Re: DDos within a pentest

From: Christoph Puppe (puppe@hisolutions.com)
Date: Tue May 17 2005 - 09:45:27 EDT

• Next message: Atte Peltomaki: "Re: Cisco VPN Concentrator GUI"
• Previous message: Christoph Puppe: "Re: Netcat through Squid HTTP Proxy"
• Maybe in reply to: Julian Totzek: "DDos within a pentest"
• Next in thread: Christoph Puppe: "Re: DDos within a pentest"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Julian Totzek schrieb:

> Hi group,
>
> within a pentest we trying to offer the possibility of a DDos Foold for
> our customers. I know there are many tools to do a flood from a single
> PC, but all of these tools just send as many syn's as the can. Does
> anybody know a tool where I'm able to limit the bandwidth? I don’t want
> to get a bandwidth overload, I just want to show that the server is not
> able to handle all the syn packets.

Try hping with the -i switch you can set the rate of the generated packets.
You have to prevent your host from answering RST on the returned SYN-ACK.
See "man iptables" for that ;)

> An other question is from where would I start such a attack? We only
> have a 2Mbit line here in the office, so if I need to flood a 10Mbit
> line there will not be enough packets to do this, right? Maybe there is
> a provider out there who already offers this service!

For SYN-Floods you don't need to saturate the line. Most OS kann keep about
100-300 Half-Open Connections and have them stay for 10-120 seconds. So you
only need a few unanswered SYNs to tie up the half-open stack.

> The third question is what will be the side effects if I send packets
> with spoofed sources? As you all know I don't a answer to my packets,
> but would it be a DDos to all spoofed sources then? How can you ensure
> that only the main target is getting flooded?

Don't use other, unrelated persons and providers IP-Numbers. That is rude
and script-kiddy style. If you can't controll the sending host, have your
firewall discard all traffik to a certain IP and use this address.

As you are from Germany, see my article in ix on the topic:
http://www.heise.de/ix/artikel/2005/04/107/

-- 
Mit freundlichen Grüßen
Christoph Puppe
Security Consultant
We secure your business.(TM)
_______________________________________________________
HiSolutions AG     Phone:    +49 30 533289-0
Bouchéstrasse 12   Fax:      +49 30 533289-99
D-12435 Berlin     Internet: http://www.hisolutions.com
_______________________________________________________

• Next message: Atte Peltomaki: "Re: Cisco VPN Concentrator GUI"
• Previous message: Christoph Puppe: "Re: Netcat through Squid HTTP Proxy"
• Maybe in reply to: Julian Totzek: "DDos within a pentest"
• Next in thread: Christoph Puppe: "Re: DDos within a pentest"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:21 EDT