Denial of Service on SSL services

Yes, a CPU-based DoS on SSL servers is easy. Consider the two main types of cipher suites, as commonly used in SSL:

  • RSA key exchange: server sends its certificate with an RSA public key; client generates a random blob (the pre-master secret key) encrypted with the server's public key; the server decrypts it.

  • DHE key exchange: server sends its half of a Diffie-Hellman key exchange, signed with the server's private key. Client sends its own half of DH. Server completes DH key exchange by applying its DH private key (a modular exponentiation).

Either way, the server must perform a relatively heavy cryptographic operation: an RSA decryption, or a DH modular exponentiation (for DHE, the server can reuse its ephemeral DH parameters, as long as it does not reboot, but it cannot evade the final modular exponentiation computed over what the client sends). On the other hand, a client who tries to DoS the server does not need to do any work at all: it just needs to send a blob of approximately the right size. Decryption on the server will fail, but the CPU expense will be lost nonetheless.

(Already with honest clients and RSA key exchange, the CPU cost is higher in the server, because RSA encryption is much faster than RSA decryption. But an evil client, intent on DoSing, can totally avoid work.)

Such attacks have been observed in the wild and it does not take an academic paper to explain how they work.
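
The cost gap described above for RSA key exchange, counted in modular multiplications, as an added example that is not part of the original answer. It assumes a constructed 1024-bit test key, omits padding, and uses illustrative function names.

```python
import random

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin test; n is an odd candidate of several hundred bits."""
    if any(n % p == 0 for p in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31)):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_key(bits=1024, seed=1, e=65537):
    """Constructed test key (seeded, not for real use). Returns (n, e, d)."""
    rng, primes = random.Random(seed), []
    while len(primes) < 2:
        p = rng.getrandbits(bits // 2) | (3 << (bits // 2 - 2)) | 1
        if p % e != 1 and p not in primes and is_probable_prime(p, rng):
            primes.append(p)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def modmul_count(exponent):
    """Modular multiplications in plain square-and-multiply for this exponent."""
    return (exponent.bit_length() - 1) + (bin(exponent).count("1") - 1)

def cost_report(n, e, d, seed=2):
    rng = random.Random(seed)
    secret = rng.randrange(2, n)       # stands in for the padded pre-master secret
    garbage = rng.randrange(2, n)      # right-sized blob nobody encrypted
    pow(garbage, d, n)                 # server pays the full private operation anyway
    return {
        "client_modmuls": modmul_count(e),   # honest client: public exponent
        "server_modmuls": modmul_count(d),   # same for valid or garbage input
        "roundtrip_ok": pow(pow(secret, e, n), d, n) == secret,
    }
# Note: real servers use CRT for the private operation (about 4x faster);
# the gap narrows but the server still does far more work than the client.

if __name__ == "__main__":
    print(cost_report(*make_key()))
```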