If this is a legitimate pentest, then it's all about the rules of engagement that you should have clearly defined and agreed upon in advance. This kind of technical consideration has nothing to do with ethics. It's not "cheating" and if the IDS is vulnerable then it's vulnerable and needs to be exposed as such by either you being allowed to attack it or at least identify the vulnerability in a well-detailed report.
Most will not want you to take down a server if it disrupts the network so that's why we usually have to be careful when we are doing any kind of exploit. If it's just running IDS and you feel taking it down won't be disruptive and such an attack is defined in writing, then by all means. Btw, just having it written out is not enough. You need to sit down with the powers that be and go over each point to make sure they clearly know what you might do and the possible problems that might occur. It really doesn't help you much after the fact to show the fine print in your agreement to the CEO, who never understood it anyway, explaining your action if you accidentally knocked out the corporate network.
Last edited by Kev on Sat Jan 02, 2010 2:24 pm, edited 1 time in total.