Penetration Testing mailing list archives
Re: Question re: load balancers as a security device
From: "Robert E. Lee" <robert () outpost24 com>
Date: Tue, 29 Jan 2008 12:07:35 +0100
On Sat, 2008-01-26 at 22:07 +0800, Roland Dobbins wrote:
> *What I have grown tired of* is the continuing lack of understanding of the concept of DDoS attacks being attacks against capacity and/or state, and that instantiating a lot of state in front of a host, either with a load-balancer or with a firewall, renders said host *more* vulnerable to the DDoS, not less.

I agree with you on this point. In my manual testing days, I have taken down entire data-centers by manipulating the bottleneck/choke-point.

However, classifying devices as security or not security seems like a wasted effort. Each device has a function; if you have a goal, you can decide if the function brings you closer to, or further from that goal.

For you metric-minded people out there, the new Risk Assessment Values (RAV's) with the ISECOM's 3.x OSSTMM will really help you measure the benefits you get by adding or removing a device from your environment. You can use RAV's pre and post implementation to determine if the device/function brings any "security" benefit.

Robert

--
Robert E. Lee
Chief Security Officer
Outpost24 - One Step Ahead
http://www.outpost24.com
SE Phone: +46 455-61-2320
US Phone: +1 801-924-5902
email: robert () outpost24 com