Stress Tests (DoS)
Can your application handle a surge of genuine users? Will it withstand a targeted attack attempting to make it unavailable? We offer scalable simulations of real user traffic as well as DoS and DDoS attack simulations.
Benefits
When assessing an application's security, it is standard practice to evaluate its availability as well. Overloading an application typically does not expose sensitive data to an attacker; however, if the application cannot serve its clients, the economic consequences can be severe.
That’s why it makes sense to test in advance how the application performs under heavy load. In our experience, even (D)DoS protection that appears to be well configured can turn out to be misconfigured.
Process
Tests usually take place in the production environment during scheduled time slots. When required, we can run them outside regular working hours.
The simulated DoS/DDoS attack is executed as a series of short, several-minute probes that verify the effectiveness of specific techniques. The entire engagement typically takes a few hours.
Testing can also be performed interactively, with one of our specialists remaining in contact with your team and discussing every probe as it runs. This approach can help fine-tune your defences against specific attacks.
Simulated DoS and DDoS
A DoS (Denial of Service) attack aims to make a specific service unavailable. A DDoS (Distributed Denial of Service) attack does the same but from a large number of sources.
For testing, we have access to more than 1,000 of our own IPv4 addresses and tens of thousands of IPv6 addresses. Our testing servers have 4 Gbps of internet connectivity, allowing us to scale the simulated attack as needed.
Typical attack scenarios include:
- flooding the connection with packets (TCP SYN flood, UDP flood);
- opening a large number of application-level (usually HTTP/HTTPS) connections;
- overloading the application or database server with requests that require intensive processing.
Load simulation under normal conditions
While (D)DoS simulations focus on identifying weaknesses that an attacker could exploit, many applications face performance issues even under normal usage. The aim of this test is to realistically simulate everyday user behaviour using pre-prepared scenarios and determine how many users the application can handle.
For normal-traffic simulation, we use Apache JMeter and k6. We can also provide the prepared user-flow scenarios on request.
Other types of tests
This test can be combined with a web application penetration test or an API test, which can also help identify suitable targets for a simulated (D)DoS attack.
We also offer a wide range of other penetration testing services; see Penetration Testing – Overview.
Final Report
The results of the penetration test are documented in a final report, which contains details of the testing process, a description and classification of all the vulnerabilities found, and recommendations for mitigating the risks. We deliver the report securely in MS Word and PDF formats. The results can also be presented in a management presentation or a technical workshop.
Any questions?
If you are interested in more details, please contact us.