nanog mailing list archives

Re: Ethical DDoS drone network
From: David Barak <thegameiam () yahoo com>
Date: Mon, 5 Jan 2009 16:01:36 -0800 (PST)

-- On Mon, 1/5/09, Roland Dobbins <rdobbins () cisco com> wrote:

> From: Roland Dobbins <rdobbins () cisco com>
> Subject: Re: Ethical DDoS drone network
> To: "NANOG list" <nanog () merit edu>
> Date: Monday, January 5, 2009, 6:39 PM
>
> On Jan 6, 2009, at 7:23 AM, David Barak wrote:
>
> > In my opinion, the real thing you can puzzle out of
> > this kind of testing is the occasional hidden dependency.
>
> Yes - but if your lab accurately reflects production, you
> can discover this kind of thing in the lab (and one ought to
> already have a lab setup which reflects production for many
> reasons having nothing to do with security).

I agree - having a lab of that type is absolutely ideal.  However, the ideal and the real diverge tremendously in large 
and mid-size enterprise networks, because most enterprises just don't have enough lab equipment to adequately model all 
of the possible scenarios, and including the cost of a lab in the rollout immediately doubles all capital expenditures.
The types of problems that the ultra-large DoS can ferret out are the kind which *don't* show up in anything smaller 
than a 1:1 or 1:2 scale model.

Consider for a moment a large retail chain, with several hundred or a couple thousand locations.  How big a lab should 
they have before deciding to roll out a new network something-or-other?  Should their lab be 1:10 scale?  A more 
realistic figure is that they'll consider themselves lucky to be between 1:50 and 1:100, and that lab is probably 
understaffed at best.  Having a dedicated lab manager is often seen as an expensive luxury, and many businesses don't 
have the margin to support it.

David Barak
Need Geek Rock?  Try The Franchise: 

