
DoS/Stress Tests

Are you sure that your servers can withstand an onslaught of visitors and won't let you down even under the heaviest load? We simulate heavy user traffic to see whether the tested infrastructure holds up even in extreme situations.

Find out how your systems respond under load

Attackers often damage companies simply by making their websites and key web applications inaccessible. The longer a web application is unavailable to users, the greater the losses. As part of Denial of Service testing, we test selected services to ensure that these situations do not occur and that critical web applications continue to function even under unexpectedly high load.

Methodology and types of attacks

Denial of Service (DoS) is a type of attack on Internet services or websites that aims to disable the target service and make it inaccessible to other users. We look for the ways in which applications and services can fail. The most common causes are overwhelming the service with requests or exploiting a bug or vulnerability that does not give the attacker control of the service but does let them make it inaccessible. A standard set of Denial of Service tests is always included. It consists of the following modules:

SYN Flood
This attack floods the target server or network with a large number of TCP SYN (synchronization) packets. It exploits a weakness in the procedure that TCP (Transmission Control Protocol) uses to establish a connection between two devices on the network.

The normal procedure for establishing a TCP connection between a client and a server begins with the client sending a TCP SYN packet to the server. The server acknowledges receipt of this packet by replying with a TCP SYN-ACK packet, to which the client responds with an ACK acknowledgement. Only then is the TCP connection considered successfully established.

In a TCP SYN flood, the attacker never acknowledges the server's responses to its TCP SYN packets. Instead, it keeps sending large numbers of TCP SYN packets, filling the server's queue of pending (half-open) connections. The server waits for an acknowledgement (ACK) from the attacker that never arrives, so inactive entries build up in the queue.
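The half-open queue behaviour described above, shown from the defender's side as an added example (this is not Aricoma's test tooling): a small monitor replays a constructed packet trace the way a listening socket would see it, counts the half-open entries each source is holding, and records the moment the queue is full and new SYNs have to be refused. The queue size, the half-open timeout, the alert threshold, the IP addresses and the trace itself are all constructed assumptions.

```python
"""Half-open connection tracking for SYN-flood detection (added illustration).

This is not Aricoma's test tooling; it replays a constructed packet trace
the way a server's listening socket would see it. Each record is
(timestamp, src_ip, src_port, flags) with flags "S" for SYN and "A" for the
client's final ACK. Queue size, timeout and alert threshold are assumptions.
"""
from collections import Counter

BACKLOG_SIZE = 128       # assumed capacity of the server's SYN (half-open) queue
HALF_OPEN_TIMEOUT = 5.0  # assumed seconds a half-open entry is kept before it is dropped
PER_SOURCE_ALERT = 20    # assumed number of half-open entries from one source that raises an alert


class SynBacklogMonitor:
    """Tracks entries that have sent a SYN but have not yet completed the handshake."""

    def __init__(self):
        self.half_open = {}    # (src_ip, src_port) -> time the SYN arrived
        self.established = 0   # handshakes completed with the client's ACK
        self.dropped_syns = 0  # SYNs refused because the queue was already full

    def _expire(self, now):
        # Half-open entries are only freed once the timeout has passed,
        # which is exactly the window a flood exploits.
        stale = [k for k, t in self.half_open.items() if now - t > HALF_OPEN_TIMEOUT]
        for k in stale:
            del self.half_open[k]

    def feed(self, ts, src_ip, src_port, flags):
        self._expire(ts)
        key = (src_ip, src_port)
        if flags == "S":
            if key in self.half_open:
                return                      # retransmitted SYN, entry already queued
            if len(self.half_open) >= BACKLOG_SIZE:
                self.dropped_syns += 1      # from here on legitimate clients fail to connect
                return
            self.half_open[key] = ts
        elif flags == "A" and key in self.half_open:
            del self.half_open[key]         # handshake completed, entry leaves the queue
            self.established += 1

    def alerts(self):
        """Sources holding an unusually large share of the half-open queue."""
        per_source = Counter(ip for ip, _ in self.half_open)
        return {ip: n for ip, n in per_source.items() if n >= PER_SOURCE_ALERT}


def build_trace():
    """Constructed trace: one legitimate client, then a flood from a single source."""
    trace = []
    for i in range(5):  # 10.0.0.5 completes five handshakes
        trace.append((0.1 * i, "10.0.0.5", 40000 + i, "S"))
        trace.append((0.1 * i + 0.01, "10.0.0.5", 40000 + i, "A"))
    for i in range(150):  # 150 SYNs in one second, none ever acknowledged
        trace.append((1.0 + i / 150, "203.0.113.9", 50000 + i, "S"))
    trace.append((2.5, "10.0.0.6", 41000, "S"))  # a new legitimate client arrives mid-flood
    trace.append((2.51, "10.0.0.6", 41000, "A"))
    return sorted(trace)


def analyze(trace):
    mon = SynBacklogMonitor()
    for rec in trace:
        mon.feed(*rec)
    return {"half_open": len(mon.half_open), "established": mon.established,
            "dropped_syns": mon.dropped_syns, "alerts": mon.alerts()}


def recovery_after_timeout(trace, late_ts=8.0):
    """Queue occupancy once the flood stops and the timeout has elapsed."""
    mon = SynBacklogMonitor()
    for rec in trace:
        mon.feed(*rec)
    mon.feed(late_ts, "10.0.0.7", 42000, "S")  # expires the stale flood entries first
    return len(mon.half_open)


if __name__ == "__main__":
    print(analyze(build_trace()))
    print("half-open entries after timeout:", recovery_after_timeout(build_trace()))
```

Replaying the trace shows the two things a monitoring team wants to correlate with the test schedule: the queue fills with 128 entries all owned by one source, and the legitimate client that arrives afterwards is refused until the timeout frees the stale entries. Real kernels shrink this window with SYN cookies (on Linux the `net.ipv4.tcp_syncookies` sysctl), which let the server answer SYNs without keeping a queue entry at all.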

HTTPS Renegotiation DoS
This attack exhausts server resources by misusing the HTTPS renegotiation feature. When an encrypted connection is established between client and server, a process known as the SSL/TLS handshake takes place. One step in this process allows the encryption parameters of the connection to be renegotiated, so that keys or other encryption settings can be changed within an already established session.

We perform the test by repeatedly initiating renegotiation of the connection without ever completing it, which leaves the unfinished renegotiation open on the server side. Repeated at high frequency, this overwhelms the server with a large number of unfinished connections; system resources are exhausted and the server becomes unavailable to legitimate users.

HTTP Flood
In this attack, we manually select, based on our experience, the HTTP request activity that consumes the most computing power on the backend servers, typically database queries during search, data retrieval, or user login.

We then repeat this HTTP request at high frequency, which simulates many users working at the same time, consumes the full resources of the backend servers and makes them unavailable.
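Both application-level modules above (HTTPS renegotiation and HTTP flood) come down to one client consuming a disproportionate share of server work, so a single defensive example serves both. The following added code is not Aricoma's tooling: it charges each HTTP request a cost reflecting how expensive the endpoint is for the backend (mirroring the selection of expensive requests described above) and debits a per-client budget, and it reuses the same budget to cap how often one TLS connection may renegotiate. The log format, endpoint costs, limits, IP addresses and connection identifiers are constructed assumptions.

```python
"""Cost-weighted request budgeting against application-level floods (added illustration).

Not Aricoma's tooling. Every request is charged a cost reflecting how much
backend work it causes, so a client hammering the search endpoint runs out
of budget long before one fetching static pages. The same bucket caps TLS
renegotiations per connection. Log lines, events, costs and limits are all
constructed assumptions.
"""
import re

# Assumed backend cost per endpoint (1 = a cheap static page)
ENDPOINT_COST = {"/search": 20, "/login": 10}
DEFAULT_COST = 1

# Constructed log format: "<unix_ts> <client_ip> <method> <path> <status>"
LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


class TokenBucket:
    """Budget that refills at a steady rate and is debited per request."""

    def __init__(self, capacity, refill_per_sec):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.tokens = capacity
        self.last = None

    def allow(self, now, cost):
        if self.last is None:
            self.last = now
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


def endpoint_cost(path):
    return ENDPOINT_COST.get(path.split("?", 1)[0], DEFAULT_COST)


def apply_http_budget(log_lines, capacity=100, refill_per_sec=10):
    """Returns {client_ip: (allowed, rejected)} after replaying the access log.
    Lines only need to be in time order per client, since budgets are per client."""
    buckets, decisions = {}, {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real collector would count these too
        ip, now = m["ip"], float(m["ts"])
        bucket = buckets.setdefault(ip, TokenBucket(capacity, refill_per_sec))
        ok = bucket.allow(now, endpoint_cost(m["path"]))
        tally = decisions.setdefault(ip, [0, 0])
        tally[0 if ok else 1] += 1
    return {ip: tuple(t) for ip, t in decisions.items()}


def apply_renegotiation_limit(events, limit=3, window=60.0):
    """events: constructed (ts, conn_id, kind), kind in {"handshake", "renegotiate", "close"}.
    Each connection may renegotiate `limit` times per `window` seconds; returns rejections."""
    buckets, rejected = {}, {}
    for ts, conn, kind in events:
        if kind == "renegotiate":
            bucket = buckets.setdefault(conn, TokenBucket(limit, limit / window))
            if not bucket.allow(ts, 1):
                rejected[conn] = rejected.get(conn, 0) + 1
        elif kind == "close":
            buckets.pop(conn, None)  # state is released with the connection
    return rejected


def build_log():
    """Constructed access log: a browsing user, a search flooder and a static-page flooder."""
    lines = []
    for i in range(10):   # 10.0.0.5 browses normally, one cheap page every half second
        lines.append(f"{i * 0.5:.3f} 10.0.0.5 GET /products/{i} 200")
    for i in range(30):   # 198.51.100.7 fires the expensive search every 50 ms
        lines.append(f"{i * 0.05:.3f} 198.51.100.7 GET /search?q=term{i} 200")
    for i in range(30):   # 198.51.100.8 fires cheap static requests at the same rate
        lines.append(f"{i * 0.05:.3f} 198.51.100.8 GET /static/app.js 200")
    return lines


def build_renegotiation_events():
    """Constructed TLS events: c1 renegotiates twice in a minute, c2 fifty times in five seconds."""
    events = [(0.0, "c1", "handshake"), (10.0, "c1", "renegotiate"), (40.0, "c1", "renegotiate"),
              (0.0, "c2", "handshake")]
    events += [(0.1 * i, "c2", "renegotiate") for i in range(50)]
    return sorted(events)


if __name__ == "__main__":
    print(apply_http_budget(build_log()))
    print(apply_renegotiation_limit(build_renegotiation_events()))
```

With the constructed input, the client repeating the search endpoint gets only five requests through before its budget is gone, while the client sending thirty cheap static requests at the same rate is never throttled; that difference is the point of weighting by backend cost rather than counting requests. The renegotiation cap behaves the same way: a connection renegotiating occasionally is untouched, the one renegotiating every 100 ms is refused after its third attempt.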

Buffer Overflow DoS
Here we send exploits that can make the service inaccessible if the target software is vulnerable. We use our up-to-date vulnerability scanner, Nessus, to scan for buffer overflow vulnerabilities; if one is found, we apply a suitable exploit against the target system, which causes it to crash.

The output is a comprehensive test report

The tests are performed from our company's infrastructure from a single network address, so it can be determined whether the services can be brought down by an attacker who does not control a botnet.

Our final report contains a detailed schedule, so monitoring outputs can be assigned to specific tests. The application-level DoS tests, represented by the last two groups in the standard suite, also include overall input validation (e.g. unexpected user input that crashes the system or backend), form upload tests (number of files, file size, filling up storage), cyclical execution of a logged function (filling up storage with logs), and so on.

Benefits

  • You get the overall confidence that your servers can withstand an onslaught of visitors and won't let you down even under the heaviest load.
  • You'll receive a final report that includes a detailed schedule so you can match monitoring outputs to specific tests.
  • We have over 30 years of experience in the field of security in both the Czech and Slovak Republics.