DDoS Testing Services
DDoS (distributed denial-of-service) testing checks whether a company’s IT infrastructure and applications can withstand numerous malicious requests from distributed sources undermining their availability and required performance.
In information security services since 2003, ScienceSoft helps our clients ensure their IT infrastructures and critical apps are resilient to diverse DDoS attacks.
When to Opt For DDoS Testing?
IT infrastructure or applications have never been DDoS tested before
-
Checking the availability and performance of your IT infrastructure and apps under the stress of an imitated true-to-life DDoS attack.
-
Searching for setup and configuration defects in your DDoS protection solutions, if they are in place, and fixing them.
Before and after implementing a DDoS protection solution
-
Finding vulnerabilities in your IT infrastructure and apps to knowingly select and fine-tune a DDoS mitigation solution.
-
Validating the effectiveness of implemented DDoS mitigation measures to ensure their correct configuration and the actual level of provided DDoS protection.
Before a critical app or infrastructure component is launched
- Checking the DDoS resistance of the application (e.g., a publicly-available website) that is to go live or a newly introduced infrastructure component (e.g., servers, networks, etc.) and their integrations.
|
|
Note: ScienceSoft recommends performing DDoS testing regularly (monthly, quarterly, or at least annually), if:
|
Our DDoS Testing Scope
ScienceSoft’s DDoS testing engineers develop custom DDoS attack scenarios and validate resilience to the following types of DDoS attacks:
Layer 3 and 4 attacks (Protocol layer attacks)
Such attacks target the transport and network layers of your infrastructure to consume the resources of the targeted server or communication equipment (e.g., firewalls, load balancers).
Vectors: SYN floods, fragmented packet attacks, Ping of Death, Smurf attack, etc.
Layer 7 attacks (Application layer attacks)
These attacks exploit applications by imitating the legitimate user behavior to crash the web server.
Vectors: low-and-slow attacks, GET/POST floods, WordPress HTTP/s floods, Slowloris attacks.
Volumetric attacks
These attacks typically target Layer 3 and 4, but are considered a separate type because of the high volume of malicious traffic involved.
Vectors: UDP floods, ICMP floods, IP/ICMP fragmentation, IPSec flood, reflection amplification attacks, etc.
Multi-vector and multi-layer attacks
Hybrid attacks aim at some/all of the mentioned infrastructure layers and combine a number of attack vectors (can include 15+ vectors) to increase the chances of bypassing the company’s DDoS protection.
Our DDoS testing experts can target:
Entire IT infrastructure
Networking infrastructure
IoT systems
Enterprise software ecosystem
Specific applications
Key servers
Our DDoS Testing Deliverables
ScienceSoft’s cybersecurity experts provide:
|
A DDoS test plan, including the list of the DDoS testing targets, applicable testing tools, types of attacks to be performed and their characteristics (e.g., type and volume of the simulated load, the number of simulated IPs and their geographies). |
A DDoS testing summary report with the metrics of the testing targets’ performance measured during the implemented attacks and the general assessment of their DDoS resistance. |
|
List of detected DDoS vulnerabilities prioritized based on their severity and potential business impact. |
Recommendations on how to eliminate the revealed vulnerabilities. |
Why ScienceSoft?
- 21 years in IT security services.
- A solid portfolio of security testing projects for healthcare, banking and financial services, governmental services, telecom, retail, and other industries.
- Certified Ethical Hackers on board.
- Recognized as Top Penetration Testing Company by Clutch.
- ScienceSoft is a 3-Year Champion in The Americas’ Fastest-Growing Companies Rating by the Financial Times.
- Customers’ data security ensured by ISO 27001 certification.
Companies That Work with Us and Why They Love It
We were under time pressure to get penetration testing performed as quickly as possible. When I reached out to ScienceSoft, they were immediately responsive to my inquiry, provided a very competitive quote quickly, and were able to schedule the testing shortly after our acceptance of the quote. ScienceSoft’s security testing team performed exceptionally well and gave us confidence that our application posed no serious vulnerabilities.
ScienceSoft's team provided the full package of penetration testing services for our web application. Thanks to ScienceSoft's high-quality services, we were able to locate and neutralize vulnerabilities and ensure the security of our customers' personal data, as well as protect our services from potential attacks.
I recommend ScienceSoft’s security testing services fully. They were very quick to reply to all our questions, they scheduled the test in just a few days. The testing itself was very well done, the results were clear and after one iteration of fixes, we passed the re-test.
Our Proprietary DDoS Testing Process
1
DoS testing
ScienceSoft’s security engineers analyze your IT infrastructure, outline its vulnerable points, and simulate DoS attacks from a single IP address.
DoS testing can be performed:
- ‘White-box’ – when cybersecurity engineers have the information presumably unknown to a real-life attacker (e.g., implemented cybersecurity measures, IT infrastructure configuration, tech stack, credentials). It typically enables test engineers to explore as many DoS vulnerabilities as possible.
- ‘Black-box’ – when security test engineers have only publicly available information. It helps simulate close-to-reality DoS testing conditions.
If the testing target survives DoS testing, the security engineers proceed with the next step.
2
DDoS assessment
ScienceSoft’s security experts carefully evaluate the testing target’s resistance to a simulated attack to minimize the possible negative impact on the target and the customer’s business continuity.
Security engineers perform DDoS testing only if the target is considered resilient enough.
3
DDoS testing
ScienceSoft security engineers opt for ‘white-box’ DDoS testing. This way, they can tailor the DDoS testing scope, scale, and vectors to safeguard the testing targets from an undesirable impact.
Our DDoS Testing Toolkit
DDoS testing tools
- GoldenEye
- HULK
- LOIC
- HOIC
- Cisco TRex
- Slowloris
Network scanning tools
- hping3
- Nmap
- Masscan
Benefits of DDoS Testing with ScienceSoft
Real-life DDoS attack simulations
ScienceSoft’s Certified Ethical Hackers develop custom hybrid DDoS testing scenarios for our clients to get the most true-to-life view of their IT infrastructure and applications’ behavior under a potential attack and check the effectiveness of their cybersecurity measures.
DDoS testing with end-users in focus
ScienceSoft’s professionals perform DDoS testing at the safest time for a customer (at night, during weekends, etc.). This way, the users of the tested IT infrastructure components and applications experience minimal to no downtime.
Minimized impact on a DDoS testing target
Our security engineers keep continuous contact with our clients’ IT infrastructure and application administrators to stop DDoS testing if it comes to unexpected issues.
Note: if the testing target’s outages and downtimes are totally unacceptable, ScienceSoft recommends ensuring the recovery servers are in place, setting up the application staging environment (for Layer 7 DDoS testing). If required, our DevOps engineers can promptly assist with the development of the apps staging environment.
Ensured business data security
ScienceSoft is a full-fledged provider of cybersecurity services. Our security engineers rely on an ISO 27001 certified information security management system and 24/7 in-house security monitoring to guarantee our clients’ data security.
Our Selected Cybersecurity Projects
DDoS and Pentesting of Web Applications for a Multinational Retail Chain
Multi-stage penetration and DDoS testing, including the validation of the apps’ resistance to:
- DoS and DDoS attacks.
- Cross-site scripting (XSS).
- SQL injections.
DoS Testing and Pentesting of the Network and Web Applications for a Mobile Operator
Security testing for a GSM operator with 5m+ subscribers, including the check for:
- Getting control over the network and database.
- Resilience to multi-vector DDoS attacks.
- SQL injection, spoofing, cross-site scripting, etc.
IT Infrastructure Security Assessment of an Asian Retail Bank
Online cybersecurity validation for a bank with 2.5m+ clients:
- Pentesting of 60 external IP addresses and the Customer’s network.
- Vulnerability assessment of multiple digital channels.
- Simulation of social engineering attacks.
IT Infrastructure Pentesting for a North American Payment Services and Products Company
Pentesting of web servers and apps, including the validation of their resilience to:
- Cross-site scripting (XSS).
- Man-in-the-middle exploits.
- Null byte injections, etc.
Find Your DDoS Testing Service Option
One-time DDoS testing
ScienceSoft’s cybersecurity engineers:
- Analyze your industry, business, and IT infrastructure specifics, plan a fitting set of DDoS testing activities accordingly.
- Develop custom DoS and DDoS testing scenarios.
- Select and configure the relevant testing tools.
- Perform DDoS assessment of the chosen testing targets.
- Carry out the single round of agreed DDoS testing activities.
- Provide a detailed DDoS test plan and report, set of recommendations on how to enhance your DDoS defense.
Recurrent DDoS testing
ScienceSoft’s cybersecurity engineers start with one-time DDoS testing and proceed with the following services after any significant change to your IT infrastructure (e.g., launching or removing infrastructure components, etc.) or critical applications (e.g., cloud migration, re-architecting, introducing third-party integrations, etc.):
- Analyze the changes in your infrastructure or applications to oversee the potential DDoS vulnerabilities and testing needs.
- Re-consider existing DDoS testing scenarios in connection with the introduced changes and develop new ones to optimize DDoS testing coverage.
- Perform DDoS testing focusing on both the vulnerabilities potentially arising from the infrastructure or apps’ changes and the ones detected during the previous DDoS testing.
Go For DDoS Testing to Outpace a Real DDoS Attack
Entrust your DDoS testing to ScienceSoft, to get:
