Client DDoS requests, ideas?



Pen-testers,

There have been times when, during the course of a pen-test for a client, a request is made for DoS/DDoS attacks against external systems & services. While there are resource exhaustion & other attack methods for certain services/systems, let's assume that Smurf-like attacks aren't viable. I'm curious for ideas or methods to simulate straight bandwidth DDoS attacks if the client pipe(s) are larger than your available pipe(s).

It's not like we all have huge botnets in our back pocket... Has anyone faced this situation before and if so, how did you manage?

--
Erin Carroll
Moderator, SecurityFocus pen-test list
