would this be ethical?

This topic contains 5 replies, has 5 voices, and was last updated by  timmedin 9 years, 9 months ago.

  • Author
    Posts
  • #4527
     jinwald12 
    Participant

    Now i know this may seem strange but bare with me. OK ,I’m wondering if this hypothetical situation would fall in the “ethical end of the spectrum”. the scenario is this. your doing a pen test on a large network with a server devoted just to running a IDS. would it be considered ethical to run a Denial of Service Attack to buy time to do the pen test? i know this doesn’t sound probable or smart but would it be ethical?

  • #28316
     UNIX 
    Participant

    Why don’t you ask your client? Though mostly DoS attacks are not welcomed.

  • #28317
     Kev 
    Participant

    If this is a legitimate pentest, then its all about the rules of engagement that you should have clearly defined and agreed upon in advance. This kind of technical consideration has nothing to do about ethics. Its not “cheating” and if the IDS is vulnerable then its vulnerable and needs to be exposed as such by either you being allowed to attack it or at least identity the vulnerability in a well detailed report.

    Most will not want you to take down a server if it disrupts the network so that’s why we usually have to be careful when we are doing any kind of exploit.  If its just running IDS and you feel taking it down wont be disruptive and such an attack is defined in writing, then by all means. Btw, just having it written out is not enough. You need to sit down with the powers that be and go over each point to make sure they clearly know what you might do and the possible problems that might occur.  It really doesn’t help you much after the fact to show the fine print in your agreement to the CEO, who never understood it any way, explaining your action if you accidentally knocked out the corporate network.

  • #28318
     jinwald12 
    Participant

    thanks you guys and this wasn’t for a pen test this was a hypothetical question

  • #28319
     bamed 
    Participant

    I think all of the answers above are technically correct, though I would throw in there that if you purposefully bring down a server simply to “buy time” than your motives make it unethical.  If you bring down the server to expose a vulnerability, that’s a whole different situation.  Of course, the client most likely won’t know your motives, and you’d probably get away with it, but it is still my opinion that in the scenario originally described, the pen-tester’s motives were unethical, thus the act would be unethical.

  • #28320
     timmedin 
    Participant

    It all depends on the “rules of engagement”.

    From practical experience, I haven’t seen an intentional DoS against productions systems be allowed.

You must be logged in to reply to this topic.

Copyright ©2019 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?