Ethical DDoS drone network
David Barak
thegameiam at yahoo.com
Tue Jan 6 00:01:36 UTC 2009
-- On Mon, 1/5/09, Roland Dobbins <rdobbins at cisco.com> wrote:
> From: Roland Dobbins <rdobbins at cisco.com>
> Subject: Re: Ethical DDoS drone network
> To: "NANOG list" <nanog at merit.edu>
> Date: Monday, January 5, 2009, 6:39 PM
> On Jan 6, 2009, at 7:23 AM, David Barak wrote:
>
> > In my opinion, the real thing you can puzzle out of
> this kind of testing is the occasional hidden dependency.
>
> Yes - but if your lab accurately reflects production, you
> can discover this kind of thing in the lab (and one ought to
> already have a lab setup which reflects production for many
> reasons having nothing to do with security).
I agree - having a lab of that type is absolutely ideal. However, the ideal and the real diverge tremendously in large and mid-size enterprise networks, because most enterprises just don't have enough lab equipment to adequately model all of the possible scenarios, and including the cost of a lab in the rollout immediately doubles all capital expenditures. The types of problems that the ultra-large DoS can ferret out are the kind which *don't* show up in anything smaller than a 1:1 or 1:2 scale model.
Consider for a moment a large retail chain, with several hundred or a couple thousand locations. How big a lab should they have before deciding to roll out a new network something-or-other? Should their lab be 1:10 scale? A more realistic figure is that they'll consider themselves lucky to be between 1:50 and 1:100, and that lab is probably understaffed at best. Having a dedicated lab manager is often seen as an expensive luxury, and many businesses don't have the margin to support it.
David Barak
Need Geek Rock? Try The Franchise:
http://www.listentothefranchise.com
More information about the NANOG
mailing list