Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: DDos within a pentest
From: Christoph Puppe <puppe () hisolutions com>
Date: Tue, 17 May 2005 22:05:40 +0200

Chris Fahey schrieb:
Generally speaking I do not run DDoS during a pen test. We all know that
they can screw up a customers network. Anyone could do this if they were
so inclined. If you feel that the customer is vulnerable to a DDoS
attack and they can do something to mitigate said vulnerability write it
in your report. Or, if they want you to verify that they are truly
vulnerable do so in a test scenario. Taking the time to log all of your
actions. Performing a DDoS on a live system/network just isn't good
practice.

Sometimes it can be. Had a customer where the server was limited to a very
low amount of connections. I used them up with netcat connects and showed
them that this setting with no timeout whatsoever is dangerous, because a
DoS can be done with very few means.

But then this was a very special condition that we proved to be a problem
and the customer was sitting beside me. Other general DoS or DDoS attacks
have been proven before and do not need to be proven again.

-- 
Mit freundlichen Grüßen

Christoph Puppe
Security Consultant


We secure your business.(TM)
_______________________________________________________

HiSolutions AG     Phone:    +49 30 533289-0
Bouchéstrasse 12   Fax:      +49 30 533289-99
D-12435 Berlin     Internet: http://www.hisolutions.com
_______________________________________________________


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]