From: Christoph Puppe (puppe@hisolutions.com)
Date: Tue May 17 2005 - 16:05:40 EDT
Chris Fahey schrieb:
> Generally speaking I do not run DDoS during a pen test. We all know that
> they can screw up a customers network. Anyone could do this if they were
> so inclined. If you feel that the customer is vulnerable to a DDoS
> attack and they can do something to mitigate said vulnerability write it
> in your report. Or, if they want you to verify that they are truly
> vulnerable do so in a test scenario. Taking the time to log all of your
> actions. Performing a DDoS on a live system/network just isn't good
> practice.
Sometimes it can be. Had a customer where the server was limited to a very
low amount of connections. I used them up with netcat connects and showed
them that this setting with no timeout whatsoever is dangerous, because a
DoS can be done with very few means.
But then this was a very special condition that we proved to be a problem
and the customer was sitting beside me. Other general DoS or DDoS attacks
have been proven before and do not need to be proven again.
-- Mit freundlichen Grüßen Christoph Puppe Security Consultant We secure your business.(TM) _______________________________________________________ HiSolutions AG Phone: +49 30 533289-0 Bouchéstrasse 12 Fax: +49 30 533289-99 D-12435 Berlin Internet: http://www.hisolutions.com _______________________________________________________
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:21 EDT