
| Subject: | Re: DDos within a pentest |
|---|---|
| Date: | Tue, 17 May 2005 22:05:40 +0200 |
Chris Fahey wrote:
Generally speaking I do not run DDoS during a pen test. We all know that they can screw up a customer's network. Anyone could do this if they were so inclined. If you feel that the customer is vulnerable to a DDoS attack and they can do something to mitigate said vulnerability, write it in your report. Or, if they want you to verify that they are truly vulnerable, do so in a test scenario, taking the time to log all of your actions. Performing a DDoS on a live system/network just isn't good practice.

Sometimes it can be. Had a customer where the server was limited to a very low amount of connections. I used them up with netcat connects and showed them that this setting with no timeout whatsoever is dangerous, because a DoS can be done with very few means. But then this was a very special condition that we proved to be a problem and the customer was sitting beside me.

Other general DoS or DDoS attacks have been proven before and do not need to be proven again.

--
With kind regards

Christoph Puppe
Security Consultant

We secure your business.(TM)
_______________________________________________________
HiSolutions AG
Phone: +49 30 533289-0
Bouchéstrasse 12
Fax: +49 30 533289-99
D-12435 Berlin
Internet: http://www.hisolutions.com
_______________________________________________________