Penetration Testing mailing list archives
Re: [PEN-TEST] Load Balancing Servers
From: Miller Scott Contr 30CS/FTI <Scott.Miller () VANDENBERG AF MIL>
Date: Wed, 27 Sep 2000 08:50:37 -0700
I'd have to disagree with you there. Just because the servers are in a load balancing configuration and they appear to have the same web content doesn't mean they're identical in their vulnerabilities. If reasonable configuration control measures are taken, they should be, but we all know how often that's not the case. Remember, our jobs would be a lot harder were it not for lazy or overworked sysadmins.

Take DNS zone transfers, for example. While the data is the same on each authoritative server, I've found that in some cases one server will be misconfigured to allow unauthorized zone transfers while the others will be properly secured. It pays to check every system you can access.

What about identifying the server you're connected to? From working with IIS webservers, I would think it should be possible to get some useful information from the HTTP headers returned. Has anyone tried this in practice?

Scott

-----Original Message-----
From: Jens Knoell [mailto:jens () ING TWINWAVE NET]
Sent: Wednesday, September 27, 2000 8:02 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: Load Balancing Servers

That's not entirely true... the problem is more that you cannot select which server you attack. Assuming that load balancing servers are all mirrors of each other, it shouldn't really matter what you test. Find a vulnerability/weakness on one server, and you can more or less assume you got the same problem on the mirrors too.

Jens
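The header-based identification Scott asks about, as an added example that is not code from the original post or from the list: it takes raw HTTP responses captured from repeated requests to one load-balanced hostname and groups them by the header fields that tend to differ between back ends even when the content is mirrored. The tells it uses are the Server and X-Powered-By banners, the per-server "change number" after the colon in an IIS ETag, the ASP session cookie name (ASPSESSIONID plus a suffix generated per server process) and clock skew in the Date header. All responses, cookie values and ETag values below are constructed sample data, not captures from any real host; the 30-second skew bucket is an assumed threshold.

```python
"""Group HTTP responses from a load-balanced host by back-end fingerprint.

Added example (not the original post's code). The sample responses are
constructed: one hostname, three different back ends, five requests.
"""
from collections import defaultdict
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumed threshold: clock differences below this are treated as noise.
SKEW_BUCKET_SECONDS = 30


def parse_response(raw):
    """Split a raw HTTP response into (status line, {lower-cased name: [values]})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = defaultdict(list)
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate junk lines instead of discarding the capture
        name, value = line.split(":", 1)
        headers[name.strip().lower()].append(value.strip())
    return lines[0], dict(headers)


def etag_change_number(etag):
    """Return the per-server part of an IIS-style ETag ("hash:changenumber").

    The part before the colon derives from the file, so mirrored content
    shares it; the change number differs per server. ETags without a colon
    (other servers) are returned whole, since a differing ETag for identical
    content still separates back ends.
    """
    value = etag.strip().strip('"')
    if value.startswith("W/"):
        value = value[2:].strip('"')
    return value.rsplit(":", 1)[-1] if ":" in value else value


def clock_skew_bucket(date_header, sent_at):
    """Seconds the server clock is ahead of ours, rounded to a coarse bucket."""
    skew = (parsedate_to_datetime(date_header) - sent_at).total_seconds()
    return int(round(skew / SKEW_BUCKET_SECONDS)) * SKEW_BUCKET_SECONDS


def fingerprint(headers, sent_at):
    """Tuple of per-back-end tells; equal tuples mean 'probably the same box'."""
    server = headers.get("server", [None])[0]
    powered_by = headers.get("x-powered-by", [None])[0]
    etag = headers.get("etag", [None])[0]
    change = etag_change_number(etag) if etag else None
    # Only the cookie *name* is used; ASP's name suffix is per server process.
    cookie_names = tuple(sorted(
        c.split("=", 1)[0].strip() for c in headers.get("set-cookie", [])
    ))
    date = headers.get("date", [None])[0]
    skew = clock_skew_bucket(date, sent_at) if date else None
    return (server, powered_by, change, cookie_names, skew)


def cluster_backends(samples):
    """Map fingerprint -> list of indices of the samples that produced it."""
    clusters = defaultdict(list)
    for i, (sent_at, raw) in enumerate(samples):
        _, headers = parse_response(raw)
        clusters[fingerprint(headers, sent_at)].append(i)
    return dict(clusters)


def count_backends(samples):
    """Number of distinct back ends seen behind the load balancer."""
    return len(cluster_backends(samples))


def _response(server, date, change, cookie=None):
    """Build a constructed IIS-style response; the body is identical on all."""
    lines = ["HTTP/1.1 200 OK", "Server: " + server, "Date: " + date,
             'ETag: "0a3b0c5d2e1c61:%s"' % change, "Content-Type: text/html"]
    if cookie:
        lines.append("Set-Cookie: " + cookie)
    return "\r\n".join(lines) + "\r\n\r\n<html>identical mirrored content</html>"


# Constructed capture: every request was sent at the same local time.
SENT_AT = datetime(2000, 9, 27, 15, 50, 0, tzinfo=timezone.utc)
SAMPLES = [
    (SENT_AT, _response("Microsoft-IIS/5.0", "Wed, 27 Sep 2000 15:50:01 GMT", "1f3",
                        "ASPSESSIONIDGGQGGQDC=AAAA; path=/")),      # back end A
    (SENT_AT, _response("Microsoft-IIS/5.0", "Wed, 27 Sep 2000 15:51:06 GMT", "a2f",
                        "ASPSESSIONIDQQGGQNLQ=BBBB; path=/")),      # back end B, clock ahead
    (SENT_AT, _response("Microsoft-IIS/4.0", "Wed, 27 Sep 2000 15:49:58 GMT", "7c1")),  # back end C
    (SENT_AT, _response("Microsoft-IIS/5.0", "Wed, 27 Sep 2000 15:50:02 GMT", "1f3",
                        "ASPSESSIONIDGGQGGQDC=CCCC; path=/")),      # A again
    (SENT_AT, _response("Microsoft-IIS/5.0", "Wed, 27 Sep 2000 15:51:07 GMT", "a2f",
                        "ASPSESSIONIDQQGGQNLQ=DDDD; path=/")),      # B again
]

if __name__ == "__main__":
    for fp, idx in cluster_backends(SAMPLES).items():
        print("%s <- responses %s" % (fp, idx))
```

In practice you would record the send time of each request and feed the raw responses in as above; if the balancer uses sticky sessions, drop the Set-Cookie values between requests (or vary the source address) so you are not pinned to the first back end you hit. Once a response is tied to a back end, the rest of the test (including Scott's zone-transfer check on each authoritative name server) can be run against that box specifically rather than against "the site".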