Detect Heartbleed Exploits with ExtraHop’s Free Download

April 11, 2014 | By Tyson Supasatit

If you are responsible for secure web-based services, it is likely that you are scrambling to identify servers using OpenSSL versions 1.0.1 through 1.0.1f, trying to patch those servers, and reissuing certificates.

ExtraHop can detect the heartbeats that are used in the Heartbleed exploit, revealing potential attacks against your SSL servers. This capability is available in the ExtraHop Discovery Edition, a free-forever virtual appliance.

Follow these steps to install the Discovery Edition and detect Heartbleed exploits:

  1. Fill out the form at
  2. Receive your product key and download the .ova file
  3. Install the virtual appliance on a machine with a bare-metal hypervisor or in AWS
  4. Direct traffic to the appliance using our software tap or a port mirror
  5. Install the Heartbleed solution module (a one-minute process)

Note: If you already have a full version of ExtraHop deployed, you do not need to download anything extra to do the analysis described below, although we have bundles in the forum that provide custom pages and geomaps specifically for Heartbleed activity.

The free ExtraHop Discovery Edition shows potential Heartbleed exploits.


How ExtraHop Detects Potential Heartbleed Attacks

ExtraHop performs detailed SSL transaction analysis: certificates used, session details, cipher suites, connections over time, record sizes, and other metrics for every SSL transaction. We also break down SSL records by content type, including application data, change cipher, handshakes, and alerts. There was one other content type that we did not list out by name in the user interface because it was an extension and not part of TLS core … You guessed it, the last content type we record is heartbeat, which is the message used in the Heartbleed exploit. In the ExtraHop user interface, heartbeat messages currently appear as “Other.”


ExtraHop breaks out SSL transactions by content type. View the TLS content type registry, including the now-infamous heartbeat.

The heartbeat content type was previously obscure and rarely used, which means that any SSL traffic using heartbeats is worth investigating. Investigating heartbeats is a simple drill-down in ExtraHop. First, you navigate to the SSL Server activity group.


From the SSL Server activity group, we can see records by content type. Clicking on “Other” will show server devices that have received heartbeat records.


From there, you can drill down into each SSL server to see which clients are sending heartbeat messages. If you don’t recognize a device and it is sending many heartbeats, then that is a potential active exploit. (Note: Device-level L4-L7 views are not available in the Discovery Edition, which is a great reason to upgrade to the full version at this point!)
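The same breakdown can be reproduced outside the product. The following is an added example, not ExtraHop code: it walks the TLS record headers in reassembled client-to-server bytes, tallies records by content type, and lists which clients sent heartbeat records (content type 24) to which server. The flow tuples, IP addresses, and the `rec` helper are constructed for illustration.

```python
import struct
from collections import Counter, defaultdict

# TLS record content types from the IANA registry; 24 is heartbeat (RFC 6520).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data", 24: "heartbeat"}
HEARTBEAT = 24
MAX_RECORD_LEN = 2**14 + 2048  # largest TLSCiphertext fragment allowed

def iter_records(stream: bytes):
    """Yield (content_type, length) for each TLS record header in one
    direction of a reassembled TCP stream. Bodies are skipped, never decrypted."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, off)
        # Stop at anything that is not a plausible SSL 3.0 / TLS 1.x record.
        if ctype not in CONTENT_TYPES or version >> 8 != 3 or length > MAX_RECORD_LEN:
            return
        yield ctype, length
        off += 5 + length  # a truncated final body simply ends the loop

def tally(flows):
    """flows: iterable of (client_ip, server_ip, client_to_server_bytes).
    Returns records per content type and heartbeat counts per server and client."""
    by_type = Counter()
    heartbeat_senders = defaultdict(Counter)
    for client, server, data in flows:
        for ctype, _length in iter_records(data):
            by_type[CONTENT_TYPES[ctype]] += 1
            if ctype == HEARTBEAT:
                heartbeat_senders[server][client] += 1
    return by_type, heartbeat_senders

def rec(ctype: int, body_len: int) -> bytes:
    """Constructed sample record: TLS 1.1 header plus a zero-filled body."""
    return struct.pack("!BHH", ctype, 0x0302, body_len) + bytes(body_len)

# Constructed sample flows using documentation-range addresses.
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.10", rec(22, 64) + rec(20, 1) + rec(22, 40) + rec(23, 120)),
    ("203.0.113.5", "192.0.2.10", rec(22, 64) + rec(24, 32) * 3),
]

if __name__ == "__main__":
    by_type, senders = tally(SAMPLE_FLOWS)
    print(dict(by_type))
    for server, clients in senders.items():
        for client, n in clients.most_common():
            print(f"{server} received {n} heartbeat record(s) from {client}")
```

Because the record header is sent in the clear, this count works on encrypted sessions without any keys.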


But there is more that ExtraHop reveals about potential Heartbleed attacks. With the ExtraHop geomap capability (available in the Discovery Edition), you can see the geographic origin of requests for a particular protocol. The screenshot below comes from a retailer using ExtraHop to do just that. They quickly saw that heartbeat messages were originating from St. Petersburg, Kiev, Chengdu, Wuhan, and other places that are highly suspicious.

Don’t delay. Request your own ExtraHop Discovery Edition now and discover the power of wire data analytics!

ExtraHop geomaps reveal the geographic origin of requests. This geomap is from an IT organization that uses ExtraHop and shows six heartbeat messages originated in Kiev, Ukraine.


About the Author

Tyson helps to educate the IT Operations Management community about what is possible with real-time analysis of wire data. Prior to ExtraHop, Tyson worked as a technical marketing writer for Microsoft, Seagate, and the Association of Computing Machinery, where he wrote for and edited the TechNews e-mail newsletter from 2000 to 2005. You can find him on Twitter under @tsupasat.
