> It's very difficult to run a denial-of-service attack without denying
> service, don't you think? Most of us who claim it doesn't do enough are
> the same ones who would claim it did too much for the bad guys if it were
> released with a more aggressive suite of tests.
This is a very subtle point. There are some denial of service attacks
that are nearly impossible to test for under certain conditions without
going ahead and actually performing the attack. Something like the ping
of death or a UDP bomb can very likely fall into this category for a
network based check. (Another method of testing, logging into each
machine and discovering the specific operating system and kernel revision,
is a way to avoid performing the denial of service attack, but brings with
it its own set of problems and disadvantages).
A SYN flood attack is possible to test for remotely in such a way that
it has a very minimal impact on the service that you are attempting to
flood. The SYN flood denial of service test that is a part of ISS does
perform an actual denial of service, but it only shuts down the service
for a split second before reversing the impact of the attack and opening
the service back up. That might fall into a very small acceptable DoS
attack you could test against a production system.
I think we can all agree, though, that it is far better for a system or
security administrator to test for vulnerabilities to these problems under
controlled timing and conditions than it is to figure out what machines
are vulnerable to attack when a hacker starts performing it at 4 a.m. on a
Sunday morning.
-Dave
--------------------------------+---------------------
David J. Meltzer                | Email: davem@iss.net
Systems Engineer                | Web: www.iss.net
Internet Security Systems, Inc. | Fax: (770)395-1972