Re: Controlled DoS



Hey Tibor

A DoS is essentially just overwhelming the capabilities of whatever service you're going after, so for web servers it's initiating a storm of connections, for SMB it can be attempting to login 1,000,000 times per second, etc... You just keep using the resources until they're exhausted preventing anyone else from using that service. With that in mind, doing a 'controlled' DoS is possible, just limit how many connections or attempts to exhaust the resources, and increase it until the service breaks.

Hope this helps...

-----------------------------------------------------------------
Adam Mooz
Adam.Mooz@xxxxxxxxx
http://www.AdamMooz.com

On 2010-03-10, at 6:52 AM, Tibor Kaskoto wrote:

Respected Members,



Is it possible to do a Denial of Service attack in a controlled way, e.g. in
a penetration testing scenario? How can you control/limit the possible
degradation of the client's services? Can you ask the client to corporate in
terms of IDS/IPS alerts, or any sign of service degradation? How can you
measure the success of the test if you are actually not allowed to break
anything? What is the approach to a 99.99% availability requirement network?





Thanks & Regards,





Tibor




------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



Relevant Pages

  • Re: CEPT
    ... Information Assurance Certification Review Board ... Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. ... IACRB CPT and CEPT certs require a full practical examination in order to become certified. ...
    (Pen-Test)
  • Re: web application scanner question
    ... Information Assurance Certification Review ... do a proper penetration test. ... IACRB CPT and CEPT certs require a full ... practical examination in order to become certified. ...
    (Pen-Test)
  • Re: Password Audit (AD Domain hashes)
    ... Information Assurance Certification Review Board ... Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. ... IACRB CPT and CEPT certs require a full practical examination in order to become certified. ...
    (Pen-Test)
  • CEPT
    ... I'm definately not in it for the money, but for the satisfaction of a successfull test. ... Information Assurance Certification Review Board ... Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. ... IACRB CPT and CEPT certs require a full practical examination in order to become certified. ...
    (Pen-Test)
  • RE: Malware URI list
    ... Information Assurance Certification Review Board ... Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. ... IACRB CPT and CEPT certs require a full practical examination in order to become certified. ...
    (Pen-Test)