Penetration Testing mailing list archives
RE: Limited vs full blown testing
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Thu, 24 Jun 2004 18:37:15 -0400
He SPECIFICALLY excluded DDOS. Of course, if you sit in on the network with a battery of laptops and find a few amplifiers internally, you can do a DDOS...that's why he excluded it. In fact, it was the VERY NEXT sentence after the first sentence you snipped out.

How about some more basic DOS attempts? Doing that type of thing internally doesn't seem very practical to me. Now, about doing a DOS in a penetration test or vulnerability assessment...sure, it makes sense.

-----Original Message-----
From: R. DuFresne [mailto:dufresne () sysinfo com]
Sent: Thursday, June 24, 2004 4:13 PM
To: Peter Wood
Cc: pen-test () securityfocus com
Subject: Re: Limited vs full blown testing

[SNIP]

We accept a brief excluding DoS attacks, as most clients just won't support DoS testing. However we include appropriate caveats in our report and continue to suggest they do these tests.

I'm trying to understand the significance of DDOS testing and importance. Thing is, if you can spew packets fast enough, or make enough connections to consume the resources involved, you can take a site/service down for at least the duration of the attack, even pipes as large as those of akami<sp?> were proven to be susceptible in recent days. It's a given vector of attack that we live with, a risk level we hope to avoid. But, not something that gives away the insides of the network to thugs and thieves. No root shell and all that, which constitute a real threat, at least in my mind. Perhaps I'm missing something that has come up in recent years that redefines DDOS as something that is preventable and a potential for something other than a blip, however long lasting the attack, in service?

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!