Denial of Service Testing


Introduction

Denial of Service (DoS) and Distributed Denial of Service (DDoS) are a prevalent class of attacks that disrupt access to targeted applications or network infrastructure.

Unlike volumetric DoS attacks, application-layer DoS attacks are generally more targeted, and potentially harder to detect and mitigate quickly. This is primarily because application-layer DoS attacks do not usually rely on the large volume of traffic commonly associated with conventional DoS attacks.

While DDoS mitigation services like Cloudflare are essential for defending against volumetric attacks, they may not always be effective at preventing targeted application-layer DoS. For this reason, organisations operating Internet-facing mission-critical or latency-sensitive applications should be rigorously testing their application-layer defences to validate and improve their DDoS mitigation strategy.

What do we cover?

Defending against application-layer DoS threats requires comprehensive DoS testing tailored specifically towards your applications, services and business goals.

The following are some common targets for Denial of Service testing we carry out for our customers:

  • HTTP-based services and RESTful API endpoints
  • WebSocket servers, especially those part of a WebRTC infrastructure
  • SIP-based systems such as phone systems, SIP trunks and SIP proxies
  • UDP-based protocols/systems
  • Custom and proprietary protocols

The following are some of the techniques that are typically employed in a tailored Denial of Service test:

  • Low and Slow (Slowloris style) DoS attacks
  • Large message attacks
  • Mutational fuzzing to find unexpected requests which lead to DoS
  • Distributed Denial of Service (DDoS) attacks
  • Socket exhaustion attacks
  • Memory leak abuses
  • CPU intensive attacks
  • Disk space exhaustion attacks
  • Decompression DoS attacks
  • XML entity expansion DoS (billion laughs style attack)
  • Regular expression DoS (ReDoS)

What does the process look like?

Most of our engagements follow these steps:

  1. You contact us, and we discuss what you have in mind to identify the goals and scope of the exercise
  2. With your help, we perform a scoping exercise to better understand the size of the project
  3. We provide you with our proposal, which describes the goals, scope, methodology, deliverables, dates allocated for the project, terms and conditions, and the price
  4. The actual work takes place during the allocated dates; your IT staff involved in the project often need to be available during the tests
  5. Upon completing our work, we provide you with our technical and executive reports in addition to any other deliverables
  6. Testing of the security fixes finally takes place, and the reports are updated to reflect results from the retest

What are the deliverables?

At the end of the project, we provide the following:

  • Executive report, which is an easy-to-follow 4-page document that includes:
    • information about the penetration test
    • list of the findings rated by severity
    • a summary of the results, giving our honest impression of the system
    • our suggestions on what needs to be done to address the vulnerabilities found and prevent similar ones in the future
  • Detailed technical report, which includes the following sections:
    • Introduction, which describes the scope, methodology and purpose of the work
    • Findings and recommendations, each categorized according to vulnerability severity
    • Methodology, which describes our tests to explain what was covered and how; this would include both tests that led to vulnerability discoveries, and also those that did not
  • Other material is often provided such as:
    • Dedicated exploit code and tools to reproduce the security issues found
    • Conference calls and online chats to brief the involved executives and technical teams on our findings
    • Assistance with addressing the vulnerabilities found
    • Follow-up tests once security fixes have been applied

What costs can one expect?

Cost depends on the size and complexity of the system under test and the level of rigour with which testing is to be performed. This is determined through pre-sale client discussions and scoping questionnaires. The price of an engagement is delivered as a fixed-bid quote.

Get in touch