DDoS attacks are becoming more and more complex, yet organizing one is very easy and cheap. An attacker can launch a DDoS attack simply by entering the target address and, for a very low fee, render an organization's systems unusable. The ease and low cost of carrying out DDoS attacks pose a great risk to organizations that conduct their business over the internet; an organization caught unprepared for such an attack can be unable to provide service for hours or even days.
DDoS attacks are a risk for every organization that provides service over the internet. It is important to make the necessary preparations against such attacks, to take both technical and administrative measures, and to continuously test the DDoS resistance of the systems so that the defense mechanisms can be improved.
In this report, DDoS, the types of DDoS attacks, the motivations behind them, major DDoS incidents in history, the approach to protection from DDoS attacks, and the importance of DDoS tests are explained at a high level.
Security Testing Services are the set of services in which information systems, regardless of product, are tested ahead of cyber attackers against the three basic principles of information security (confidentiality, integrity and availability), existing security vulnerabilities are detected, and solution suggestions are presented to eliminate them.
Cyber Security offers security testing services in areas such as internet, local network, web application, wireless network, social engineering, DDoS, mobile application, software source code analysis, continuous vulnerability analysis, malicious traffic analysis, and red teaming.
The corresponding studies were prepared at the request of organizations from sectors such as finance, public administration, transportation, e-commerce, energy and communication. The Security Testing Services requested by these organizations are as follows:
Internet Security Tests: Examine the organization's assets and data that are accessible over the internet.
Local Network Security Tests: Examine the organization's assets and data that are accessible over its local network.
Mobile & Web Application Security Tests: Examine the organization's data that is accessible through its web and mobile applications.
Web Service/API Security Tests: Examine the disruptions that may occur in the organization's web services and APIs.
Wireless Network Security Tests: Examine the organization's wireless network access controls, configurations and user behavior, include password cracking tests, and test the attacks that could be carried out against the corporate network from a wireless network once access has been obtained.
The results obtained from these tests are labeled as urgent, critical, high or medium findings according to their importance. Across all of the relevant tests, the findings were 3% urgent, 16% critical, 59% high and 16% medium importance. Broken down by test type:
Internet Security Tests: 14% critical, 43% high and 43% medium severity findings,
Web Application Security Tests: 14% urgent, 17% critical, 33% high and 36% medium severity findings,
Web Service Security Tests: 66% high and 34% medium severity findings,
Local Network Security Tests: 5% critical, 94% high and 1% medium severity findings,
Wireless Network Security Tests: 66% high and 34% medium severity findings,
Mobile Application Security Tests: 4% urgent, 14% critical, 29% high and 53% medium severity findings,
Software Source Code Analysis: 53% critical, 22% high and 25% medium severity findings were obtained.
In the case of DDoS and load tests, the evaluation examines whether the system's protection succeeded or failed. On that basis, the tests performed had the following outcomes:
DDoS Tests: 39% successful, 61% unsuccessful.
Web Application Load Tests: 50% successful, 50% unsuccessful.
Social Engineering Tests are testing services conducted either on all of an organization's employees or on a selected sample of them, and aim to measure the personnel's information security awareness by using various deception techniques. Within the scope of this test, findings were obtained using e-mail and telephone as the communication channels. The tests conducted in this context were as follows:
E-mail: In the e-mail setup, a 3-stage test was organized as opening the e-mail, clicking on the link provided in the opened e-mail and filling out the form as a result of the relevant click. 30% of the users who received the e-mail opened the relevant e-mail, 90% of those who opened the mail clicked on the link and 14% of those who clicked on the link filled out the relevant form.
Phone: In the phone setup, people were asked for their passwords. 75% of the users reached by phone gave their passwords.
In addition to all this information, a zero-day vulnerability was found for a customer in the energy sector during a similar evaluation period. The CVSS v3.0 Base Score of the zero-day vulnerability found during the penetration tests was stated as 8.1.