Penetration Testing mailing list archives
Re: [PEN-TEST] Load Balancing Servers
From: ollie-infosec () HUSHMAIL COM
Date: Wed, 27 Sep 2000 16:19:00 +0000
Hi,
That's not entirely true... the problem is more that you cannot select which server you attack.
This may be correct, but typically I have found in the past (with the exception of one client) that HTTP application-based attacks will hit the same server, due to the client using either source IP stickiness or cookie stickiness (Intel/Cisco) due to the way their application functions. Also, a lot of clients are kind to you by putting the name of the machine in their httpd.conf, i.e. web01 etc., so all you need to do is get the site to generate a 401, and Apache (granted, by default) will give you the name they have configured it with, so you can test if you are hitting the same servers.
Assuming that load balancing servers are all mirrors of each other, it shouldn't really matter what you test. Find a vulnerability/weakness on one server, and you can more or less assume you got the same problem on the mirrors too.
Yeah, but there is also the fly-by-night company that could have set the equipment up and considered that setting up the machines differently created security through obscurity (;o)). Also, on a more serious note, it depends if you're working with distributed load balancers that spread across different geographic regions and are administered by different teams. Assume nothing, in my opinion.
Rgds
Ollie
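The 401 check described in the message, written as an audit of your own server pool. This is an added example, not part of the original post. The response bodies are constructed samples, and the names web01, web02 and www.example.com are assumptions. It parses the Apache signature footer from error pages and reports, per session, which backends answered and whether an internal machine name is exposed.

```python
import re
from collections import Counter, defaultdict

# Apache's error-page footer: "<ADDRESS>Apache/x.y Server at NAME Port N</ADDRESS>"
SIGNATURE_RE = re.compile(
    r"<address>\s*[^<]*?\s+Server at\s+(?P<host>\S+)\s+Port\s+\d+\s*</address>",
    re.IGNORECASE,
)

def page(host):
    """Build a constructed 401 body; host=None models a suppressed footer."""
    footer = f"<ADDRESS>Apache/1.3.12 Server at {host} Port 80</ADDRESS>" if host else ""
    return f"<HTML><BODY><H1>Authorization Required</H1><HR>{footer}</BODY></HTML>"

# Constructed sample: (session label, 401 body). Session A carries a sticky
# cookie, session B is balanced per request, session C shows no footer.
SAMPLE_RESPONSES = [
    ("session-A", page("web01")), ("session-A", page("web01")),
    ("session-A", page("web01")),
    ("session-B", page("web01")), ("session-B", page("web02")),
    ("session-C", page(None)), ("session-C", page(None)),
]

def backend_name(body):
    """Return the configured server name from the error footer, or None."""
    match = SIGNATURE_RE.search(body)
    return match.group("host") if match else None

def audit(responses, public_name):
    """Per session: backends seen, stickiness, and internal-name exposure."""
    seen = defaultdict(Counter)
    for session, body in responses:
        seen[session][backend_name(body)] += 1
    report = {}
    for session, names in seen.items():
        hosts = sorted(n for n in names if n is not None)
        report[session] = {
            "backends": hosts,
            # None means the footer was absent, so stickiness is unknown
            "sticky": (len(hosts) == 1) if hosts else None,
            "leaks_internal_name": any(
                h.lower() != public_name.lower() for h in hosts),
        }
    return report

if __name__ == "__main__":
    for session, result in audit(SAMPLE_RESPONSES, "www.example.com").items():
        print(session, result)
```

A session reporting `leaks_internal_name` is one where the footer exposes the machine's configured name; setting `ServerSignature Off` in httpd.conf removes that footer.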