Home page logo

nanog logo nanog mailing list archives

Re: Ethical DDoS drone network
From: Roland Dobbins <rdobbins () cisco com>
Date: Mon, 5 Jan 2009 14:33:11 +0800

On Jan 5, 2009, at 2:08 PM, Patrick W. Gilmore wrote:

You want to 'attack' yourself, I do not see any problems. And I see lots of possible benefits.

This can be done internally using various traffic-generation and exploit-testing tools (plenty of open-source and commercial ones available). No need to build a 'botnet', literally - more of a distributed test-harness

And it must be *kept* internal; using non-routable space is key, along with ensuring that application-layer effects like recursive DNS requests don't end up leaking and causing problems for others.

But before any testing is done on production systems (during maintenance windows scheduled for this type of testing, naturally), it should all be done on airgapped labs, first, IMHO.

And prior to any testing of this sort, it makes sense to review the architecture(s), configuration(s), et. al. of the elements to be tested in order to ensure they incorporate the relevant BCPs, and then implement those which haven't yet been deployed, and *then* test.

In general, I've found that folks tend to get excited about things like launching simulated attacks, setting up honeypots, and the like, because it's viewed as 'cool' and fun; the reality is that in most cases, analyzing and hardening the infrastructure and all participating nodes/elements/apps/services is a far wiser use of time and resources, even though it isn't nearly as entertaining.

Roland Dobbins <rdobbins () cisco com> // +852.9133.2844 mobile

     All behavior is economic in motivation and/or consequence.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]