My client wants to look into hiring a third party to perform penetration tests on the website that we're developing for them. The website is just a simple 3-month contest site where people can upload their photos, and the photos are judged by moderators for a winner. The site will be hosted on a Rackspace Cloud Server (virtual server). Their main concern, for whatever reason, is DDoS attacks. They asked that we find someone to do penetration testing for the site (manual, i.e., not the automated kind).

My hunch is that penetration testing doesn't do much good against DDOS attacks. Is a penetration test overkill in this situation?

Ben Davis

  • I'm curious why your client is worried about DDoS attacks. Is there a controversial aspect to the site? Is it likely to attract unwanted attention? Have they had this happen to them before or are they just paranoid after reading all the "Internet is doooooomed!" articles about Spamhaus and Cyberbunker recently? – Ladadadada Apr 03 '13 at 21:12
  • @Ladadadada Agreed, it very much sounds like they don't have a clue what they are talking about but have read the 'doom and gloom' stories out there. – Ryan Apr 03 '13 at 22:38
  • My biggest fear of a DDoS attack on a site hosted by Rackspace Cloud or Amazon's cloud wouldn't be that the site would go down, but the bill that such an attack would rack up; it could get very, very expensive. I would think it would be easy to blow several grand doing a load test on one of these services; after all, they are designed to scale very well, and they do. – stoj Apr 03 '13 at 23:01
  • DDoS and penetration are different things. – Havenard Apr 04 '13 at 00:28
  • Sorry, I missed the replies on this. I didn't have my notifications turned on. To answer the first comment, the client is in an industry that is frequently targeted. Apparently they've experienced a DDoS attack in the past. – Ben Davis Apr 12 '13 at 16:13

5 Answers

If your customer is concerned about DDoS then a standard Pen. test isn't the route to go. Leaving aside the question of whether it's a valid concern, one approach would be to look at doing load testing on the site. There are companies who will perform load testing to see how much traffic the site/server can handle before becoming unavailable. This would give you an idea of how it will react to heavy load. Obviously if you do that sort of testing, you should inform and get approval from Rackspace, so they don't misinterpret it as an attack. :)

That said, some DDoS attacks don't follow similar patterns to standard traffic (e.g. attacks which use DNS amplification). If that's a serious concern I'd recommend looking at DDoS protection services (e.g. CloudFlare/Akamai) as realistically there's not a lot you can do about that kind of thing at the server or even potentially the ISP level in the case of large attacks.

Rory McCune

  • To say that you can't do much at the ISP level is wrong, or at least depends on the ISP. Our ISP has several times blocked large DNS amplification attacks pointed at us, at their border routers. Very effective. – sk0yern Apr 04 '13 at 09:36
  • Sure, for some ISPs and some levels of DDoS attack; it's all relative. If you look at the recent ones that Spamhaus got, it seemed from the articles that any one ISP would have trouble handling that. – Rory McCune Apr 04 '13 at 15:10
If DDoS attacks are the concern, then penetration tests will not help to prevent or detect them.

DDoS attacks, for the most part, do not do more damage than preventing users from accessing the website/service/etc. A DDoS can usually be seen when requests continuously flood the server faster than the server can respond. To prevent DDoS attacks, you would need to put in place some sort of monitoring system that will raise alarms if too many requests from a given IP are being received. In a nutshell.

That being said, for a 3-month contest site, I do not see why someone would want to disrupt the website, and penetration testing is always good to perform.

drunkenRabbit

  • I'd be more worried about hijacking the site & contest results than DoS, myself. Though DoSing a site at a critical point in the contest could have similarly significant impacts. – Iszi Apr 03 '13 at 20:16
  • True. DDoS attacks could have horrible effects on the contest if users cannot upload / view / access the site. Definitely worth putting security measures in place if there is a possible threat or concern. – drunkenRabbit Apr 04 '13 at 15:23
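The "raise an alarm when too many requests arrive from one IP" monitoring described in the answer above, as an added example that is not part of any post on this page: a per-source sliding-window rate check run over constructed Common Log Format lines (the addresses are RFC 5737 documentation ranges, the threshold and window are assumed values you would tune to the site's real traffic).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: ip - - [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3}')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (client_ip, datetime) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)

def flood_alerts(lines, window_seconds=10, threshold=5):
    """Return {ip: peak_requests_in_window} for IPs that made more than
    `threshold` requests inside any `window_seconds` span. Assumes each
    source's lines appear in the order the server wrote them."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:       # skip malformed or truncated lines
            continue
        ip, ts = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(window))
    return offenders

def _clf(ip, second, path):
    return f'{ip} - - [03/Apr/2013:20:10:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'

# Constructed sample log (RFC 5737 documentation addresses, not real traffic):
# one source hits /upload 12 times in 6 seconds, another browses normally.
SAMPLE_LOG = (
    [_clf("203.0.113.7", s // 2, "/upload") for s in range(12)]
    + [_clf("198.51.100.9", s * 15, "/gallery") for s in range(3)]
    + ["this line is not a log entry"]
)

if __name__ == "__main__":
    for ip, peak in flood_alerts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {peak} requests within 10 s")
```

A per-IP check like this only catches single noisy sources; a distributed flood from thousands of addresses stays under the threshold per IP, which is why the other answers point at upstream filtering services rather than host-side monitoring.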
In this specific situation, I wouldn't just say it's not good; I'd even recommend not doing it.

DDoS attacks require a large number of attackers, and in your case, your client would be effectively paying someone to attack Rackspace's servers. Bad idea.

For more information about DDoS attacks, check this answer that illustrates the nature of the attack.

Adi

  • -1 Why in the world would you think that companies that perform load-testing do so using illegal botnets? – BlueRaja - Danny Pflughoeft Apr 03 '13 at 22:36
  • @BlueRaja-DannyPflughoeft You're correct. The way I presented the answer wasn't optimal. I've edited out the controversial part of the answer. Thanks for bringing this to my attention. – Adi Apr 03 '13 at 22:59
Security is nearly always a tradeoff. As the value assigned to security goes up, some other value goes down.

The first value you usually notice is profit. The more you spend on security the more security you get but the less profit you end up with.

Before spending any significant money on security (and remember, time is money), you should try some risk analysis.

Determine what X minutes of downtime would cost your clients. Determine what a complete server compromise or a partial compromise (such as a read-only database dump) would cost. These costs might include loss of reputation that extends beyond this three month promotion.

The next step is somewhat more difficult to get accurate numbers for. Try to guess how likely any of the above scenarios are. Talk to your clients about this because they may have received threats or extortion attempts that should be factored in to your guesses. You should probably include downtime due to non-malicious DDoS (otherwise known as going viral) because the mitigation strategy is similar and the fact that you are down just as you should be making the most money is particularly painful.

Once you know your expected losses, you can spend money and time trying to mitigate them.

DDoS and penetration testing are completely different things. For DDoS protection, the most sensible thing to do is to use a service designed to stop it. Companies like Verisign and Prolexic have services that do nothing for you apart from filter DDoS attacks. Companies like CloudFlare have a service that does caching and CDN distribution which makes your site faster and gives it more capacity, and also happens to include DDoS protection.

There are two things to do to prepare for compromise attempts:

  1. Secure your site as much as possible.
  2. Prepare for what should happen if/when you do get compromised.

You absolutely should try to do some simple penetration testing yourself. Grab one of the free automated web scanners and run it across your site before it goes live. This will find the easy vulnerabilities and allow you to fix them yourself before employing the services of the third-party penetration testers (if you determined they are worth the cost). They should find more than what the automated scanners did.

To prepare for a compromise, you should have:

  1. Enough monitoring to determine that you have been compromised. AIDE/Tripwire/OSSEC are good tools for this.
  2. Regular backups and a tested plan for how to re-install from them. It's important to test your backups. I can't tell you how many times I've seen the first test-restore-from-backup attempt fail.
  3. Enough logging to determine how the intruder got in. You have to know this and fix the vulnerability or he'll just get straight back in.
  4. Potentially spare machines that can be swapped in when the main one gets compromised. Sometimes you don't want to wipe the compromised machines because they hold the evidence of how you were compromised but you can't leave them online and you must keep the site up. That's what the spare machines are for.
Ladadadada
A penetration test won't help with DDoS resilience, because, to put it simply, DDoS doesn't penetrate your site. A pen test is all about finding ways to overcome your site's security, while a DDoS simply overwhelms your site's capacity. To see how you'll fare against a DDoS attack, you need to do load testing, not penetration testing. Rackspace themselves actually have an article on load testing. If you do decide to load-test, you'll want to check with Rackspace that you're allowed to do that; it's technically a DDoS in itself, which is obviously against terms of service and stuff, so be sure to read that fine print.

anaximander