DDoS (distributed denial of service) tests are a great way to identify any problems you may have in local or cloud-based mitigation. By simulating a real attack, you can see how malicious actors could infiltrate your systems and carry out a DDoS attack or perpetrate a data breach.
There are numerous different ways to launch a DDoS attack test; including using a commercial service and “DDoS for hire”, or open-source testing. The first involves a bespoke contractual service with pre-attack consultation to map the network environment, monitoring & analysis throughout the live test process, and a summary report with an interpretation of results at the end. By contrast, the DDoS for hire services is bought as an off-the-shelf product and launched and managed by the individual.
DDoS for hire sites sell to people wishing to launch a DDoS attack, usually costing less than £50. Open-source tools, such as ‘hping’ or Cisco’s ‘TRex’, can be classified as generators or traffic or packets, and have DDoS functionality, for example, a flood option.
Commercial DDoS Testing
Commercial DDoS testing involves hiring a service from a panel of experts. They will consult with the business prior to launch to scope out a test plan template, and then, using multiple bots from a variety of locations, create a DDoS attack on the target system via a testing platform portal.
The two parties are in constant communication for the full attack time, typically 90 minutes, and provide mid-attack analysis to keep the target updated. A time-stamped log of these observations is included for every test vector and is extremely useful in reconstructing exactly what occurred during a test. The attack can be stopped at any time or the intensity changed to achieve the desired result. After the attack, the experts provide interpretations of the results and can help advise on what mitigation might be needed in the future.
There are various advantages to this technique. For example, there is very little chance something will go wrong. There are experts in continuous contact with your business, meaning at any time they can stop the attack process if some damage is starting to occur.
Furthermore, it is an effective way to get the most out of the test. The post-attack summary provides key information on the next best steps, and how to protect yourself from a real attack in the future.
Although commercial DDoS tests could be one-off events helpful in shaping a customer’s approach to DDoS mitigation, they are most powerful when incorporated as a regular event in a company’s security diary. DDoS attack techniques are changing rapidly, and the customer’s increasing dependency on public cloud, or 3rd party networks outside the corporate perimeter may be increasing the overall risks associated with DDoS attacks. Regular DDoS tests can also allow a company to identify where detection and mitigation systems need tuning to protect legitimate traffic, or need reinforcement or increased capacity to deal with current threat levels. Even if compliance does not dictate regular DDoS testing, it can be a strong indicator to auditors, investors and customers that a company takes its responsibility to service availability very seriously
DDoS for Hire and Open-Source Testing
Open-source testing and DDoS for hire products allow you to conduct your own DDoS test, without having to pay out large sums of money. Open-source testing provides you with the code to run your own attack, whereas DDoS for hire sites launch it for you for as little as £11. In both cases, no other support is given; it is a product, not a service.
This technique has its advantages, such as being easily accessible. With open-source software, you can use it over and over again, and with the small price tag, the same applies for DDoS for hire software.
However, this method also has plenty of disadvantages. First and foremost, launching a DDoS attack is illegal in many countries, including the UK. A lack of authority could land you in serious trouble with the law, and potentially in prison.
The main disadvantage of the test is the safety of your system. Without the regulated guidelines of experts choosing the correct attack, the right intensity, the ability to stop; a test could be very dangerous and take your systems fully offline, potentially with lasting damage. Collateral damage may involve not only direct disruption of the targeted services but also consumption of resources on networks upstream of the target.
Furthermore, open-source tools used for testing usually have a smaller range of capabilities, and therefore cannot represent the broad range of attacks that could affect your system. They also typically run from only one location instead of multiple, meaning the attack is only coming from a few bots in a single server. This does not necessarily represent a ‘real-life’ DDoS attack.
So, Which is Better?
Clearly, each technique has its pros and cons. Open-source DDoS testing doesn’t hold the hefty price tag like the commercial types yet doesn’t provide any expertise about the test. You must rely on your own knowledge, which could pose risks to your systems (or other third party systems) during the test or in the future.
Despite DDoS for hire sites being legal, they are a common method for malicious actors to launch a DDoS attack on an unsuspecting target. Businesses must be careful when using these sites, and again must rely on their own expertise.
If you want to get the most information possible about your system, guided through by experts, and are prepared to pay, then commercial DDoS testing is definitely for you. However, if you’re looking for a more specific, cost-free solution, then opting for the open-source or DDoS for hire options may be better suited if it is legal in your country of residence and you accept the associated risks.
activereach provides commercial DDoS testing, with our team of experts helping you through the process every step of the way. If you would like to find out more about our DDoS testing services, please visit the page on our website, or call us on 0845 625 9025.