Penetration Testing mailing list archives

Re: DDos within a pentest
From: Christoph Puppe <puppe () hisolutions com>
Date: Tue, 17 May 2005 22:05:40 +0200

Chris Fahey wrote:
> Generally speaking I do not run DDoS during a pen test. We all know that
> they can screw up a customer's network. Anyone could do this if they were
> so inclined. If you feel that the customer is vulnerable to a DDoS
> attack and they can do something to mitigate said vulnerability write it
> in your report. Or, if they want you to verify that they are truly
> vulnerable do so in a test scenario. Taking the time to log all of your
> actions. Performing a DDoS on a live system/network just isn't good

Sometimes it can be. Had a customer where the server was limited to a very
low amount of connections. I used them up with netcat connects and showed
them that this setting with no timeout whatsoever is dangerous, because a
DoS can be done with very few means.

But then this was a very special condition that we proved to be a problem
and the customer was sitting beside me. Other general DoS or DDoS attacks
have been proven before and do not need to be proven again.

Kind regards

Christoph Puppe
Security Consultant

We secure your business.(TM)

HiSolutions AG     Phone:    +49 30 533289-0
Bouchéstrasse 12   Fax:      +49 30 533289-99
D-12435 Berlin     Internet: http://www.hisolutions.com
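
The condition described in the reply above (a low connection limit with no timeout), modelled from the server operator's side. This is an added example, not part of the original message; the class, the function, the addresses and the timings are constructed for illustration and do not describe the customer's system.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ConnectionTable:
    max_conns: int                         # hard cap on simultaneous connections
    idle_timeout: Optional[float] = None   # seconds; None = never reap (the risky setting)
    per_source_cap: Optional[int] = None   # optional limit per client address
    conns: dict = field(default_factory=dict)  # conn_id -> (source, last_activity)
    next_id: int = 0

    def reap(self, now):
        """Drop connections that have been silent longer than idle_timeout."""
        if self.idle_timeout is None:
            return 0
        stale = [c for c, (_, last) in self.conns.items()
                 if now - last > self.idle_timeout]
        for c in stale:
            del self.conns[c]
        return len(stale)

    def accept(self, source, now):
        """Return a connection id, or None if the connection is refused."""
        self.reap(now)
        if len(self.conns) >= self.max_conns:
            return None
        if self.per_source_cap is not None:
            held = sum(1 for s, _ in self.conns.values() if s == source)
            if held >= self.per_source_cap:
                return None
        self.next_id += 1
        self.conns[self.next_id] = (source, now)
        return self.next_id

    def activity(self, conn_id, now):
        """Record traffic on a connection so it is not treated as idle."""
        if conn_id in self.conns:
            self.conns[conn_id] = (self.conns[conn_id][0], now)


def legit_client_served(table, idle_holder="198.51.100.7",
                        client="203.0.113.20", wait=120.0):
    """Constructed scenario: one source opens connections at t=0 and stays
    silent; another client connects `wait` seconds later. True if it gets a slot."""
    for _ in range(table.max_conns):
        table.accept(idle_holder, now=0.0)
    return table.accept(client, now=wait) is not None
```

With `idle_timeout=None` the second client is refused for as long as the silent connections stay open; an idle timeout or a per-source cap frees or reserves slots for it.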
