- This topic has 5 replies, 5 voices, and was last updated 11 years, 1 month ago by
timmedin.
-
AuthorPosts
-
-
January 2, 2010 at 6:50 pm #4527
jinwald12
ParticipantNow i know this may seem strange but bare with me. OK ,I’m wondering if this hypothetical situation would fall in the “ethical end of the spectrum”. the scenario is this. your doing a pen test on a large network with a server devoted just to running a IDS. would it be considered ethical to run a Denial of Service Attack to buy time to do the pen test? i know this doesn’t sound probable or smart but would it be ethical?
-
January 2, 2010 at 7:10 pm #28316
UNIX
ParticipantWhy don’t you ask your client? Though mostly DoS attacks are not welcomed.
-
January 2, 2010 at 7:20 pm #28317
Kev
ParticipantIf this is a legitimate pentest, then its all about the rules of engagement that you should have clearly defined and agreed upon in advance. This kind of technical consideration has nothing to do about ethics. Its not “cheating” and if the IDS is vulnerable then its vulnerable and needs to be exposed as such by either you being allowed to attack it or at least identity the vulnerability in a well detailed report.
Most will not want you to take down a server if it disrupts the network so that’s why we usually have to be careful when we are doing any kind of exploit. If its just running IDS and you feel taking it down wont be disruptive and such an attack is defined in writing, then by all means. Btw, just having it written out is not enough. You need to sit down with the powers that be and go over each point to make sure they clearly know what you might do and the possible problems that might occur. It really doesn’t help you much after the fact to show the fine print in your agreement to the CEO, who never understood it any way, explaining your action if you accidentally knocked out the corporate network.
-
January 3, 2010 at 3:13 am #28318
jinwald12
Participantthanks you guys and this wasn’t for a pen test this was a hypothetical question
-
January 14, 2010 at 4:55 am #28319
bamed
ParticipantI think all of the answers above are technically correct, though I would throw in there that if you purposefully bring down a server simply to “buy time” than your motives make it unethical. If you bring down the server to expose a vulnerability, that’s a whole different situation. Of course, the client most likely won’t know your motives, and you’d probably get away with it, but it is still my opinion that in the scenario originally described, the pen-tester’s motives were unethical, thus the act would be unethical.
-
February 1, 2010 at 2:25 am #28320
timmedin
ParticipantIt all depends on the “rules of engagement”.
From practical experience, I haven’t seen an intentional DoS against productions systems be allowed.
-
-
AuthorPosts
- You must be logged in to reply to this topic.