mailing list archives
Re: Ethical DDoS drone network
From: Roland Dobbins <rdobbins () cisco com>
Date: Tue, 6 Jan 2009 07:37:55 +0800
On Jan 6, 2009, at 6:52 AM, Jack Bates wrote:
(or tell you up front that you'll crater their equipment).
This is the AUP danger to which I was referring earlier. Also, note
that the miscreants will attack intermediate systems such as routers
they identify via tracerouting from multiple points to the victim -
there's no way to test that externally without violating AUPs and/or
various criminal statutes in multiple jurisdictions.
And then there are managed-CPE and hosting scenarios, which complicate
Tim's comments about understanding the performance envelopes of all
the system/infrastructure elements are spot-on - that's a primary
input into design criteria (or should be). With this knowledge in
hand, one can test the most important things internally.
But prior to testing, one should ensure that the architecture and the
element configurations are hardened with all the relevant BCPs, and
scaled for capacity. The main purpose of the testing would be to
verify correct implementation and ensure all the failure modes have
been accounted for and ameliorated to the degree possible, and also as
an opsec drill.
What I've seen over and over again is a desire to test because it's
'cool', but no desire to spend the time in the design and
implementation (or re-implementation) phases to ensure that things are
hardened in the first place, nor to spell out security policies and
procedures, train, etc.
Actual *security* (as opposed to checklisting) consists of attention
to lots of tedious details, drudgery and scut-work, involving the
coordination of multiple groups and the attendant politics. It isn't
'sexy', it isn't 'cool', it isn't 'fun', but it pays off at 4AM on a
Testing should become a priority only after one has done everything
one knows to do within one's span of control, IMHO - and I've yet to
run across this happy circumstance in any organization who've asked me
about this kind testing, FWIW.
Roland Dobbins <rdobbins () cisco com> // +852.9133.2844 mobile
All behavior is economic in motivation and/or consequence.