HollowByte DDoS flaw bloats OpenSSL server memory with 11-byte payload
A security vulnerability dubbed HollowByte has been discovered in OpenSSL, enabling a DDoS attack that amplifies traffic by exploiting server memory. Attackers can send a minimal 11-byte payload that triggers disproportionate memory allocation on the target server, effectively bloating its memory usage. This amplification factor allows a small attack to overwhelm server resources, leading to a denial-of-service condition. The flaw specifically targets OpenSSL implementations, and the attack leverages the protocol's handling of certain handshake messages. While the exact OpenSSL versions affected are not specified in the source, the vulnerability poses a significant threat to servers relying on this widely-used cryptographic library. The discovery highlights ongoing challenges in securing network infrastructure against amplification attacks.
Developers using OpenSSL should be aware of a new DDoS amplification vector that can exhaust server memory with minimal attacker effort.