DDoS testing: top five questions answered

Find answers to the top five questions about DDoS testing to understand its essence, value and collateral legal issues.

Security specialists have never placed DDoS testing high on the IT agenda, choosing between vulnerability assessment and penetration testing. However, things change. According to a Nexus Guard Threat Report, DDoS attack frequency increased 380% in Q1 2017. As a result, DDoS testing draws more and more attention of both IS professionals and their customers. Still, if you are not sure whether you need DDoS testing along with regular security testing, this article will help you to make the right decision. We answer the top 5 questions about DDoS testing explaining its purpose, value and potential pitfalls.

What is DDoS testing?

DDoS stands for “Distributed Denial of Service.” A DDoS attack is an attempt to render an online service unavailable by overwhelming it with traffic from multiple distributed sources. So, DDoS testing is a legitimate way to inspect the target network’s defense posture against such attacks via DDoS simulation.

Who needs DDoS testing most?

The need for DDoS testing depends heavily on how much your business relies on the online systems. If your organization must maintain 24/7 online presence, this type of security assessment is essential. The number of such businesses continues to mount up, as, according to Google 97% of consumers search for local businesses on the internet. Evidently, companies will flood the providers of information security services with DDoS testing requests.

Why perform DDoS testing?

What might happen to an online business if DDoS testing is not an item on its IT budget? When an actual attack happens, the company will have to adjust DDoS mitigation systems in an emergency mode. At best, they will cope with the attack within minutes, although it still will result in lost revenues. At worst, the DDoS attack will lead to substantial downtime and the loss of business opportunities.

Back in the 1990s, DDoS attacks intended merely to cut off the availability of an IT system or service. Today, DDoS has become a part of an APT (Advanced persistent threat). Hackers employ a killer combination of client-side exploits and DDoS attacks to penetrate networks and steal data. They use a DDoS attack as a distraction, as it happened to Sony in May 2011. While the company was trying to mitigate the consequences of a DDoS attack, it failed to detect the theft of more than 100 million customer records. A similar case happened to TalkTalk, a UK Telecom company. In October 2015, the company’s share price went down by 22% within a week. Such a drastic fall was caused by a cyberattack involving a theft of customer account information with a simultaneous DDoS attack on TalkTalk’s network services. The two companies suffered financial, as well as reputational losses, which could have been minimized if they had scheduled routine DDoS testing.

Due to the use of DDoS techniques in APT attacks, security experts advise combining penetration testing with DDoS testing. Penetration testing shows whether an attacker can exploit your network to gain access to the data. DDoS testing, in its turn, aims to render your network systems unavailable and check how much workload they can handle. The two types of security testing can be performed independently or simultaneously (as it is described in this case study, where penetration testing techniques are combined with attacks on a DNS server). In the latter case, penetration testing engineers may simulate an APT attack employing a DDoS attack as a distraction.

How is DDoS testing performed?

The very process of penetration testing can be divided into three stages: planning, controlled DDoS attacking, and reporting.

1. Planning

The purpose of this stage is to schedule the test, introduce a DDoS testing vendor to the structure of the customer’s network, define the targets and clear out all technical issues.

2. Attacking

A DDoS attack may target DNS servers, application servers, routers, firewalls and internet bandwidth. DDoS testing engineers employ a coordinated group of botnets sending traffic to the target to bring the system down.

Ethical Hacking Training – Resources (InfoSec)

Typically, DDoS testing lasts up to 90 minutes, which, of course, can vary, depending on the size of the network and other limitations. This time usually is enough to perform the tests.

DDoS testing combines the attacks of different intensity levels: low, medium and high. The intensity can be measured in pps (packets per second) or bps (bits per second)

Low-intensity attacks are designed to check if network monitoring systems can detect abnormal traffic patterns. Mid-intensity attacks demonstrate how the network’s resources are consumed with the intensity increase. High-intensity attacks are designed to detect vulnerable devices and applications in the customer’s network and estimate the exact size of an attack to render the network inoperable.

3. Reporting

At the final stage of DDoS testing, the customer gets a report that outlines the overall effectiveness of the existing DDoS mitigation measures, identified vulnerabilities, and recommendations on how to patch them.

What can go wrong with DDoS testing?

Before the test, companies should pay attention to the following issues that may land them in legal hot water.

  • Third party notification

Today, shared physical infrastructure (VLANs, VPNs, virtual servers, and clouds) becomes more and more common. Errors and misconfigurations during DDoS testing may cause the so-called collateral damage. This means that the testing procedure impaired third-party services running on the same network. Effective DDoS testing comprises a set of real-world attack scenarios, so customers should bear in mind that it may cause shutting down of all critical network services, irrespective of the owner. So, the company should first clearly state the elements of the network infrastructure under their authority. Then, they should notify all the network neighbors, the ISP (Internet Service Provider) or hosting company about the upcoming DDoS testing, as well as the MSSP (Managed Security Service Provider) in case they outsource DDoS mitigation. In the latter case, the MSSP may incur extra charges for conducting DDoS testing with another vendor.

  • Location of the vendor’s servers to launch the DDoS attack

To make DDoS testing closer to real-life attacks, the service providers distribute their servers (botnets) globally. It helps to check the effectiveness of filtering servers and security team’s attack response. This is another legal issue to be checked, as launching DDoS attacks is illegal in many parts of the world. So, apart from the guarantees that the attack vectors will be launched from dedicated servers with no compromised hosts, DDoS testing vendors should provide all the necessary documents testifying that the botnet’s geographical areas are legal.

On a final note

DDoS attacks proliferate at a high rate, and the trend does not seem to reverse. DDoS testing will enable your security team to estimate the potential damage these attacks may bring to the company’s network, detect vulnerable spots in DDoS mitigation system and understand how much time the security response to the attack will take. This information will help to strengthen the company’s security posture and minimize the downtime should a real DDoS attack happen.