Penetration Testing mailing list archives

Re: DDoS within a pentest


From: Christoph Puppe <puppe () hisolutions com>
Date: Tue, 17 May 2005 22:05:40 +0200

Chris Fahey wrote:
> Generally speaking I do not run DDoS during a pen test. We all know that
> they can screw up a customer's network. Anyone could do this if they were
> so inclined. If you feel that the customer is vulnerable to a DDoS
> attack and they can do something to mitigate said vulnerability, write it
> in your report. Or, if they want you to verify that they are truly
> vulnerable, do so in a test scenario, taking the time to log all of your
> actions. Performing a DDoS on a live system/network just isn't good
> practice.

Sometimes it can be. I had a customer where the server was limited to a very
low number of connections. I used them up with netcat connects and showed
them that this setting, with no timeout whatsoever, is dangerous, because a
DoS can be done with very few means.

But then this was a very special condition that we proved to be a problem,
and the customer was sitting beside me. Other general DoS or DDoS attacks
have been proven before and do not need to be proven again.

-- 
Kind regards

Christoph Puppe
Security Consultant


We secure your business.(TM)
_______________________________________________________

HiSolutions AG     Phone:    +49 30 533289-0
Bouchéstrasse 12   Fax:      +49 30 533289-99
D-12435 Berlin     Internet: http://www.hisolutions.com
_______________________________________________________
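The connection-exhaustion finding Christoph describes, reproduced as a local lab check so that the fix (an idle timeout on accepted connections) can be verified next to the problem. This is added example code, not from the thread or from HiSolutions; the toy server, its constructed cap of three connections and the `ping`/`OK` exchange are assumptions made for the demonstration.

```python
import contextlib
import socket
import threading
import time

MAX_CONNS = 3  # constructed: a tiny connection cap, like the server in the finding

def start_server(idle_timeout=None):
    # toy TCP server with a hard cap on open connections; returns (port, stop_fn)
    lsock = socket.create_server(("127.0.0.1", 0))
    slots = threading.Semaphore(MAX_CONNS)  # one token per allowed connection
    def handle(conn):
        conn.settimeout(idle_timeout)  # None = wait forever for the first byte
        with contextlib.suppress(OSError), conn:  # timeout raises OSError; conn closed on exit
            if conn.recv(64):
                conn.sendall(b"OK\n")
        slots.release()  # slot reclaimed once the client talks, hangs up or times out
    def accept_loop():
        while True:
            try:
                conn, _ = lsock.accept()
            except OSError:
                return  # stop_fn closed the listening socket
            if not slots.acquire(blocking=False):
                conn.close()  # at capacity: the newcomer is dropped
                continue
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1], lsock.close

def probe(port):
    try:  # True if the server still answers a well-behaved client within a second
        with socket.create_connection(("127.0.0.1", port), timeout=1.0) as s:
            s.sendall(b"ping\n")
            return s.recv(16) == b"OK\n"
    except OSError:
        return False

def run_scenario(idle_timeout):
    # hold every slot with silent clients, probe, wait, probe again
    port, stop = start_server(idle_timeout)
    idle = [socket.create_connection(("127.0.0.1", port)) for _ in range(MAX_CONNS)]
    time.sleep(0.2)  # let the server accept all of them
    before = probe(port)  # every slot is held by a silent client -> denied
    time.sleep(1.0)  # longer than the hardened idle timeout
    after = probe(port)  # answered only if the idle slots were reclaimed
    for s in idle:
        s.close()
    stop()
    return before, after
```

`run_scenario(None)` returns `(False, False)`: with no timeout the silent clients keep the server unreachable for everyone else indefinitely, which is the condition shown to the customer. `run_scenario(0.5)` returns `(False, True)`, because the idle timeout reclaims the slots and the next legitimate client is served.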
