InterviewSolution
| 1. |
Are Denial-of-service Attacks Also Tested? |
|
Answer» Denial-of-service (DoS) attacks are usually only examined if it seems possible to put a system's availability at risk with very little effort. The cause can be, for example, a misconfiguration or a program error (say, a system that crashes when it is sent an overly long request). Attacks like this are performed only after explicit agreement has been given, to verify that the attack is indeed possible. On the other hand, attacks that try to saturate the bandwidth a company has at its disposal are usually not tested, as this is always possible for attackers with sufficient resources and would also affect third-party systems. Distributed denial-of-service attacks, which usually involve hundreds, if not thousands, of zombie systems (systems that were compromised and can now be remotely controlled), cannot be simulated realistically. |
|