would this be ethical?

[jinwald12]

Now i know this may seem strange but bare with me. OK ,I’m wondering if this hypothetical situation would fall in the “ethical end of the spectrum”. the scenario is this. your doing a pen test on a large network with a server devoted just to running a IDS. would it be considered ethical to run a Denial of Service Attack to buy time to do the pen test? i know this doesn’t sound probable or smart but would it be ethical?

[UNIX]

Why don’t you ask your client? Though mostly DoS attacks are not welcomed.

[Kev]

If this is a legitimate pentest, then its all about the rules of engagement that you should have clearly defined and agreed upon in advance. This kind of technical consideration has nothing to do about ethics. Its not “cheating” and if the IDS is vulnerable then its vulnerable and needs to be exposed as such by either you being allowed to attack it or at least identity the vulnerability in a well detailed report.

Most will not want you to take down a server if it disrupts the network so that’s why we usually have to be careful when we are doing any kind of exploit.  If its just running IDS and you feel taking it down wont be disruptive and such an attack is defined in writing, then by all means. Btw, just having it written out is not enough. You need to sit down with the powers that be and go over each point to make sure they clearly know what you might do and the possible problems that might occur.  It really doesn’t help you much after the fact to show the fine print in your agreement to the CEO, who never understood it any way, explaining your action if you accidentally knocked out the corporate network.

[jinwald12]

thanks you guys and this wasn’t for a pen test this was a hypothetical question

[bamed]

I think all of the answers above are technically correct, though I would throw in there that if you purposefully bring down a server simply to “buy time” than your motives make it unethical.  If you bring down the server to expose a vulnerability, that’s a whole different situation.  Of course, the client most likely won’t know your motives, and you’d probably get away with it, but it is still my opinion that in the scenario originally described, the pen-tester’s motives were unethical, thus the act would be unethical.

[timmedin]

It all depends on the “rules of engagement”.

From practical experience, I haven’t seen an intentional DoS against productions systems be allowed.

[Author]

Posts