Ethical DDoS drone network

Roland Dobbins rdobbins at
Mon Jan 5 23:37:55 UTC 2009

On Jan 6, 2009, at 6:52 AM, Jack Bates wrote:

> (or tell you up front that you'll crater their equipment).

This is the AUP danger to which I was referring earlier.  Also, note  
that the miscreants will attack intermediate systems such as routers  
they identify via tracerouting from multiple points to the victim -  
there's no way to test that externally without violating AUPs and/or  
various criminal statutes in multiple jurisdictions.

And then there are managed-CPE and hosting scenarios, which complicate  
matters further.

Tim's comments about understanding the performance envelopes of all  
the system/infrastructure elements are spot-on - that's a primary  
input into design criteria (or should be).  With this knowledge in  
hand, one can test the most important things internally.

But prior to testing, one should ensure that the architecture and the  
element configurations are hardened with all the relevant BCPs, and  
scaled for capacity.  The main purpose of the testing would be to  
verify correct implementation and ensure all the failure modes have  
been accounted for and ameliorated to the degree possible, and also as  
an opsec drill.

What I've seen over and over again is a desire to test because it's  
'cool', but no desire to spend the time in the design and  
implementation (or re-implementation) phases to ensure that things are  
hardened in the first place, nor to spell out security policies and  
procedures, train, etc.

Actual *security* (as opposed to checklisting) consists of attention  
to lots of tedious details, drudgery and scut-work, involving the  
coordination of multiple groups and the attendant politics.  It isn't  
'sexy', it isn't 'cool', it isn't 'fun', but it pays off at 4AM on a  
holiday weekend.

Testing should become a priority only after one has done everything  
one knows to do within one's span of control, IMHO - and I've yet to  
run across this happy circumstance in any organization who've asked me  
about this kind testing, FWIW.

Roland Dobbins <rdobbins at> // +852.9133.2844 mobile

      All behavior is economic in motivation and/or consequence.

More information about the NANOG mailing list