. A good example is the maximum number of Apache processes that can exist at any one time. Once the maximum is reached, new clients will be queued and not served.
DoS attacks are not unique to the digital world. They existed many years before anything digital was created. For example, someone sticking a piece of chewing gum into the coin slot of a vending machine prevents thirsty people from using the machine to fetch a refreshing drink.
In the digital world, DoS attacks can be acts of vandalism, too. They are performed for fun, pleasure, or even financial gain. In general, DoS attacks are a tough problem to solve because the Internet was designed on a principle that everyone plays by the rules.
You can become a victim of a DoS attack for various reasons:
Bad luck
In the worst case, you may be at the wrong place at the wrong time. Someone may think your web site is a good choice for an attack, or it may simply be the first web site that comes