9.8 DoS/DDoS Penetration Testing
Denial-of-Service (DoS) Attack Penetration Testing
- DoS attacks should be incorporated into pen testing plans to find out whether the network server is susceptible to them.
- DoS pen testing determines the minimum thresholds at which DoS attacks affect a system, but the tester cannot guarantee that the system is resistant to DoS attacks.
- The pen tester floods the target network with traffic, similar to hundreds of people repeatedly requesting the service, in order to check system stability.
- Pen testing results help administrators determine and adopt suitable network perimeter security controls such as load balancers, IDS, IPS, firewalls, etc.
- Test the web server using automated tools such as Webserver Stress Tool and JMeter for load capacity, server-side performance, locks, and other scalability issues.
- Scan the network using automated tools such as Nmap, GFI LanGuard, and Nessus to discover any systems that are vulnerable to DoS attacks.
- Flood the target with connection request packets using tools such as Dirt Jumper DDoS Toolkit, Dereil, HOIC, and DoS HTTP.
- Use a port flooding attack to flood a port and drive up CPU usage by keeping all connection requests to the targeted ports open. Use tools such as LOIC and Moihack Port Flooder to automate a port flooding attack.
- Use tools such as Mail Bomber to send a large number of emails to the target mail server.
- Fill forms with arbitrary and lengthy entries.
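The floods this list describes are what the administrator must be able to see in telemetry before tuning load balancers, IDS/IPS rules or firewall rate limits. As an added example that is not part of the original outline, the following Python script shows the detection side: it parses Common Log Format access-log lines, counts requests per source IP and in total within fixed time windows, and flags both a single-source flood and a distributed flood in which no individual source exceeds the per-IP threshold. The sample log lines, the addresses (taken from documentation ranges) and the window size and thresholds are all constructed assumptions; in practice the thresholds come from the capacity figures a load test establishes.

```python
"""Rate-based flood detection over web server access logs.

Added example, not from the original outline. Parses Common Log Format lines,
counts requests per source IP and in total within fixed time windows, and flags
a single-source flood (one IP over the per-IP threshold) as well as a
distributed flood (aggregate rate over the global threshold while no single IP
stands out). The log lines, addresses and thresholds are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, ts, req, status for a CLF line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def detect_floods(lines, window_seconds=10, per_ip_threshold=50, global_threshold=200):
    """Bucket requests into fixed windows and report windows that look like floods.

    Thresholds are assumed values; in practice they come from the capacity a
    load test established for the service.
    """
    windows = defaultdict(Counter)  # window start (epoch seconds) -> Counter(ip)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole scan
        start = int(rec["ts"].timestamp()) // window_seconds * window_seconds
        windows[start][rec["ip"]] += 1

    findings = []
    for start in sorted(windows):
        counts = windows[start]
        noisy = [(ip, n) for ip, n in counts.items() if n > per_ip_threshold]
        for ip, n in noisy:
            findings.append({"window_start": start, "kind": "single-source", "ip": ip, "count": n})
        total = sum(counts.values())
        # Many low-rate sources adding up to a flood is what per-IP rules miss.
        if not noisy and total > global_threshold:
            findings.append({"window_start": start, "kind": "distributed",
                             "sources": len(counts), "count": total})
    return findings


def build_sample_log():
    """Constructed access log: one quiet window, one single-source flood, one distributed flood."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []

    def emit(ip, offset_s, path="/index.html"):
        ts = base + timedelta(seconds=offset_s)
        lines.append(f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512')

    for i in range(5):            # 0-9 s: five clients, four requests each
        for k in range(4):
            emit(f"10.0.0.{i + 1}", i + k)
    for k in range(120):          # 10-19 s: one source sends 120 requests
        emit("203.0.113.7", 10 + k % 10, "/login")
    for i in range(80):           # 20-29 s: 80 sources, three requests each (240 total)
        for k in range(3):
            emit(f"198.51.100.{i + 1}", 20 + (i + k) % 10)
    return lines


if __name__ == "__main__":
    for finding in detect_floods(build_sample_log()):
        print(finding)
```

Run it as a script to see the two findings, or point `detect_floods` at the lines of a real access log. The per-IP rule alone would report nothing for the third window, which is exactly the gap a distributed flood exploits; the aggregate check is what makes the result useful for sizing rate limits on the load balancer or firewall rather than only blocking one noisy address.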