Chris Fahey schrieb:
> Generally speaking I do not run DDoS during a pen test. We all know that
> they can screw up a customers network. Anyone could do this if they were
> so inclined. If you feel that the customer is vulnerable to a DDoS
> attack and they can do something to mitigate said vulnerability write it
> in your report. Or, if they want you to verify that they are truly
> vulnerable do so in a test scenario. Taking the time to log all of your
> actions. Performing a DDoS on a live system/network just isn't good
> practice.
Sometimes it can be. Had a customer where the server was limited to a very
low amount of connections. I used them up with netcat connects and showed
them that this setting with no timeout whatsoever is dangerous, because a
DoS can be done with very few means.
But then this was a very special condition that we proved to be a problem
and the customer was sitting beside me. Other general DoS or DDoS attacks
have been proven before and do not need to be proven again.
--
Mit freundlichen Grüßen
Christoph Puppe
Security Consultant
We secure your business.(TM)
_______________________________________________________
HiSolutions AG Phone: +49 30 533289-0
Bouchéstrasse 12 Fax: +49 30 533289-99
D-12435 Berlin Internet: http://www.hisolutions.com
_______________________________________________________
Received on May 18 2005
Intro
