Stress Tests (DoS)
Can your application handle a surge of genuine users? Will it withstand a targeted attack attempting to make it unavailable? We offer scalable simulations of real user traffic as well as DoS and DDoS attack simulations.
Benefits
When assessing an application's security, it is standard practice to evaluate its availability as well. Overloading an application typically does not expose sensitive data to an attacker; however, if the application cannot serve its clients, the economic consequences can be severe.
That’s why it makes sense to test in advance how the application performs under heavy load. In our experience, even (D)DoS protection that appears to be well configured often turns out to be misconfigured.
Process
Tests usually take place in the production environment during scheduled time slots. When required, we can run them outside regular working hours.
The simulated DoS/DDoS attack is executed as a series of short, several-minute probes that verify the effectiveness of specific techniques. The entire engagement typically takes a few hours.
During the assessment, we monitor outbound network traffic and the responsiveness of the tested services. Specifically, we monitor the response time when establishing TCP and TLS connections. For web applications, we also monitor the response time of HTTP(S) requests and the application response when accessed through a web browser. Graphs generated from this monitoring output are included in the final report.
Testing can also be performed interactively, with one of our specialists remaining in contact with your team and discussing every probe as it runs. This approach can help fine-tune your defences against specific attacks.
Simulated DoS and DDoS
A DoS (Denial of Service) attack aims to make a specific service unavailable. A DDoS (Distributed Denial of Service) attack does the same but from a large number of sources.
For testing, we have access to more than 1,000 of our own IPv4 addresses and tens of thousands of IPv6 addresses. Our testing servers have 4 Gbps of internet connectivity, allowing us to scale the simulated attack as needed.
Typical attack scenarios include:
flooding the connection with packets (TCP SYN flood, UDP flood);
opening a large number of application-level (usually HTTP/HTTPS) connections;
overloading the application or database server with requests that require intensive processing.
If (D)DoS protection is in use, we attempt to identify its limits during the assessment by adjusting the test intensity so that the attacking addresses are not blocked, while the attack still maintains sufficient intensity to deny the availability of the tested services.
Where additional controls are used, such as rate limiting, caching, or CAPTCHA, we attempt to bypass them as part of the (D)DoS assessment. The objective is to generate the maximum possible load on the tested infrastructure while minimising the resource requirements on the attacker’s side.
Load simulation under normal conditions
While (D)DoS simulations focus on identifying weaknesses that an attacker could exploit, many applications face performance issues even under normal usage. The aim of this test is to realistically simulate everyday user behaviour using pre-prepared scenarios and determine how many users the application can handle.
For normal-traffic simulation, we use Apache JMeter and k6. We can also provide the prepared user-flow scenarios on request.
Other types of tests
This test can be combined with a web application penetration test or an API test, which can also help identify suitable targets for a simulated (D)DoS attack.
We also offer a wide range of other penetration testing services; see Penetration Testing – Overview.
Final Report
The results of the penetration test are documented in a final report, which contains details of the testing process, a description and classification of all the vulnerabilities found, and recommendations for mitigating the risks. We deliver the report securely in MS Word and PDF formats. The results can also be presented in a management presentation or a technical workshop.
Any questions?
If you are interested in more details, please contact us.