Penetration Testing mailing list archives

RE: DDos within a pentest


From: Omar Herrera <oherrera () prodigy net mx>
Date: Mon, 09 May 2005 19:16:12 -0500

Hi Julian,

These kinds of tests are delicate. I understand that you would like to show customers the impact, but there are some 
problems:

* Unless you control all devices (or at least have written permission to perform this test on them) between your 
machines and the ones from your client, you might be DoSing a third party (e.g. a router of the ISP of your client is 
unable to handle the attack and goes down).
* Even if you control bandwidth, things fail (i.e. payload could trigger a DoS, not necessarily a certain amount of 
packets).
* A third party might just get angry to see this activity on his equipment; even if you cause no harm, you will still 
use some bandwidth (with dubious intent, from their point of view), and they could go after you.

So, the main problem here is: dealing with third parties.

My suggestion therefore is to avoid them. You can do a couple of things:
a) Work with your client to get your machines plugged into their perimeter routers, which will give you the ability to 
perform a controlled (D)DoS with almost no deviation from a real test. 
b) Do it in their internal network, in a controlled environment.

One option or the other would be more interesting to each company, depending on their business process (e.g. e-commerce 
sites might prefer a), while a manufacturing company might prefer b) ).

For your last question, it all depends how your client configured their routers/firewalls. If they answer all requests, 
then you could DoS the legitimate user of the spoofed address, otherwise no. It also depends on whether you rotate the 
source (spoofed) address; in this case only a couple of packets might be sent to the spoofed addresses, if any.

I hope this helps,

Omar Herrera

-----Original Message-----
From: Julian Totzek [mailto:julian.totzek () bristol de]
Sent: Friday, May 06, 2005 2:44 AM
To: pen-test () securityfocus com
Subject: DDos within a pentest

Hi group,

within a pentest we are trying to offer the possibility of a DDoS flood for
our customers. I know there are many tools to do a flood from a single PC,
but all of these tools just send as many SYNs as they can. Does anybody
know a tool where I'm able to limit the bandwidth? I don’t want to get a
bandwidth overload, I just want to show that the server is not able to
handle all the syn packets.

Another question is from where would I start such an attack? We only have
a 2Mbit line here in the office, so if I need to flood a 10Mbit line there
will not be enough packets to do this, right? Maybe there is a provider
out there who already offers this service!

The third question is what will be the side effects if I send packets with
spoofed sources? As you all know I don't get an answer to my packets, but would
it be a DDoS to all spoofed sources then? How can you ensure that only the
main target is getting flooded?


Best regards

Julian Totzek

THE BRISTOL GROUP Deutschland GmbH
Robert-Bosch-Straße 11
63225 Langen
Phone +49 (0) 6103 20 55 300
Fax +49 (0) 6103 70 27 87
Emergency Phone 0190/858 979 000 (1,86€/min)
julian.totzek () bristol de
www.bristol.de




