Ethical DDoS drone network

Roland Dobbins rdobbins at cisco.com
Mon Jan 5 06:33:11 UTC 2009


On Jan 5, 2009, at 2:08 PM, Patrick W. Gilmore wrote:

> You want to 'attack' yourself, I do not see any problems.  And I see  
> lots of possible benefits.

This can be done internally using various traffic-generation and  
exploit-testing tools (plenty of open-source and commercial ones  
available).  No need to build a 'botnet', literally - more of a  
distributed test-harness.

And it must be *kept* internal; using non-routable space is key, along  
with ensuring that application-layer effects like recursive DNS  
requests don't end up leaking and causing problems for others.

But before any testing is done on production systems (during  
maintenance windows scheduled for this type of testing, naturally), it  
should all be done on airgapped labs, first, IMHO.

And prior to any testing of this sort, it makes sense to review the  
architecture(s), configuration(s), et al. of the elements to be  
tested in order to ensure they incorporate the relevant BCPs, and then  
implement those which haven't yet been deployed, and *then* test.

In general, I've found that folks tend to get excited about things  
like launching simulated attacks, setting up honeypots, and the like,  
because it's viewed as 'cool' and fun; the reality is that in most  
cases, analyzing and hardening the infrastructure and all  
participating nodes/elements/apps/services is a far wiser use of time  
and resources, even though it isn't nearly as entertaining.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // +852.9133.2844 mobile

      All behavior is economic in motivation and/or consequence.
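The "keep it internal" point in the message above, as an added example (not from the original post or its author): a pre-flight check for a lab test-harness configuration that rejects globally routable targets, resolvers outside the lab, and DNS query names outside the lab's own zone, so that neither the load nor recursive lookups can leak. The configuration keys, the allow-listed ranges and the sample config are assumptions made for this example.

```python
import ipaddress

# Address blocks a lab harness is allowed to target or query: RFC 1918
# private space, RFC 5737/3849 documentation ranges, link-local, loopback
# and IPv6 ULA. Constructed allow-list; adjust to the lab's real addressing.
LAB_ONLY_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
    "169.254.0.0/16", "127.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128", "2001:db8::/32",
)]


def is_lab_address(addr):
    """True if addr parses as an IP and falls inside a non-routable lab range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # Mixed-version membership tests simply return False, so no special-casing.
    return any(ip in net for net in LAB_ONLY_NETWORKS)


def in_lab_zone(name, zone):
    """True if the DNS name is the lab zone itself or a name beneath it."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return name == zone or name.endswith("." + zone)


def check_harness_config(config):
    """Return a list of problems; an empty list means the run stays internal.

    Expected keys (assumed layout): targets, resolvers, query_names, lab_zone.
    """
    problems = []
    for target in config.get("targets", []):
        if not is_lab_address(target):
            problems.append(f"target {target} is not in non-routable lab space")
    for resolver in config.get("resolvers", []):
        if not is_lab_address(resolver):
            problems.append(f"resolver {resolver} is outside the lab; recursion would leak")
    zone = config.get("lab_zone", "")
    for qname in config.get("query_names", []):
        if not zone or not in_lab_zone(qname, zone):
            problems.append(f"query name {qname} is outside lab zone {zone!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample configuration with one leak of each kind.
    sample = {"targets": ["10.1.2.3", "8.8.8.8"], "resolvers": ["1.1.1.1"],
              "query_names": ["www.lab.test.", "example.com."], "lab_zone": "lab.test."}
    for problem in check_harness_config(sample):
        print("REFUSE:", problem)
```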
