In this section we will talk about SSL floods and how to mitigate them. An SSL flood works like this: an attacker establishes a TLS session (that is, an SSL session), terminates it right after the establishment, and repeats the process all over again. This process exhausts the server, because establishing such TLS connections is quite costly for the server. Against those attacks, in most cases, firewalls cannot help, because the three-way handshake is already established. In other words, the establishment of the TLS session happens after the three-way handshake, on the application layer of the TCP/IP model.
Therefore, in most cases, firewalls cannot help with such attacks. How can we detect this? You can filter on TCP port 443, which is the port for HTTPS, and then count the number of sessions. If you want more information about a session, right-click one of the findings and follow the TCP stream. And of course, how do we mitigate that? By tracking the number of SSL sessions and setting permanent thresholds. You can do it per source, or per combination of source and destination, depending on your infrastructure. The most important thing is to track the number of SSL sessions and set appropriate thresholds.
When the number exceeds them, you just need to block the source from establishing new connections. Another important thing for mitigation is, if possible, terminating SSL at your load balancer or, if you are using a CDN, at its load balancer, rather than at your servers. It will help you a lot during a DDoS attack: it gives you more flexibility while mitigating the attack, as it prevents your server from being affected. So instead of terminating SSL at your server, if you have a load balancer deployed, try to use your load balancer for that purpose.
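The session counting and thresholding described above can be sketched as follows. This is an added example, not part of the original material: the function name, the record layout (timestamp, source, destination, destination port for each new TLS session seen on the wire), the sample addresses, the threshold of 20 and the 60-second window are all constructed assumptions.

```python
from collections import defaultdict, deque

def find_flood_sources(handshakes, threshold, window=60.0, per_pair=False):
    """Return {key: peak_count} for every key that opened more than
    `threshold` new TLS sessions to port 443 within `window` seconds.
    key is the source, or (source, destination) when per_pair is True."""
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    flagged = {}
    for ts, src, dst, dport in sorted(handshakes):
        if dport != 443:          # only HTTPS sessions are counted
            continue
        key = (src, dst) if per_pair else src
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop sessions older than the window
            q.popleft()
        if len(q) > threshold:     # candidate for blocking new connections
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged

# Constructed sample: (seconds, source, destination, destination port)
SAMPLE = (
    # one source opening 40 sessions in under 10 seconds
    [(i * 0.25, "203.0.113.7", "192.0.2.10", 443) for i in range(40)]
    # an ordinary client: 3 sessions
    + [(i * 15.0, "198.51.100.20", "192.0.2.10", 443) for i in range(3)]
    # a shared (NAT) source: 15 sessions to each of two servers
    + [(i * 2.0, "198.51.100.99", "192.0.2.10", 443) for i in range(15)]
    + [(i * 2.0 + 1, "198.51.100.99", "192.0.2.11", 443) for i in range(15)]
    # traffic to port 80 is outside the filter and ignored
    + [(i * 0.1, "203.0.113.7", "192.0.2.10", 80) for i in range(100)]
)

if __name__ == "__main__":
    print("per source:", find_flood_sources(SAMPLE, threshold=20))
    print("per source+destination:",
          find_flood_sources(SAMPLE, threshold=20, per_pair=True))
```

With the same threshold, the shared source is flagged when counting per source but not per source and destination, which is why the choice of key depends on the infrastructure.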