"Testing leads to failure, and failure leads to understanding."
HOW PREPARED ARE YOU FOR A DDoS ATTACK?
FIND OUT WITH OUR EXPERT, FULLY CONTROLLED, REAL-WORLD SIMULATION. TALK TO US
In our everyday dealings with clients, we have encountered a number of cases where DDoS Stress Testing can be crucial in either choosing the right solution or simply finding out what is wrong with existing ones. Below are some examples of real world situations, in which we have been able to help. Get in touch with us to find out more or to discuss your needs.
TOP COMMERCIAL BANK
DDoS PROTECTION VENDOR TEST
The Bank had decided to test a number of vendors in order to choose the most appropriate DDoS Mitigation solution for their needs.
We prepared and executed an extensive test scenario with distributed international traffic to stress test the vendors' PoC deployments at magnitudes of around 40 Gbit/s on both the transport and application layers.
Stress testing the PoC deployments revealed that not all vendors are equal; in the end, the vendor and solution best suited to the Bank's needs were selected.
RECURRING APTITUDE TESTING
This Telco had started bundling DDoS protection with its internet provision service and wanted to ensure that the protection kept up with the ever-changing attack threat landscape.
We started regular, monthly stress testing of the solution to ensure just that: end clients stay protected against the newest attack vectors.
The resulting higher level of preparedness not only increased customer loyalty but also brought in new clients. As far as DDoS protection is concerned, the Telco is now ready for its regular yearly external audit at any time.
FAILED SOLUTION CHECK
Despite an already deployed DDoS protection solution, this e-commerce player suffered a successful attack and set out to find out why. The protection vendor wanted to know the hows and whys as well.
By deploying an extensive multi-gigabit attack scenario, we were able to replicate the conditions under which the solution caved in.
The test report revealed weaknesses in both the solution's configuration and the network architecture. Remedial measures were taken so that the DDoS mitigation solution could perform at its best.
ONLINE BETTING PORTAL
HIGH LOAD RESILIENCY TEST
Under the load generated by multiplayer contests, with hard-to-manage traffic peaks caused by prominent sporting events, this betting portal was experiencing intermittent availability issues that led to reputational and monetary loss.
We prepared a specific high load stress test that revealed minor, yet damaging, flaws in the production software stack used for online betting.
Post remedy, it was decided to integrate regular high load testing into every subsequent production release to ensure uninterrupted service in the future.
DDoS Stress Testing is a service designed to assess an organization’s preparedness for various DDoS attack scenarios and flood magnitudes.
The controlled tests are carried out against your IT infrastructure, at a prescheduled time and with real-time online support.
The result is a comprehensive report indicating network and server weaknesses as well as recommendations on implementing an effective DDoS mitigation solution.
DDoS is a devastating network attack weapon that is both cheap and effective. Performing DDoS simulations will help you achieve the following:
Address infrastructure and misconfiguration issues before attacks happen
Enhance incident response procedures
Understand how to control your DDoS mitigation solution to be most effective
Harden assets to be more resilient to DDoS attacks
Help you evaluate a mitigation vendor's strengths and weaknesses
Prevent panic when attacks do occur
The process starts with a verification and customization procedure. Real-time DDoS attack vectors are pointed at the organization’s IT public-facing infrastructure from the outside (real-life scenario) or in a closed environment (on-premise simulation).
DDoS attack simulations are carried out on all applicable layers of the OSI model in a fine-grained, controlled manner, with a "Stop" capability available at all times.
The process is supervised by a member of the service provider's support team and a representative of the tested organization.
PLACE IN THE SECURITY PROCESS
Confidentiality, integrity, and availability, also known as the CIA triad (or the AIC triad, for those wanting to avoid association with a certain intelligence agency), are at the heart of Information Security, working together to make sure your data and systems remain secure. It is wrong to assume that one part of the triad is more important than another. Every IT system will require a different prioritization of the three, depending on the data, the user community, and the timeliness required for accessing the data. The opposing forces to the three triad concepts are disclosure, alteration, and destruction: disclosure is the unauthorized disclosure of information, alteration is the unauthorized modification of data, and destruction is making data or systems unavailable.
AVAILABILITY keeps information available when needed. All systems must be usable (available) for business-as-usual operation. The typical availability attacks are Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, whose aim is to deny the service (i.e. the availability) of a system. Being prepared, and knowing where your systems are weak against DDoS attacks, requires stress testing.
COVERAGE OF STRESS TESTING
Determining the readiness of your organization's IT infrastructure for DDoS attacks through stress testing must include all known attack vectors and possible sources. DDoS today is cheap and effective, thus the following characteristics of the testing method and approach must be in place:
- Attack vectors simulating floods generated by real known botnets
- Volumetric attacks with unlimited size and adjustable increments
- Service-centric selection of floods on Application layer
- Flexible attack timing and combined vector capability
The attack scope is very important and must (i) be able to show at least the fundamental weaknesses of the target servers and (ii) comply with your security policies and strategy.
We have the expertise and capacity to employ a wide variety of attack vectors, including, but not limited to: various HTTP/HTTPS methods and combinations (GET, POST, HEAD, PUT, DELETE, TRACE, CONNECT, OPTIONS, PATCH, etc.), various attacks on the WebDAV protocol, SYN-ACK Floods, ACK or ACK-PUSH Floods, Fragmented ACK Floods, RST/FIN Floods, Same Source/Destination Floods (LAND Attack), Fake Session Attacks, UDP Floods, UDP Fragmentation, ICMP Floods, ICMP Fragmentation Floods, Ping Floods, TOS Floods, IP NULL/TCP NULL Attacks, Smurf/Fraggle Attacks, DNS Floods, NTP Floods, various Amplified (Reflective) attacks, Slow Session Attacks, Slow Read Attacks, Slowloris, HTTP Fragmentation, various types of Excessive Verb (HTTP/HTTPS GET Flood), Excessive Verb - Single Session, Multiple Verb - Single Request, Recursive GET, Random Recursive GET, various Specially Crafted Packets, etc.
INTERNAL vs. EXTERNAL TESTING
In order to establish perimeter resilience to DDoS attacks, from a Risk Management point of view, a proper identification and listing of the assets under threat is required, followed by an assessment of the critical assets' vulnerability. Generally, DDoS stress testing is performed either externally or internally.
As the name suggests, the EXTERNAL approach simulates a DDoS attack by deploying resources that are very close in nature to a real-life attack, i.e. originating from the Internet. The attacking "botnet" is simulated from a stress testing cloud platform. The maximum volume of the simulated test attacks must be discussed with the client and agreed upon prior to starting the tests. A typical topology for external tests consists of the cloud attack platform, the client's public-facing targets, and a sample legitimate client (a machine used to perform availability tests against the targets while the floods are running).
In contrast to external testing, INTERNAL DDoS STRESS TESTING means performing the simulation from a location within the perimeter of the client's network. Flood traffic is generated internally and pointed at resources which are usually part of a purpose-built test environment. In a typical topology for internal testing, the Internet is replaced by a local network that includes the flood generator, segregated test targets, and a simulated legitimate client PC.
IMPORTANT: When performing DDoS stress testing, it is imperative that a detailed test plan is made available in advance and pre-approved by all parties involved. All tests must be performed in stages, with every stage lasting long enough to perform availability tests and to measure an approximate download speed from the target server by connecting to it from the simulated client PC. Tests must be designed in such a way that they can be stopped at any time and at any stage on the client's request. It is highly recommended not to perform tests on production environments, as their behaviour and possible aftereffects depend on the specific target server settings.
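The staged procedure above is easy to get wrong in practice: escalating to the next stage without first confirming that a legitimate client can still reach the target turns a controlled test into an outage. The following is an added example of the measuring side of such a test, written for this page and not the service's own tooling; the flood generator itself is deliberately left out. A simulated legitimate client probes the target during each stage, records availability and approximate download speed, and the run halts at the first stage where service degrades below agreed thresholds or when the client's representative requests a stop. The stage magnitudes, thresholds, the probe URL and the simulated target behaviour are all assumptions constructed for the example.

```python
"""Legitimate-client monitor for a staged DDoS stress test (added example)."""
import statistics
import time
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class ProbeResult:
    ok: bool              # the request completed without error
    latency_ms: float     # time until response headers arrived
    bytes_received: int
    elapsed_s: float      # total transfer time

    @property
    def throughput_mbps(self) -> float:
        """Approximate download speed seen by the legitimate client."""
        return 0.0 if self.elapsed_s <= 0 else self.bytes_received * 8 / self.elapsed_s / 1e6


@dataclass
class StageReport:
    stage: int
    magnitude_mbps: int          # flood magnitude applied during this stage
    probes: List[ProbeResult]

    @property
    def availability(self) -> float:
        return sum(p.ok for p in self.probes) / len(self.probes) if self.probes else 0.0

    @property
    def median_throughput_mbps(self) -> float:
        ok = [p.throughput_mbps for p in self.probes if p.ok]
        return statistics.median(ok) if ok else 0.0


def http_probe(url: str, timeout: float = 5.0) -> ProbeResult:
    """One real fetch from the legitimate-client machine (url is an assumption).
    Any exception (timeout, reset, HTTP error) counts as a failed probe."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            headers_at = time.monotonic()
            body = resp.read()
            end = time.monotonic()
        return ProbeResult(True, (headers_at - start) * 1000, len(body), end - start)
    except Exception:
        end = time.monotonic()
        return ProbeResult(False, (end - start) * 1000, 0, end - start)


def simulated_probe(magnitude_mbps: int) -> ProbeResult:
    """Constructed stand-in for http_probe with no network: the pretend target
    serves a 1 MiB page normally below 2 Gbit/s of flood, crawls between
    2 and 5 Gbit/s, and stops answering above that."""
    if magnitude_mbps < 2000:
        return ProbeResult(True, 20.0, 1_048_576, 0.8)    # ~10.5 Mbit/s download
    if magnitude_mbps < 5000:
        return ProbeResult(True, 400.0, 1_048_576, 20.0)  # ~0.42 Mbit/s download
    return ProbeResult(False, 5000.0, 0, 5.0)             # timeout


def run_staged_test(
    stage_magnitudes_mbps: List[int],
    probe: Callable[[int], ProbeResult],
    probes_per_stage: int = 5,
    min_availability: float = 0.8,
    min_throughput_mbps: float = 1.0,
    stop_requested: Callable[[], bool] = lambda: False,
) -> Tuple[List[StageReport], Optional[str]]:
    """Run stages in ascending magnitude and return (reports, reason the run ended).
    None as the reason means every planned stage passed both thresholds."""
    reports: List[StageReport] = []
    for i, magnitude in enumerate(sorted(stage_magnitudes_mbps), start=1):
        # The flood generator would be set to `magnitude` here; only measurement is shown.
        probes: List[ProbeResult] = []
        for _ in range(probes_per_stage):
            if stop_requested():
                # "Stop" capability: the client's representative may abort at any point.
                if probes:
                    reports.append(StageReport(i, magnitude, probes))
                return reports, f"stopped on request during stage {i} ({magnitude} Mbit/s)"
            probes.append(probe(magnitude))
        report = StageReport(i, magnitude, probes)
        reports.append(report)
        # Do not escalate past the first stage where legitimate service already degrades.
        if report.availability < min_availability:
            return reports, (f"availability {report.availability:.0%} below "
                             f"{min_availability:.0%} at {magnitude} Mbit/s")
        if report.median_throughput_mbps < min_throughput_mbps:
            return reports, (f"download speed {report.median_throughput_mbps:.2f} Mbit/s "
                             f"below {min_throughput_mbps} Mbit/s at {magnitude} Mbit/s")
    return reports, None


if __name__ == "__main__":
    planned_stages = [500, 1000, 2000, 5000, 10000]  # assumed plan agreed with the client
    results, reason = run_staged_test(planned_stages, simulated_probe)
    for r in results:
        print(f"stage {r.stage}: {r.magnitude_mbps:>6} Mbit/s  availability {r.availability:.0%}  "
              f"median download {r.median_throughput_mbps:.2f} Mbit/s")
    print("run ended:", reason or "all stages passed")
```

For a live external test, pass `lambda m: http_probe("https://target.example/healthcheck")` as the probe and wire `stop_requested` to whatever the supervising representative can trigger (a file flag, a key press, a chat command); the download-speed threshold should come from a baseline measured before any flood is started, not from a guess.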
TALK TO US
For organizations dependent on online presence, it is essential to not only be protected, but also know how well they are protected. By employing our DDoS simulation services, you will:
- Know what your resiliency thresholds and weaknesses are
- Improve your chances to withstand an otherwise devastating DDoS attack
- Receive a report containing the discovered weaknesses and recommendations
- Be thoroughly prepared and react calmly and professionally under DDoS attacks
Seven Security Group has the ability to simulate over 100 different DDoS test attack variants that broadly fall into the following attack categories:
- Volumetric - measured in Megabits/sec and/or Packets/sec
- Connection - measured in number of connections
- Application - measured in requests/sec and concurrency.
Based on your preferences, testing can be performed on two levels, both completely customizable to your organization's specifics:
1. Basic testing - involves launching a series of predefined attacks, ensuring your infrastructure can deal with the most common known Volumetric and Application Layer DDoS attack vectors, and
2. Advanced Persistent Threat Testing - for companies that have passed the Basic Testing and require 100% uptime. Similar in philosophy to penetration testing, this advanced level involves:
- Exploiting application or business logic flaws
- Bypassing Layer 7 mitigation with customized tools
- Testing behavioral algorithms for weaknesses
- Launching sequential and combined attacks