Network Security Pen-Test

RE: DDos within a pentest

Subject: RE: DDos within a pentest
Date: Mon, 09 May 2005 19:16:12 -0500
Hi Julian,

These kinds of tests are delicate. I understand that you would like to show 
customers the impact, but there are some problems:

* Unless you control all devices (or at least have written permission to 
perform this test on them) between your machines and the ones from your client, 
you might be DoSing a third party (e.g. a router of the ISP of your client is 
unable to handle the attack and goes down).
* Even if you control bandwidth, things fail (i.e. the payload could trigger a DoS, 
not necessarily a certain amount of packets).
* A third party might just get angry to see this activity on their equipment; 
even if you cause no harm, you will still use some bandwidth (with dubious 
intent, from their point of view), and they could go after you.

So, the main problem here is: dealing with third parties.

My suggestion therefore is to avoid them. You can do a couple of things:
a) Work with your client to get your machines plugged into their perimeter 
routers, which will give you the ability to perform a controlled (D)DoS with 
almost no deviation from a real test. 
b) Do it in their internal network, in a controlled environment.

One option or the other would be more interesting to each company, depending on 
their business process (e.g. e-commerce sites might prefer a), while a 
manufacturing company might prefer b)).

For your last question, it all depends on how your client configured their 
routers/firewalls. If they answer all requests, then you could DoS the 
legitimate user of the spoofed address; otherwise no. It also depends on 
whether you rotate the source (spoofed) address; in this case only a couple of 
packets might be sent to each spoofed address, if any.

I hope this helps,

Omar Herrera

-----Original Message-----
From: Julian Totzek [mailto:julian.totzek@bristol.de]
Sent: Friday, May 06, 2005 2:44 AM
To: pen-test@securityfocus.com
Subject: DDos within a pentest

Hi group,

Within a pentest we are trying to offer the possibility of a DDoS flood for
our customers. I know there are many tools to do a flood from a single PC,
but all of these tools just send as many SYNs as they can. Does anybody
know a tool where I'm able to limit the bandwidth? I don't want to get a
bandwidth overload, I just want to show that the server is not able to
handle all the SYN packets.

Another question is from where would I start such an attack? We only have
a 2Mbit line here in the office, so if I need to flood a 10Mbit line there
will not be enough packets to do this, right? Maybe there is a provider
out there who already offers this service!

The third question is what will be the side effects if I send packets with
spoofed sources? As you all know I don't get an answer to my packets, but would
it be a DDoS to all spoofed sources then? How can you ensure that only the
main target is getting flooded?


Best regards

Julian Totzek

THE BRISTOL GROUP Deutschland GmbH
Robert-Bosch-Straße 11
63225 Langen
Telephone +49 (0) 6103 20 55 300
Fax +49 (0) 6103 70 27 87
Emergency Phone 0190/858 979 000 (1,86€/min)
julian.totzek@bristol.de
www.bristol.de


HTTPS, HTTP, SMTP, IMAP, POP3 and FTP
Free 14-day trial of a CP Secure Antivirus Appliance
http://www.bristol.de/testing.htm
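Omar's point about spoofed sources (the target's replies land on whoever owns the spoofed address, and rotating the source spreads that load thin) can be modelled without sending a single packet. The following is an added example written for this archive page, not code from either poster: it represents a spoofed SYN flood as plain Python records, applies two target policies (answer every SYN, or reply to at most N SYNs per source as a stand-in for filtering or rate limiting), counts the backscatter each spoofed address would receive, and includes the check a defender would run on a host whose address is being spoofed: SYN-ACKs arriving from peers the host never sent a SYN to. All addresses and packet counts are constructed sample values.

```python
"""Backscatter model for a spoofed SYN flood (added example; nothing is sent).

Packets are plain records. The 'target' is the host under test, the
'spoof_pool' holds the addresses written into the forged SYNs, and
the question answered here is Omar's: who absorbs the target's replies?
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from itertools import cycle


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "S" = SYN, "SA" = SYN-ACK


def spoofed_syn_flood(target: str, spoof_pool: list[str], count: int,
                      rotate: bool) -> list[Packet]:
    """Constructed records of a spoofed SYN flood (constructed sample data).

    rotate=True cycles the forged source through spoof_pool; rotate=False
    writes spoof_pool[0] into every SYN.
    """
    sources = cycle(spoof_pool if rotate else spoof_pool[:1])
    return [Packet(next(sources), target, "S") for _ in range(count)]


def target_replies(syns: list[Packet], answers_all: bool,
                   per_source_limit: int = 0) -> list[Packet]:
    """SYN-ACKs the target emits under a given policy.

    answers_all=True models a host that replies to every SYN it sees (the
    case Omar warns about). Otherwise the host replies to at most
    per_source_limit SYNs per source address (0 = never), standing in for
    a firewall or router that filters or rate-limits connection attempts.
    """
    seen: Counter[str] = Counter()
    replies: list[Packet] = []
    for p in syns:
        seen[p.src] += 1
        if answers_all or seen[p.src] <= per_source_limit:
            replies.append(Packet(p.dst, p.src, "SA"))
    return replies


def backscatter_per_host(replies: list[Packet]) -> dict[str, int]:
    """How many unsolicited SYN-ACKs each spoofed address would receive."""
    return dict(Counter(p.dst for p in replies))


def unsolicited_synacks(host: str, observed: list[Packet],
                        own_syns: list[Packet]) -> list[Packet]:
    """Defender-side check run on `host`: a SYN-ACK from a peer that `host`
    never sent a SYN to is backscatter, i.e. evidence that someone is
    forging `host`'s address against that peer.
    """
    expected_peers = {p.dst for p in own_syns if p.src == host}
    return [p for p in observed
            if p.dst == host and p.flags == "SA" and p.src not in expected_peers]


if __name__ == "__main__":
    target = "192.0.2.20"                                   # constructed
    pool = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]  # constructed

    # Target answers everything: rotating the source spreads the replies.
    rotated = target_replies(spoofed_syn_flood(target, pool, 9, True), True)
    print("rotated, answers all:", backscatter_per_host(rotated))
    # One fixed spoofed source: that third party absorbs every reply.
    fixed = target_replies(spoofed_syn_flood(target, pool, 9, False), True)
    print("fixed source, answers all:", backscatter_per_host(fixed))
    # Target rate-limits per source: backscatter drops to one reply each.
    limited = target_replies(spoofed_syn_flood(target, pool, 9, True), False, 1)
    print("rotated, limit 1/source:", backscatter_per_host(limited))

    # The spoofed host's own view: one legitimate SYN-ACK, nine unsolicited.
    me = "198.51.100.10"
    my_syns = [Packet(me, "203.0.113.5", "S")]
    seen_on_wire = fixed + [Packet("203.0.113.5", me, "SA")]
    print("backscatter seen by", me, ":", len(unsolicited_synacks(me, seen_on_wire, my_syns)))
```

The two policies are the whole of Omar's answer in miniature: with `answers_all=True` the counts per spoofed address equal the SYNs forged in that address's name, so a single fixed source makes one third party absorb the entire flood's replies, while rotation divides it by the pool size; with a per-source limit the backscatter is capped regardless of flood volume. The `unsolicited_synacks` check is the one a monitoring team on the spoofed side can apply to a capture to confirm that they are receiving backscatter rather than being scanned.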