Penetration Testing mailing list archives

Re: Controlled DoS


From: Christine Kronberg <seeker () shalla de>
Date: Sat, 20 Mar 2010 12:00:43 +0100 (CET)



  Hi,


Is it possible to do a Denial of Service attack in a controlled way, e.g. in
a penetration testing scenario? How can you control/limit the possible
degradation of the client's services? Can you ask the client to cooperate in
terms of IDS/IPS alerts, or any sign of service degradation? How can you
measure the success of the test if you are actually not allowed to break
anything? What is the approach to a 99.99% availability requirement network?

  Yes, it is possible to do controlled DoS attacks. But you definitely
  need the support of the customer to watch the network, host and
  services (bandwidth fill rate, cpu usage, disk page, availability
  of services etc.).

  A successful DoS attack can happen in many ways. You first have to
  identify your attack vectors: which components are you going to attack?
  And how are you going to attack?
  Each component has its own weaknesses and you have to determine the
  appropriate means to explore them and the effect of those means. For
  example:

  One component is, of course, the network. The way to perform a DoS
  here is to fill it up. A way to measure it is to look at the
  response times or statistics on routers (that's one place where the
  customer comes in). In order to attack in a controlled way you will
  have to increase the load step by step and check the measure points.
  Is a kind of plateau reached, or does any increase in attack load
  directly correspond to an increase in filled bandwidth?

  Another component is the host in question. The questions here are:
  Can you provoke a memory exhaustion? Can you reach some kind of
  connection limit after which the host is unreachable? Is there any
  way to fill up the disks and make the hosts behave in an unpredictable
  way? How does the final service deal with malformed packages?
  And so on.

  You have to identify all attack vectors, analyze their impact for
  the given attacks and define the measure points. During this
  analysis you may find several attacks not being feasible with
  your means, yet feasible for attackers controlling large sets
  of hosts.
  Make sure that your customer understands the limitations of
  the tests.

  Hope this helps,

  Christine Kronberg.
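
The step-by-step control loop the reply describes (raise the load one step at a time, read the customer's measure points after each step, stop at an agreed degradation limit or when the bottleneck is found) can be written down as a small controller. The following is an added example, not code from the original post or its author. It generates no traffic: `measure` stands in for whatever the customer reads off their routers and service monitors, and `simulated_link` is a constructed model of a 100 Mbit/s link used only so the block runs offline. The function and field names are assumptions of this example.

```python
# Added example (not from the original post): a step-up controller for a
# measured, pre-agreed load test. It does not send anything; `measure`
# represents the customer-side monitoring, and the link model is constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Sample:
    load_mbps: float      # load offered at this step
    utilisation: float    # fraction of link bandwidth in use (router statistic)
    response_ms: float    # response time observed at the agreed measure point


def ramp(measure: Callable[[float], Sample],
         start_mbps: float, step_mbps: float, ceiling_mbps: float,
         abort_response_ms: float, plateau_tolerance: float = 0.02) -> Dict:
    """Increase offered load one step at a time and check the measure points.

    Stops for one of three reasons:
      - "abort":   the degradation limit agreed with the customer was reached;
                   the triggering sample is kept so the report shows it
      - "plateau": another step no longer increases utilisation, i.e. the
                   saturation point has been measured and pushing harder
                   adds nothing to the result
      - "ceiling": the pre-agreed maximum load was reached without either
    Returns the samples, the stop reason and the last load that stayed
    below the agreed limit.
    """
    samples: List[Sample] = []
    load = start_mbps
    reason = "ceiling"
    while load <= ceiling_mbps:
        s = measure(load)
        samples.append(s)
        if s.response_ms >= abort_response_ms:
            reason = "abort: degradation limit reached"
            break
        if len(samples) >= 2 and \
                samples[-1].utilisation - samples[-2].utilisation < plateau_tolerance:
            reason = "plateau"
            break
        load += step_mbps
    safe = [s for s in samples if s.response_ms < abort_response_ms]
    last_safe: Optional[float] = safe[-1].load_mbps if safe else None
    return {"samples": samples, "reason": reason, "last_safe_load_mbps": last_safe}


def simulated_link(capacity_mbps: float = 100.0) -> Callable[[float], Sample]:
    """Constructed stand-in for the customer's monitoring of one link:
    utilisation is offered load over capacity, capped at 1.0, and response
    time is flat until about 80% utilisation, then grows steeply."""
    def measure(load_mbps: float) -> Sample:
        util = min(load_mbps / capacity_mbps, 1.0)
        base_ms = 5.0
        resp = base_ms if util < 0.8 else base_ms + (util - 0.8) * 400.0
        return Sample(load_mbps, util, resp)
    return measure


if __name__ == "__main__":
    # Agreed with the (hypothetical) customer: stop once response time
    # reaches 50 ms, never exceed 200 Mbit/s offered load.
    result = ramp(simulated_link(), 10.0, 10.0, 200.0, abort_response_ms=50.0)
    for s in result["samples"]:
        print(f"{s.load_mbps:6.1f} Mbit/s  util={s.utilisation:4.2f}  "
              f"resp={s.response_ms:5.1f} ms")
    print(result["reason"], "- last safe load:", result["last_safe_load_mbps"])
```

The two stop conditions map onto the questions in the reply: the plateau check answers "is a kind of plateau reached", and the per-step comparison of utilisation answers whether each increase in load still corresponds to an increase in filled bandwidth. The abort limit is the place where the customer's monitoring and tolerance enter the test plan.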

