Attacker repeatedly triggers TLS handshakes to force renegotiation, exhaust server resources, or downgrade cipher strength
The Heartbleed Vulnerability CVE-2014-0160
Hunting
- Statistics → Conversations → TCP
- Statistics → Protocol Hierarchy
- Statistics → Flow Graph
- Statistics → I/O Graph
Red Flags
- Multiple Client Hello messages from same client in short timeframe
- Client Hello appearing after handshake completion
- Repeated full TLS handshakes on same TCP session
- High volume of handshake messages (Content Type 22)
- Sudden downgrade in TLS version or cipher suite
- Excessive CPU usage on server (correlate outside PCAP)
Filters
# Show only TLS handshake records (Content Type 22)
tls.record.content_type == 22
# Detect Client Hello messages (Type 1)
tls.handshake.type == 1
# Detect Server Hello messages (Type 2)
tls.handshake.type == 2
# Isolate handshake activity from specific client
tls.handshake.type == 1 and ip.src == 192.168.10.56
# Detect repeated Client Hellos from same client (a display filter cannot count by itself:
# apply it, then read the packet count in the status bar or plot it in Statistics → I/O Graph)
tls.handshake.type == 1 and ip.src == 192.168.10.56
# Detect potential TLS downgrade attempts (older than TLS 1.2). Note that TLS 1.3 clients still
# put 0x0303 in this legacy version field and signal 1.3 via the supported_versions extension,
# so a match here means TLS 1.1 or older was actually offered.
tls.handshake.version < 0x0303
# Combine: Handshake traffic from suspect client only
tls.record.content_type == 22 and ip.src == 192.168.10.56
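The display filters above isolate the handshake records, but the red flags listed earlier (a burst of Client Hellos from one client, a Client Hello after the handshake already completed, a client offering a version older than TLS 1.2) still need counting and per-stream state. The following is an added example, not part of the original cheat sheet: a minimal TLS record parser plus those three checks, run over constructed sample records. It assumes the raw TLS record bytes have already been pulled out per TCP stream (for instance from a PCAP); the `hunt` function, the `make_hello` builder, the 10-second window, the threshold of five Client Hellos and the sample IPs on streams 10 to 20 are all assumptions for the example, and ChangeCipherSpec (content type 20) is used as the visible "handshake completed" marker because the Finished message is encrypted.

```python
"""Added example (not from the original cheat sheet): parse raw TLS records and
apply the handshake-flood red flags to constructed sample data."""
from collections import defaultdict
import struct

CONTENT_CHANGE_CIPHER_SPEC = 20   # tls.record.content_type == 20
CONTENT_HANDSHAKE = 22            # tls.record.content_type == 22
HS_CLIENT_HELLO = 1               # tls.handshake.type == 1
HS_SERVER_HELLO = 2               # tls.handshake.type == 2
TLS_1_2 = 0x0303                  # tls.handshake.version threshold


def parse_record(data: bytes) -> dict:
    """Parse one TLS record header and, for Client/Server Hello, the version field."""
    if len(data) < 5:
        raise ValueError("short TLS record header")
    content_type, record_version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated TLS record body")
    rec = {"content_type": content_type, "record_version": record_version}
    if content_type == CONTENT_HANDSHAKE and len(body) >= 4:
        rec["handshake_type"] = body[0]
        if body[0] in (HS_CLIENT_HELLO, HS_SERVER_HELLO) and len(body) >= 6:
            # legacy_version: TLS 1.3 peers still write 0x0303 here and signal
            # 1.3 via supported_versions, so < 0x0303 means TLS 1.1 or older.
            rec["handshake_version"] = struct.unpack("!H", body[4:6])[0]
    return rec


def make_hello(hs_type: int, version: int) -> bytes:
    """Build a minimal, constructed Client or Server Hello record for the sample."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"  # version, random, empty session id
    if hs_type == HS_CLIENT_HELLO:
        body += b"\x00\x02\xc0\x2f" + b"\x01\x00"   # one cipher suite, null compression
    else:
        body += b"\xc0\x2f" + b"\x00"               # chosen suite, null compression
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", CONTENT_HANDSHAKE, TLS_1_2, len(hs)) + hs


# Constructed ChangeCipherSpec record, used here as the "handshake completed" marker.
CCS = struct.pack("!BHH", CONTENT_CHANGE_CIPHER_SPEC, TLS_1_2, 1) + b"\x01"


def hunt(packets, window: float = 10.0, max_hellos: int = 5) -> dict:
    """Apply the red flags to (timestamp, src_ip, tcp_stream, raw_record) tuples.

    Returns the sources sending more than max_hellos Client Hellos within
    `window` seconds, the streams with a Client Hello after ChangeCipherSpec,
    and the sources whose Client Hello offers a version below TLS 1.2."""
    hello_times = defaultdict(list)
    completed_streams = set()
    findings = {"bursts": set(), "post_handshake_hello": set(), "downgrade": set()}
    for ts, src, stream, raw in packets:
        rec = parse_record(raw)
        if rec["content_type"] == CONTENT_CHANGE_CIPHER_SPEC:
            completed_streams.add(stream)
            continue
        if rec.get("handshake_type") != HS_CLIENT_HELLO:
            continue
        # Red flag: many Client Hellos from one client in a short timeframe.
        hello_times[src].append(ts)
        if len([t for t in hello_times[src] if ts - t <= window]) > max_hellos:
            findings["bursts"].add(src)
        # Red flag: Client Hello after the handshake on this stream completed.
        if stream in completed_streams:
            findings["post_handshake_hello"].add(stream)
        # Red flag: version offered is older than TLS 1.2.
        if rec.get("handshake_version", TLS_1_2) < TLS_1_2:
            findings["downgrade"].add(src)
    return findings


# Constructed sample: one normal handshake, one flooding client that also
# renegotiates on a finished stream, and one client offering TLS 1.0.
SAMPLE = [
    (0.0, "192.168.10.20", 1, make_hello(HS_CLIENT_HELLO, TLS_1_2)),
    (0.1, "10.0.0.5", 1, make_hello(HS_SERVER_HELLO, TLS_1_2)),
    (0.2, "192.168.10.20", 1, CCS),
]
SAMPLE += [(1.0 + i * 0.3, "192.168.10.56", 10 + i, make_hello(HS_CLIENT_HELLO, TLS_1_2))
           for i in range(6)]
SAMPLE += [
    (3.0, "192.168.10.56", 10, CCS),
    (3.5, "192.168.10.56", 10, make_hello(HS_CLIENT_HELLO, TLS_1_2)),
    (4.0, "192.168.10.77", 20, make_hello(HS_CLIENT_HELLO, 0x0301)),
]

if __name__ == "__main__":
    for flag, hits in hunt(SAMPLE).items():
        print(f"{flag}: {sorted(hits, key=str)}")
```

The window and threshold are deliberately conservative for a demo; in real traffic, calibrate them against the baseline you see in Statistics → I/O Graph for the same server, since a busy load balancer legitimately opens many sessions per second from one address.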