Penetration Testing mailing list archives
Re: Controlled DoS
From: Christine Kronberg <seeker () shalla de>
Date: Sat, 20 Mar 2010 12:00:43 +0100 (CET)
Hi,
Is it possible to do a Denial of Service attack in a controlled way, e.g. in a penetration testing scenario? How can you control/limit the possible degradation of the client's services? Can you ask the client to cooperate in terms of IDS/IPS alerts, or any sign of service degradation? How can you measure the success of the test if you are actually not allowed to break anything? What is the approach to a 99.99% availability requirement network?
Yes, it is possible to do controlled DoS attacks. But you definitely need the support of the customer to watch the network, host and services (bandwidth fill rate, CPU usage, disk page, availability of services etc.).

A successful DoS attack can happen in many ways. You first have to identify your attack vectors: which components are you going to attack? And how are you going to attack? Each component has its own weaknesses and you have to determine the appropriate means to explore them and the effect of those means.

For example: One component is, of course, the network. The way to perform a DoS here is to fill it up. A way to measure it is to look at the response times or statistics on routers (that's one place where the customer comes in). In order to attack in a controlled way you will have to increase the load step by step and check the measure points. Is a kind of plateau reached or does any increase in attack load directly correspond to an increase in filled bandwidth?

Another component is the host in question. The questions here are: Can you provoke a memory exhaustion? Can you reach some kind of connection limit after which the host is unreachable? Is there any way to fill up the disks and make the hosts behave in an unpredictable way? How does the final service deal with malformed packages? And so on.

You have to identify all attack vectors, analyze their impact for the given attacks and define the measure points. During this analysis you may find several attacks not being feasible with your means, yet feasible for attackers controlling large sets of hosts. Make sure that your customer understands the limitations of the tests.

Hope this helps,

Christine Kronberg.
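The step-by-step approach described in the message above can be expressed as a stop rule that is evaluated on the customer's monitoring data after each load step. This is an added example, not part of the original post; the field names, the thresholds and the sample readings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Step:
    offered_mbps: float  # load generated by the tester in this step
    link_mbps: float     # bandwidth fill reported by the customer's router
    rtt_ms: float        # response time of the service probe

def evaluate(steps, max_rtt_ms, plateau_ratio=0.2):
    """Return (verdict, step_index) for a stepped load test.

    "abort":    response time crossed the agreed degradation limit.
    "plateau":  extra offered load no longer raises the filled bandwidth.
    "continue": growth is still proportional; the next step may run.
    """
    for i, step in enumerate(steps):
        # The agreed limit is checked first so a breach always stops the test.
        if step.rtt_ms > max_rtt_ms:
            return ("abort", i)
        if i == 0:
            continue
        prev = steps[i - 1]
        d_offered = step.offered_mbps - prev.offered_mbps
        if d_offered <= 0:
            raise ValueError("offered load must increase at every step")
        # Share of the added load that showed up as added bandwidth fill.
        if (step.link_mbps - prev.link_mbps) / d_offered < plateau_ratio:
            return ("plateau", i)
    return ("continue", len(steps) - 1)

# Constructed sample readings (not measurements from a real engagement).
SAMPLE = [
    Step(10, 10.0, 12), Step(20, 19.5, 13), Step(30, 29.0, 15),
    Step(40, 30.5, 40), Step(50, 31.0, 95),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE, max_rtt_ms=80))
```

The limit passed as `max_rtt_ms` stands for whatever degradation bound was agreed with the customer before the test; the same structure works for CPU, memory or connection-count readings on the host.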