Penetration Testing mailing list archives
RE: Limited vs full blown testing
From: "Martin Murray-Brown" <Martin.Murray-Brown () derivco com>
Date: Mon, 28 Jun 2004 09:16:01 +0200
I noticed a couple of people talking about definitions... just so we're all on the same page, perhaps we should agree on the following:

1) A 'DoS' attack is a Denial Of Service attack (and not the operating system ;) ). In other words, it's any attack that results in a denial of service... as Alan said, stealing your keyboard and mouse would be quite an effective DoS attack, especially if you don't have a spare :)

2) 'DDoS' is 'Distributed Denial of Service'... an attack where multiple clients (often viral zombies) spam a particular node in some way, preventing that node from receiving valid requests. Assorted flavours include reflected (where the node is not spammed directly, but rather hit with response packets from spoofed IPs on the original packets... nasty).

Therefore, a DDoS is a DoS, but a DoS isn't necessarily a DDoS. Groovy *snaps fingers*.

In terms of threat... while possibly I missed the original point of this which restricted us to penetration tests, I still believe that any remotely complete test requires some form of DoS testing. In terms of damage to an online company's cash flow, DoS's can be devastating... I recommend that any proposed test that doesn't include denial of service testing ensures that the client is fully aware of the ramifications. You don't want big clients coming back and blaming you for not telling them about it when some Skiddie with a few hundred zombies is costing them a million a day...

(I know I'm harping on about it and repeating what others like Alan have said in different words... but DoS's are becoming more common, and are being used in blackmail (check recent reports in the online betting industry).)

-----Original Message-----
From: Alan Davies
I'm trying to understand the significance of DDOS testing and importance. Thing is, if you can spew packets fast enough, or make enough connections to consume the resources involved, you can take a site/service down for at least the duration of the attack; even pipes as large as those of Akamai (sp?) were proven to be susceptible in recent days. It's a given vector of attack that we live with, a risk level we hope to avoid. But, not something that gives away the insides of the network to thugs and thieves. No root shell and all that, which constitute a real threat, at least in my mind. Perhaps I'm missing something that has come up in recent years that redefines DDOS as something that is preventable and a potential for something other than a blip, however long lasting the attack, in service?

Ron - I think the difference here is DoS vs. DDoS. The latter is just throwing packets at a target to fill all available bandwidth and I can't see a lot of point in that during a pen test (in that it's not actually compromising anything). However a DoS can be anything that denies service - if I walk up to your desktop and steal your keyboard and mouse, I've DoS'd you by stopping you working ;)

Seriously though - run Nessus with dangerous plugins on and you will likely DoS many parts of the client's network .. and not by overwhelming with packets. You may find that some routers/switches have been killed until a full power cycle is done and that some systems (especially older) have completely and irrecoverably locked up. It could even end up causing data loss. The fact of the matter is, if there are systems that can be knocked down like this by an exploit, then you would really want to know about it and try to prevent it. At the same time, if the client is aware of this and doesn't want to take the risk ... well they are the ones paying you and all you can do is tell them!

P.S. One final reminder of how a DoS can be used in a penetration .... think of good old Kevin Mitnick! Without DoS he wouldn't have been able to break in the way he did.

Best regards,
Alan Davies.
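The three categories Martin lays out (a single-source DoS, a distributed DoS from many zombies, and a reflected DDoS where the victim is hit by response packets it never asked for) look different from the monitoring side, and telling them apart is the first step in deciding how to respond. The following is an added illustration, not code from the thread or from any of its posters: a small flow-record classifier that scores inbound traffic to one victim host on packet rate, number of distinct sources, and the fraction of inbound packets that are replies with no matching request from the victim. The `Flow` record format, the thresholds and all sample traffic are constructed assumptions for the example, not captured data.

```python
"""Classify a burst of inbound flow records to a single victim host.

Added example (not from the mailing-list thread). Every flow record below is
constructed sample data; the Flow layout and thresholds are assumptions.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since start of the (constructed) capture
    src: str    # source IP
    dst: str    # destination IP
    kind: str   # "syn", "synack", "dns_query", "dns_response" or "data"


# Inbound packet kinds that are only legitimate as replies to something the
# victim sent first. A flood of these with no matching request is the
# hallmark of a reflected attack: spoofed requests, real reflectors.
RESPONSE_OF = {"synack": "syn", "dns_response": "dns_query"}


def classify_traffic(flows, victim, window=1.0, rate_threshold=200, source_threshold=20):
    """Return (label, stats) describing inbound traffic to `victim`."""
    inbound = [f for f in flows if f.dst == victim]
    if not inbound:
        return "quiet", {"peak_pps": 0.0, "sources": 0, "unsolicited_ratio": 0.0}

    # A DoS shows up as rate, so bucket packets per time window and take the peak.
    buckets = Counter(int(f.ts // window) for f in inbound)
    peak_pps = max(buckets.values()) / window

    sources = len({f.src for f in inbound})

    # Requests the victim really sent, as (peer, request kind) pairs; any inbound
    # reply whose (src, request kind) is not in this set is unsolicited.
    sent = {(f.dst, f.kind) for f in flows if f.src == victim}
    unsolicited = sum(
        1 for f in inbound
        if f.kind in RESPONSE_OF and (f.src, RESPONSE_OF[f.kind]) not in sent
    )
    unsolicited_ratio = unsolicited / len(inbound)

    stats = {
        "peak_pps": peak_pps,
        "sources": sources,
        "unsolicited_ratio": round(unsolicited_ratio, 2),
    }
    if peak_pps < rate_threshold:
        return "baseline", stats
    if unsolicited_ratio > 0.8:
        return "reflected DDoS", stats      # replies from many reflectors, nothing requested
    if sources >= source_threshold:
        return "distributed DoS", stats     # many clients (zombies) hitting one node
    return "single-source DoS", stats       # one host generating the whole load


# ---- constructed sample traffic (documentation address ranges only) ----
VICTIM = "198.51.100.10"


def sample_baseline():
    # 50 ordinary clients: one SYN and one data packet each, spread over 10 seconds.
    return ([Flow(i * 0.2, f"203.0.113.{i + 1}", VICTIM, "syn") for i in range(50)]
            + [Flow(i * 0.2 + 0.05, f"203.0.113.{i + 1}", VICTIM, "data") for i in range(50)])


def sample_single_source_flood():
    # One host sending 500 SYNs inside a single second.
    return [Flow(i / 500, "203.0.113.7", VICTIM, "syn") for i in range(500)]


def sample_distributed_flood():
    # 100 zombies, five SYNs each, all inside one second.
    return [Flow((i * 5 + j) / 500, f"192.0.2.{i + 1}", VICTIM, "syn")
            for i in range(100) for j in range(5)]


def sample_reflected_flood():
    # The victim sent one real DNS query and got one real answer; then 500 DNS
    # responses it never asked for arrive from 50 open resolvers.
    flows = [Flow(0.0, VICTIM, "192.0.2.1", "dns_query"),
             Flow(0.01, "192.0.2.1", VICTIM, "dns_response")]
    flows += [Flow(0.1 + i / 1000, f"192.0.2.{100 + i % 50}", VICTIM, "dns_response")
              for i in range(500)]
    return flows


if __name__ == "__main__":
    for name, sample in [("baseline", sample_baseline()),
                         ("single-source", sample_single_source_flood()),
                         ("distributed", sample_distributed_flood()),
                         ("reflected", sample_reflected_flood())]:
        label, stats = classify_traffic(sample, VICTIM)
        print(f"{name:14s} -> {label:18s} {stats}")
```

The thresholds are deliberately crude; in practice they would be tuned per link and per service, and the "unsolicited reply" test needs real request/response matching (ports, DNS transaction IDs) rather than the packet-kind shorthand used here. The point the example makes is the one the thread makes: the single-source and distributed cases differ only in how many sources you see, while the reflected case is recognisable because the victim is receiving answers to questions it never sent.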