RE: Limited vs full blown testing

From: Martin Murray-Brown (Martin.Murray-Brown_at_derivco.com)
Date: 06/28/04

    Date: Mon, 28 Jun 2004 09:16:01 +0200
    To: <pen-test@securityfocus.com>
    
    

    I noticed a couple of people talking about definitions... just so we're
    all on the same page, perhaps we should agree on the following:

    1) A 'DoS' attack is a Denial Of Service attack (and not the operating
    system ;) ). In other words, it's any attack that results in a denial of
    service... as Alan said, stealing your keyboard and mouse would be quite
    an effective DoS attack, especially if you don't have a spare :)

    2) 'DDoS' is 'Distributed Denial of Service'... an attack where multiple
    clients (often viral zombies) spam a particular node in some way,
    preventing that node from receiving valid requests. Assorted flavours
    include reflected (where the node is not spammed directly, but rather
    hit with response packets from spoofed IPs on the original packets...
    nasty).

    Therefore, a DDoS is a DoS, but a DoS isn't necessarily a DDoS. Groovy
    *snaps fingers*.

    In terms of threat... while possibly I missed the original point of this
    which restricted us to penetration tests, I still believe that any
    remotely complete test requires some form of DoS testing. In terms of
    damage to an online company's cash flow, DoS's can be devastating... I
    recommend that any proposed test that doesn't include denial of service
    testing ensures that the client is fully aware of the ramifications. You
    don't want big clients coming back and blaming you for not telling them
    about it when some Skiddie with a few hundred zombies is costing them a
    million a day...
    (I know I'm harping on about it and repeating what others like Alan have
    said in different words... but DoS's are becoming more common, and are
    being used in blackmails (check recent reports in the online betting
    industry).)

    -----Original Message-----
    From: Alan Davies

    >I'm trying to understand the significance of DDOS testing and importance.
    >Thing is, if you can spew packets fast enough, or make enough connections
    >to consume the resources involved, you can take a site/service down for at
    >least the duration of the attack, even pipes as large as those of
    >akami<sp?> were proven to be susceptible in recent days. It's a given
    >vector of attack that we live with, a risk level we hope to avoid. But,
    >not something that gives away the insides of the network to thugs and
    >thieves. No root shell and all that, which constitute a real threat, at
    >least in my mind. Perhaps I'm missing something that has come up in
    >recent years that redefines DDOS as something that is preventable and a
    >potential for something other than a blip, however long lasting the
    >attack, in service?

    Ron - I think the difference here is DoS vs. DDoS. The latter is just
    throwing packets at a target to fill all available bandwidth and I can't
    see a lot of point in that during a pen test (in that it's not actually
    compromising anything).

    However a DoS can be anything that denies service - if I walk up to your
    desktop and steal your keyboard and mouse, I've DoS'd you by stopping you
    working ;) Seriously though - run Nessus with dangerous plugins on and you
    will likely DoS many parts of the client's network .. and not by
    overwhelming with packets. You may find that some routers/switches have
    been killed until a full power cycle is done and that some systems
    (especially older) have completely and irrecoverably locked up. It could
    even end up causing data loss.

    The fact of the matter is, if there are systems that can be knocked down
    like this by an exploit, then you would really want to know about it and
    try to prevent it. At the same time, if the client is aware of this and
    doesn't want to take the risk ... well they are the ones paying you and
    all you can do is tell them!

    P.S. One final reminder of how a DoS can be used in a penetration ....
    think of good old Kevin Mitnick! Without DoS he wouldn't have been able
    to break in the way he did.

    Best regards,

    Alan Davies.

