nanog mailing list archives
Re: Ethical DDoS drone network
From: Roland Dobbins <rdobbins () cisco com>
Date: Tue, 6 Jan 2009 07:37:55 +0800
On Jan 6, 2009, at 6:52 AM, Jack Bates wrote:
> (or tell you up front that you'll crater their equipment).
This is the AUP danger to which I was referring earlier. Also, note that the miscreants will attack intermediate systems such as routers they identify via tracerouting from multiple points to the victim - there's no way to test that externally without violating AUPs and/or various criminal statutes in multiple jurisdictions.
And then there are managed-CPE and hosting scenarios, which complicate matters further.
Tim's comments about understanding the performance envelopes of all the system/infrastructure elements are spot-on - that's a primary input into design criteria (or should be). With this knowledge in hand, one can test the most important things internally.
But prior to testing, one should ensure that the architecture and the element configurations are hardened with all the relevant BCPs, and scaled for capacity. The main purpose of the testing would be to verify correct implementation and ensure all the failure modes have been accounted for and ameliorated to the degree possible, and also as an opsec drill.
What I've seen over and over again is a desire to test because it's 'cool', but no desire to spend the time in the design and implementation (or re-implementation) phases to ensure that things are hardened in the first place, nor to spell out security policies and procedures, train, etc.
Actual *security* (as opposed to checklisting) consists of attention to lots of tedious details, drudgery and scut-work, involving the coordination of multiple groups and the attendant politics. It isn't 'sexy', it isn't 'cool', it isn't 'fun', but it pays off at 4AM on a holiday weekend.
Testing should become a priority only after one has done everything one knows to do within one's span of control, IMHO - and I've yet to run across this happy circumstance in any organization who've asked me about this kind of testing, FWIW.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins () cisco com> // +852.9133.2844 mobile

All behavior is economic in motivation and/or consequence.