DoS Attack: Testing denial of service during a pentest?

Denial of service attacks (or DoS attacks) are regularly making headlines, as consequences can be important. These attacks aim to make a server, a network infrastructure or an application… unavailable.

DoS Attack, a server and website down

How to protect yourself? You can choose to test your robustness to denial of service attacks as part of a penetration testing.

What are we talking about: DoS attack? DDoS attack?

For a DoS as well as DDoS attack, there are two strategies of attacks:

  • Overloading equipment (bandwidth, firewall, IPS, load balancer, etc.)
  • Targeting a flaw in an application to make it unavailable.

A DoS or DDoS attack can last from some minutes to some days, depending on the resources of the attacker.

The specificity of DDoS attacks is that multiple machines are attacking simultaneously the target. Testing DDoS during a pentest has little interest for the company which has commissioned the audit, as it will always be possible to make inaccessible a service if the necessary resources are devoted to it (it is mainly a question of “means” from the attacking as from the attacked side).

On the contrary, conducting DoS attack tests enables to detect vulnerabilities in the configuration or application layer, for which remediation is possible. The correctives are generally related to the configuration or it might be required to modify a functionality.

What are the risks during a pentest with DoS tests?

In theory, risks are variable: it can go from a drop in performances until a server crash, in the most severe cases.

How to reduce risks during a pentest?

Excluding DoS attack tests would reduce risks during the pentest, but not in the event of a real attack by a malicious person! On the opposite, running DoS attack tests lowers the risks of denial of service attacks against the company. To make the tests acceptable during a security audit, some elements have to be taken into account:

  • Will the pentest be performed on the production environment or a test environment?
    • In case the pentest is run on the production, it is possible to run the DoS tests on the pre-production environment in order to reduce risks.
    • If the whole pentest is run on the production, it is possible to run the DoS tests on specific day/time slots, to limit inconvenience for the users.
  • The communication between the pentest team and the team of the client is crucial: the more reachable and prepared to react quickly the client’s team is, the more it will be possible to limit the impact of a potential impact.
  • Finally, it is to be kept in mind that a pentest carried out properly entails fewer risks than a real attack: there is continuous control of what is done. The DoS attacks are tested gradually: if the target service slows down quickly, no need to exaggerate the tests.
    Moreover, a test that would result in a denial of service is stopped immediately after having reached this point. This allows the service to finish its processing and the service would be inaccessible for only a minimal time.

Which types of DoS tests are conducted?

Vaadata tests common denial of service attacks, such as session saturation or packet flooding, and application denial, related to a functionality of the solution tested. For more information on this, the simplest is to contact us.

To conclude, you can test the resistance of a system or a platform to denial of service attacks during a security audit, and it is a choice that we recommend if the continuity of service is an important challenge for your business. The DoS tests enable to identify concrete improvements that are depending on you and not on your hosting.

To receive other articles: click here