Tinker is a user on infosec.exchange.
Tinker @tinker

Did a web app pentest.

Was debriefing a client when the developer responded, “After your attack the server came back online automatically. It was only down for 1 hour..”

“Only” and “One Hour”... Do. Not. Belong.... in the same sentence as each other when we’re discussing downtime after a Denial of Service attack resulting from a Form Flood produced by a malnourished Virtual Machine on a single laptop!!!!!!

::breathes heavily::
::types hashtags::

1: We’re not going to implement any remediation to the vulnerability.

0: That’s fine. Barring a fix, I’ll need you to sign this document that states that I clearly explained to you the business risk of this vulnerability, that you opt not to remediate it at this time, & that you Accept The Risk.

0: Further, I’ll need you to detail the course of action that you intend to take during an Incident Response action after this vulnerability is exploited.

1: Umm.. what are our options for remediation?
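One defender-side check for the form flood described above, added here as an example and not part of the thread: it scans combined-format access logs for clients that POST to a form endpoint far faster than a human could, so the flood shows up in monitoring before the server falls over. The endpoint `/contact`, the IPs and every log line are constructed, and the thresholds are assumptions.

```python
"""Added example: flag a single-source form flood in web access logs.

Assumes NCSA combined-format lines ordered by time; all sample lines below are
constructed. A client is flagged when it POSTs to `path` more than `limit`
times inside any `window`-second span.
"""
from collections import defaultdict, deque
from datetime import datetime
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 10/Oct/2023:13:55:36 +0000


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def detect_form_flood(lines, path, limit, window):
    """Return {ip: peak_count} for clients exceeding `limit` POSTs to `path` in `window` s."""
    recent = defaultdict(deque)  # per-IP sliding window of POST timestamps
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the monitor
        ip, ts, method, p, _status = rec
        if method != "POST" or p != path:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # drop timestamps outside the window
            q.popleft()
        if len(q) > limit:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


# Constructed sample: one client hammers the form 25 times in 25 seconds,
# a second client behaves like a normal visitor.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{s:02d} +0000] "POST /contact HTTP/1.1" 200 512 "-" "curl/8.0"'
    for s in range(25)
] + [
    '198.51.100.5 - - [10/Oct/2023:13:55:10 +0000] "GET /contact HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [10/Oct/2023:13:55:40 +0000] "POST /contact HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(detect_form_flood(SAMPLE_LOG, "/contact", limit=10, window=60))
```

The same per-client counter is what a rate limit in front of the form would enforce; here it only reports, so it can be run over existing logs to see whether an outage was a flood or just a traffic spike.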

@tinker
I once did a pentest of a publicly accessible web application. The login form was vulnerable to SQL injection.
When I explained it to the customer, the developer asked why somebody would enter SQL as a username or password, as it makes no sense...

@kosebamse - Yeah :) A lot of good, honest folks out there who can’t understand why others would cause harm.

@kosebamse @tinker Once did a pentest. Pointed out the vulnerability I found was mitigated by the very limited account involved. Developer confirmed the bug, and wrote a patch to make the application always run as root.

@tinker this is why ops frequently claps with one or zero hands, but rarely with two

@rook @tinker facepalm is the sound of one hand clapping.

@tinker more often than not when people come to me with "OMG WTF BBQ we're under DDoS!!1!one1eleven", I look at what's going on and it turns out, no, they're not under DDoS.

They are just getting some unexpectedly high traffic because you published something, perhaps 3 times more traffic than usual, and their PHP website hitting a MySQL server cannot handle more than 2 requests/second.

::breathes heavily::

*because they published something, obviously.

Nobody I know got "ddosed" because you personally published something, @tinker ! ;)

@rysiek - Lol! I have never directed my personal army to DDoS someone! I swear! Nor has anything I’ve written enraged anyone enough to go out and block traffic to a site for an hour or two until they calmed down. 🤣

@rysiek - Lol! This sounds like a conversation that @jerry had on his podcast!

@tinker to be serious, I assume that you can take down 90% of the websites with only one laptop. Most websites only have a few users a day; sites with high traffic are not the normal part of the internet. A lot of people rent some cheap VPS or shared hosting, setting up WordPress or another CMS. Resources of these systems are overloaded pretty fast.

As long as sites come back up without manual intervention, most people won't invest money in more power for their webserver.

@kmj - Most sites I’ve seen that automatically come back up, do so in a matter of minutes (rebooted server and application startup) not hours. I don’t get that part.

@tinker if it comes back up within minutes after the DDOS ends, most likely some admin was watching the server and rebooting, or some monitoring rebooted the server.

If there is no admin or monitoring, it can take hours till somebody reboots or the server crashes itself for a hard reboot.

The part is, I assume 90% doesn't even care about it.