Penetration Testing mailing list archives
Re: DDos within a pentest
From: Christoph Puppe <puppe () hisolutions com>
Date: Tue, 17 May 2005 22:05:40 +0200
Chris Fahey wrote:
Generally speaking, I do not run DDoS during a pen test. We all know that they can screw up a customer's network. Anyone could do this if they were so inclined. If you feel that the customer is vulnerable to a DDoS attack and they can do something to mitigate said vulnerability, write it in your report. Or, if they want you to verify that they are truly vulnerable, do so in a test scenario, taking the time to log all of your actions. Performing a DDoS on a live system/network just isn't good practice.
Sometimes it can be. Had a customer where the server was limited to a very low amount of connections. I used them up with netcat connects and showed them that this setting with no timeout whatsoever is dangerous, because a DoS can be done with very few means. But then this was a very special condition that we proved to be a problem and the customer was sitting beside me. Other general DoS or DDoS attacks have been proven before and do not need to be proven again.

--
Kind regards
Christoph Puppe
Security Consultant

We secure your business.(TM)
_______________________________________________________
HiSolutions AG
Bouchéstrasse 12
D-12435 Berlin
Phone: +49 30 533289-0
Fax: +49 30 533289-99
Internet: http://www.hisolutions.com
_______________________________________________________