would this be ethical?

Viewing 5 reply threads
  • Author
    Posts
    • #4527
      jinwald12
      Participant

      Now i know this may seem strange but bare with me. OK ,I’m wondering if this hypothetical situation would fall in the “ethical end of the spectrum”. the scenario is this. your doing a pen test on a large network with a server devoted just to running a IDS. would it be considered ethical to run a Denial of Service Attack to buy time to do the pen test? i know this doesn’t sound probable or smart but would it be ethical?

    • #28316
      UNIX
      Participant

      Why don’t you ask your client? Though mostly DoS attacks are not welcomed.

    • #28317
      Kev
      Participant

      If this is a legitimate pentest, then its all about the rules of engagement that you should have clearly defined and agreed upon in advance. This kind of technical consideration has nothing to do about ethics. Its not “cheating” and if the IDS is vulnerable then its vulnerable and needs to be exposed as such by either you being allowed to attack it or at least identity the vulnerability in a well detailed report.

      Most will not want you to take down a server if it disrupts the network so that’s why we usually have to be careful when we are doing any kind of exploit.  If its just running IDS and you feel taking it down wont be disruptive and such an attack is defined in writing, then by all means. Btw, just having it written out is not enough. You need to sit down with the powers that be and go over each point to make sure they clearly know what you might do and the possible problems that might occur.  It really doesn’t help you much after the fact to show the fine print in your agreement to the CEO, who never understood it any way, explaining your action if you accidentally knocked out the corporate network.

    • #28318
      jinwald12
      Participant

      thanks you guys and this wasn’t for a pen test this was a hypothetical question

    • #28319
      bamed
      Participant

      I think all of the answers above are technically correct, though I would throw in there that if you purposefully bring down a server simply to “buy time” than your motives make it unethical.  If you bring down the server to expose a vulnerability, that’s a whole different situation.  Of course, the client most likely won’t know your motives, and you’d probably get away with it, but it is still my opinion that in the scenario originally described, the pen-tester’s motives were unethical, thus the act would be unethical.

    • #28320
      timmedin
      Participant

      It all depends on the “rules of engagement”.

      From practical experience, I haven’t seen an intentional DoS against productions systems be allowed.

Viewing 5 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?