RE: Limited vs full blown testing

From: R. DuFresne (dufresne_at_sysinfo.com)
Date: 06/25/04

  • Next message: Jerry Shenk: "RE: Limited vs full blown testing"
    Date: Thu, 24 Jun 2004 22:13:08 -0400 (EDT)
    To: Wayne Wooley <wayne.wooley@ps.net>
    
    

    On Thu, 24 Jun 2004, Wayne Wooley wrote:

    > I believe it depends on how far you want to go with your testing. There have
    > been some exploits that require a two-fold attack. In other words, the DOS
    > attack in some systems opens up the possibility to gain root by timing it
    > with a different attack.

    Yes, I recall the fine work of, wasn't it Liu Die Yu? who put together
    wasn't it 4 or was it as many as 5 or 6 minor looking web sploits to come
    up with a massive hit in the http arena...yet, required that the victim be
    lured into a nasty website if I recall. Which at least in this case
    might be more accurately described as social engineering.

    >
    > But the thing is, a lot of these types of attacks that are currently out are
    > not published to the public. So it's a good chance you will never see them
    > used against your systems. And this also brings up the point that, no one
    > can ever have a completely secure system.

    Understood, one of the basic reasons that security is a layered approach,
    we attempt to isolate levels and degrees of risk, and ways to deal with
    them. Firewalls fail closed, switches are properly configged, and not the
    basis upon which perimeter security is based, and why disaster recovery is
    part of the 'security infrastructure', to guard against data loss, as best
    as we can 'guard'.

    > As there will always be exploits
    > available to select individuals that do not publish their work.
    >

    One of the base arguments in the full-disclosure debate <smile>...

    > In my experience most attacks are from individuals with very little
    > knowledge as to what they are doing (kiddie scripts).
    >

    Which are mostly nits caught in logs or them noisy outward facing IDS's
    meant to generate a rationale for a security posture <I hate these by the
    way>...

    Still I'm interested as stated in another reply, how a DOS is defined
    specifically different than a DDOS...

    Thanks,

    Ron DuFresne

    >
    > -----Original Message-----
    > From: R. DuFresne [mailto:dufresne@sysinfo.com]
    > Sent: Thursday, June 24, 2004 3:13 PM
    > To: Peter Wood
    > Cc: pen-test@securityfocus.com
    > Subject: Re: Limited vs full blown testing
    >
    >
    >
    > [SNIP]
    >
    > >
    > > We accept a brief excluding DoS attacks, as most clients just won't support
    > > DoS testing. However we include appropriate caveats in our report and
    > > continue to suggest they do these tests.
    > >
    >
    > I'm trying to understand the significance of DDOS testing and importance.
    > Thing is, if you can spew packets fast enough, or make enough connections
    > to consume the resources involved, you can take a site/service down for at
    > least the duration of the attack, even pipes as large as those of
    > akami<sp?> were proven to be susceptible in recent days. It's a given
    > vector of attack that we live with, a risk level we hope to avoid. But,
    > not something that gives away the insides of the network to thugs and
    > thieves. No root shell and all that, which constitute a real threat, at
    > least in my mind. Perhaps I'm missing something that has come up in
    > recent years that redefines DDOS as something that is preventable and a
    > potential for something other than a blip, however long lasting the
    > attack, in service?
    >
    > Thanks,
    >
    > Ron DuFresne
    >

    -- 
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            admin & senior security consultant:  sysinfo.com
                            http://sysinfo.com
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation."
                    -- Johnny Hart
    testing, only testing, and damn good at it too!
    
