Ethical DDoS drone network

Roland Dobbins rdobbins at cisco.com
Mon Jan 5 00:33:11 CST 2009


On Jan 5, 2009, at 2:08 PM, Patrick W. Gilmore wrote:

> You want to 'attack' yourself, I do not see any problems.  And I see  
> lots of possible benefits.

This can be done internally using various traffic-generation and  
exploit-testing tools (plenty of open-source and commercial ones  
available).  No need to build a 'botnet', literally - more of a  
distributed test-harness

And it must be *kept* internal; using non-routable space is key, along  
with ensuring that application-layer effects like recursive DNS  
requests don't end up leaking and causing problems for others.

But before any testing is done on production systems (during  
maintenance windows scheduled for this type of testing, naturally), it  
should all be done on airgapped labs, first, IMHO.

And prior to any testing of this sort, it makes sense to review the  
architecture(s), configuration(s), et. al. of the elements to be  
tested in order to ensure they incorporate the relevant BCPs, and then  
implement those which haven't yet been deployed, and *then* test.

In general, I've found that folks tend to get excited about things  
like launching simulated attacks, setting up honeypots, and the like,  
because it's viewed as 'cool' and fun; the reality is that in most  
cases, analyzing and hardening the infrastructure and all  
participating nodes/elements/apps/services is a far wiser use of time  
and resources, even though it isn't nearly as entertaining.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // +852.9133.2844 mobile

      All behavior is economic in motivation and/or consequence.








More information about the NANOG mailing list