Re: Ethical DDoS drone network
On Mon, Jan 5, 2009 at 4:11 PM, Roland Dobbins rdobb...@cisco.com wrote:
> In my experience, once one has an understanding of the performance envelopes and has built a lab which contains examples of the functional elements of the system (network infrastructure, servers, apps, databases, clients, et al.), one can extrapolate pretty accurately well out to orders of magnitude.

It's one of those things where the difference between theory and practice is smaller in theory than it is in practice, though... But yeah, sometimes things like load balancers fail, or routers run out of table space, or whatever. I've had enough enterprise customers worry about what will happen to their VPN sites if some neighborhood kid annoys his gamer buddies and gets a few Gbps of traffic to knock down their DSLAM and its upstream feeds or whatever.

> The problem is that many organizations don't do the above prior to freezing the design and initiating deployment.

Back in the mid-90s I had one networking software development customer that had a room with 500 PCs on racks, and some switches that would let them dump groups of 50 of them together with whatever server they were testing. That was a lot more impressive back then when PCs were full-sized devices that needed keyboards and monitors (grouped on KVMs, at least), as opposed to being 1Us or blades or virtual machines.

Thanks; Bill

Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: Ethical DDoS drone network
David Barak wrote:
> Consider for a moment a large retail chain, with several hundred or a couple thousand locations. How big a lab should they have before deciding to roll out a new network something-or-other? Should their lab be 1:10 scale? A more realistic figure is that they'll consider themselves lucky to be between 1:50 and 1:100, and that lab is probably understaffed at best. Having a dedicated lab manager is often seen as an expensive luxury, and many businesses don't have the margin to support it.

At the very least they should have a complete mock location (from an IT perspective) in a lab. Identical copies of all local servers and a carbon copy of their official template network. This is how AOL does it. Every change is tested in the mock remote site before the official template is changed and the template is pushed out to all the production sites.

Justin
Re: Ethical DDoS drone network
Justin Shore wrote:
> David Barak wrote:
>> Consider for a moment a large retail chain, with several hundred or a couple thousand locations. How big a lab should they have before deciding to roll out a new network something-or-other? Should their lab be 1:10 scale? A more realistic figure is that they'll consider themselves lucky to be between 1:50 and 1:100, and that lab is probably understaffed at best. Having a dedicated lab manager is often seen as an expensive luxury, and many businesses don't have the margin to support it.
>
> At the very least they should have a complete mock location (from an IT perspective) in a lab. Identical copies of all local servers and a carbon copy of their official template network. This is how AOL does it. Every change is tested in the mock remote site before the official template is changed and the template is pushed out to all the production sites.

That's useful for testing changes to the remote site itself, but it doesn't do anything for testing changes to the entire WAN. I've seen _many_ routing problems appear in large WANs that simply can't be replicated with fewer than a hundred or even a thousand routers. The vendors may have tools to simulate such, since they need them for their own QA, support, etc. but they rarely give them to customers because that'd be another product they have to support...

S
Re: Ethical DDoS drone network
--- On Tue, 1/6/09, Justin Shore jus...@justinshore.com wrote:
> David Barak wrote:
>> Consider for a moment a large retail chain, with several hundred or a couple thousand locations. How big a lab should they have before deciding to roll out a new network something-or-other? Should their lab be 1:10 scale? A more realistic figure is that they'll consider themselves lucky to be between 1:50 and 1:100, and that lab is probably understaffed at best. Having a dedicated lab manager is often seen as an expensive luxury, and many businesses don't have the margin to support it.
>
> At the very least they should have a complete mock location (from an IT perspective) in a lab. Identical copies of all local servers and a carbon copy of their official template network. This is how AOL does it. Every change is tested in the mock remote site before the official template is changed and the template is pushed out to all the production sites.

I don't disagree at all: that is a straightforward way to anticipate *most* problems. What it does not and cannot validate is whether there is a scaling issue, and this is what doing live testing does give you.

David Barak
Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com
Re: Ethical DDoS drone network
On Jan 7, 2009, at 1:05 AM, Stephen Sprunk wrote:
> I've seen _many_ routing problems appear in large WANs that simply can't be replicated with fewer than a hundred or even a thousand routers.

Users can simulate many of these conditions themselves using various open-source and commercial tools, which've been available for many years. And again, it comes back to understanding the performance envelope of one's equipment, even without simulation.

---
Roland Dobbins rdobb...@cisco.com // +852.9133.2844 mobile

All behavior is economic in motivation and/or consequence.
Re: Ethical DDoS drone network
RD> Date: Wed, 7 Jan 2009 08:50:46 +0800
RD> From: Roland Dobbins

RD> > I've seen _many_ routing problems appear in large WANs that simply
RD> > can't be replicated with fewer than a hundred or even a thousand
RD> > routers.
RD>
RD> Users can simulate many of these conditions themselves using various

many != all

It appears to be a question of: what incremental benefit does one gain from real-world testing?

RD> open-source and commercial tools, which've been available for many
RD> years.

I think that everyone agrees: No live testing until adequate lab testing has been performed. The disagreement seems to be over when/if live testing is necessary, and how much.

Because it just wouldn't be a NANOG thread without analogies *grin*, I offer the following: drug certification, aircraft certification, automobile crash testing, database benchmarking. Even when a system is highly deterministic, such as a database, one still expects _real-world_ testing. Traffic flows on large networks are highly stochastic... and this includes OPNs, which I posit are futile to attempt to model.

RD> And again, it comes back to understanding the performance envelope
RD> of one's equipment, even without simulation.

Very true. If one deploys an OSPF-happy network thinking that it scales O(n), one is in for a rude shock.

Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita

DO NOT send mail to the following addresses:
dav...@brics.com -*- jfconmaa...@intc.net -*- s...@everquick.net
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.
Re: Ethical DDoS drone network
I propose that we create two Internets. One can be the testing Internet, and the other can be production. To ensure that both receive adequate treatment, they can trade places every few days. If something breaks, it can be moved from production to testing.

The detection of hyperbole, sarcasm, and mathematical invalidity is left as an exercise to the reader. ;-)

Eddy
Re: Ethical DDoS drone network
On Jan 7, 2009, at 9:40 AM, Edward B. DREGER wrote:
> Even when a system is highly deterministic, such as a database, one still expects _real-world_ testing. Traffic flows on large networks are highly stochastic... and this includes OPNs, which I posit are futile to attempt to model.

Sure. In many cases, it seems that there's a lot of talk about testing, after-the-fact, with relatively little analysis performed prior-to-the-fact to inform the design, including baseline security requirements.

When one has a network/system in which the basic security BCPs haven't been implemented, it makes little sense to expend scarce resources testing when those resources could be better-employed hardening and increasing the resiliency and robustness of said network/system.

---
Roland Dobbins rdobb...@cisco.com // +852.9133.2844 mobile

All behavior is economic in motivation and/or consequence.
Re: Ethical DDoS drone network
RD> Date: Wed, 7 Jan 2009 09:48:16 +0800
RD> From: Roland Dobbins

RD> When one has a network/system in which the basic security BCPs
RD> haven't been implemented, it makes little sense to expend scarce
RD> resources testing when those resources could be better-employed
RD> hardening and increasing the resiliency and robustness of said
RD> network/system.

Very true. "Hey, it really _did_ break!" is hardly a useful approach.

Your post awakened my inner cynic: Perhaps there are people who look to stress-testing OPNs in hopes that the weakest link is elsewhere, so that they may point the proverbial finger instead of fixing internal problems.

#include <cost-shifting/patching,smtp-auth,spf,urpf,et-cetera.h>

Eddy
Re: Ethical DDoS drone network
On Mon, 05 Jan 2009 06:53:49 EST, Patrick W. Gilmore said:
> Knowing whether the systems - internal _and_ external - can handle a certain load (and figuring out why not, then fixing it) is vital to many people / companies / applications. Despite the rhetoric here, it is simply not possible to test that in a lab. And I guarantee if you do not test it, there _will_ be unexpected problems when Bad Stuff happens.

Amen to that, brother. Trust me, you definitely want to do your load testing at a 2AM (or other usually dead time) of your own choosing, when you have the ability to pull the switch on the test almost instantly if it gets out of hand. The *last* thing you want is to get a surprise slashdotting of your web servers while the police have your entire site under lockdown. Been there, done that, it's not fun.
Re: Ethical DDoS drone network
PWG> Date: Mon, 5 Jan 2009 06:53:49 -0500
PWG> From: Patrick W. Gilmore

PWG> But back to your original point, how can you tell it is shit data?

AFAIK, RFC 3514 is the only standards document that has addressed this. I have yet to see it implemented. ;-)

Eddy
Re: Ethical DDoS drone network
RD> Date: Mon, 5 Jan 2009 15:54:50 +0800
RD> From: Roland Dobbins

RD> AUPs are a big issue, here..

And AUPs [theoretically] set forth definitions. Of course, there exist colo providers with "unlimited 10 Gbps bandwidth" whose AUPs read "do not use 'too much' bandwidth or we will get angry", thus introducing ambiguity regarding just _for what_ one is paying...

Perhaps "abuse" is best _operationally_ defined as "something that angers someone enough that it's at least sort of likely to cost you some money -- and maybe even a lot"? Were the definition clear, I doubt there'd be such a long NANOG thread. (Yes, I'm feeling optimistic today.)

Eddy
Re: Ethical DDoS drone network
FWIW, I'm primarily concerned about testing PPS loads and not brute force bandwidth.

Best regards, Jeff

On Mon, Jan 5, 2009 at 12:51 PM, Edward B. DREGER eddy+public+s...@noc.everquick.net wrote:
> RD> AUPs are a big issue, here..
>
> And AUPs [theoretically] set forth definitions. Of course, there exist colo providers with "unlimited 10 Gbps bandwidth" whose AUPs read "do not use 'too much' bandwidth or we will get angry", thus introducing ambiguity regarding just _for what_ one is paying...
>
> Perhaps "abuse" is best _operationally_ defined as "something that angers someone enough that it's at least sort of likely to cost you some money -- and maybe even a lot"? Were the definition clear, I doubt there'd be such a long NANOG thread. (Yes, I'm feeling optimistic today.)
>
> Eddy

--
Jeffrey Lyon, Leadership Team
jeffrey.l...@blacklotus.net | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.

Look for us at HostingCon 2009 in Washington, DC on August 10th - 12th at Booth #401.
RE: Ethical DDoS drone network
TAB> Date: Mon, 5 Jan 2009 11:54:06 -0500
TAB> From: BATTLES, TIMOTHY A (TIM), ATTLABS

TAB> assuming you're somewhat scaled, I would think this could all be done
TAB> in the lab.

And end up with a network that works in the lab. :-)

- bw * delay
- effects of flow caching, where applicable
- jitter (esp. under load)
- packet dups and loss (esp. under load)
- packet reordering and associated side-effects
- upstream/sidestream throughput (esp. under load)

No, reality is far more complex. Some things do not lend themselves to _a priori_ models, nor even TFAR generalizations.

Eddy
RE: Ethical DDoS drone network
You could just troll people on IRC until you get DDOS'd. All the fun, none of the work!

-----Original Message-----
From: Jeffrey Lyon [mailto:jeffrey.l...@blacklotus.net]
Sent: Monday, January 05, 2009 11:54 AM
To: na...@merit.edu
Subject: Re: Ethical DDoS drone network

FWIW, I'm primarily concerned about testing PPS loads and not brute force bandwidth.

Best regards, Jeff
Re: Ethical DDoS drone network
JL> Date: Mon, 5 Jan 2009 12:54:24 -0500
JL> From: Jeffrey Lyon

JL> FWIW, I'm primarily concerned about testing PPS loads and not brute
JL> force bandwidth.

Which underscores my point: x bps with minimally-sized packets is even higher pps than x bps with normal-sized packets, for any non-minimal value of "normal". Thus, the potential for breaking something that scales based on pps instead of bps _increases_ under such testing.

I've not [yet] seen an AUP that reads "customer shall maintain a minimum packet size of 400 bytes (combined IP header and payload) averaged over a moving one-hour window". ;-)

Eddy
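The arithmetic behind Eddy's point, as an added example that is not part of the thread: the same bit rate carries roughly eighteen times as many minimum-sized packets as full-sized ones once Ethernet framing (header, FCS, preamble and inter-frame gap, the standard values) is counted, so a pps-bound device sees a very different load from the same "x bps". The last function is the check his tongue-in-cheek "400-byte moving one-hour average" AUP clause would need, run over constructed counter samples; the 10 Gbps link and the samples are assumptions for illustration.

```python
"""Packets-per-second vs. bits-per-second arithmetic for a pps-oriented stress test.

Added example; not code from the thread. Framing constants are standard Ethernet
values; the counter samples (POLLS) are constructed, not measured.
"""

# Per-packet overhead on an Ethernet link, in bytes.
ETH_HEADER = 14      # dst MAC, src MAC, EtherType
ETH_FCS = 4          # frame check sequence
PREAMBLE_SFD = 8     # preamble + start-of-frame delimiter
IFG = 12             # inter-frame gap
MIN_FRAME = 64       # shorter frames are padded up to this size
MAX_FRAME = 1518     # untagged, non-jumbo


def wire_bytes(ip_bytes: int) -> int:
    """Bytes one packet of `ip_bytes` (IP header + payload) consumes on the wire."""
    frame = max(ip_bytes + ETH_HEADER + ETH_FCS, MIN_FRAME)
    if frame > MAX_FRAME:
        raise ValueError(f"{ip_bytes}-byte packet exceeds the standard Ethernet MTU")
    return frame + PREAMBLE_SFD + IFG


def pps_at_rate(bps: float, ip_bytes: int) -> float:
    """Packet rate that fills `bps` of link capacity with `ip_bytes`-sized packets."""
    return bps / (wire_bytes(ip_bytes) * 8)


def pps_ratio(bps: float, small: int, large: int) -> float:
    """How many times more packets per second `small`-byte packets produce than
    `large`-byte packets at the same bit rate (the multiplier a pps-bound box sees)."""
    return pps_at_rate(bps, small) / pps_at_rate(bps, large)


def window_avg_packet_size(samples, now: float, window_s: float = 3600.0) -> float:
    """Average packet size over the last `window_s` seconds.

    `samples` is an iterable of (timestamp, packets, bytes) interface counter deltas;
    only samples inside (now - window_s, now] count. Returns 0.0 when the window is empty.
    """
    pkts = octets = 0
    for ts, packets, nbytes in samples:
        if now - window_s < ts <= now:
            pkts += packets
            octets += nbytes
    return octets / pkts if pkts else 0.0


# Constructed 20-minute counter deltas: (timestamp, packets, bytes).
POLLS = [
    (3000, 1_000_000, 64_000_000),     # falls outside a one-hour window ending at 7200
    (4200, 1_000_000, 64_000_000),     # SYN-flood-like traffic: 64 bytes per packet
    (6000, 1_000_000, 1_500_000_000),  # bulk transfer: 1500 bytes per packet
    (7200, 1_000_000, 64_000_000),
]


if __name__ == "__main__":
    link = 10e9  # assumed 10 Gbps link
    for size in (40, 64, 400, 1500):
        print(f"{size:5d}-byte packets fill 10 Gbps at {pps_at_rate(link, size):,.0f} pps")
    print(f"40-byte vs 1500-byte packets at the same bps: {pps_ratio(link, 40, 1500):.1f}x")
    avg = window_avg_packet_size(POLLS, now=7200)
    print(f"one-hour average packet size: {avg:.0f} bytes; >= 400: {avg >= 400}")
```

Note that a 40-byte TCP SYN is padded to the 64-byte minimum frame, so anything smaller than 46 bytes of IP costs the same 84 bytes of wire time; the pps figure for a SYN flood is the line-rate ceiling for that link, not a function of the tiny payload.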
RE: Ethical DDoS drone network
Until you get hit at 8GB/s and then don't have a nice 'off' button..

-r

-----Original Message-----
From: Michael Gazzerro [mailto:mike.gazze...@nobistech.net]
Sent: Monday, January 05, 2009 1:14 PM
To: 'Jeffrey Lyon'; na...@merit.edu
Subject: RE: Ethical DDoS drone network

You could just troll people on IRC until you get DDOS'd. All the fun, none of the work!
Re: Ethical DDoS drone network
Ray Corbin wrote:
> Until you get hit at 8GB/s and then don't have a nice 'off' button..

However, it would very accurately simulate a real-world attack where you don't get to have an off button.

~Seth
RE: Ethical DDoS drone network
But I don't think his boss would be too happy when their network is up and down for days because he irked a scriptkiddie on irc just to test their limits :)

-r

-----Original Message-----
From: Seth Mattinen [mailto:se...@rollernet.us]
Sent: Monday, January 05, 2009 1:36 PM
To: na...@merit.edu
Subject: Re: Ethical DDoS drone network

Ray Corbin wrote:
> Until you get hit at 8GB/s and then don't have a nice 'off' button..

However, it would very accurately simulate a real-world attack where you don't get to have an off button.

~Seth
RE: Ethical DDoS drone network
There are some assumptions here. First are you considering volumetric DDOS attacks? Second, if you plan on harvesting wild bots and using them to serve your purpose then I don't see how this can be ethical unless they are just clients from your own network making it less distributed. You would then have to have this in your AUP allowing you to do this. Hmm, I really don't know what you would gain by this. Not knowing what your network looks like...but assuming you're somewhat scaled, I would think this could all be done in the lab.

-----Original Message-----
From: Jeffrey Lyon [mailto:jeffrey.l...@blacklotus.net]
Sent: Sunday, January 04, 2009 8:07 PM
To: na...@merit.edu
Subject: Ethical DDoS drone network

Say for instance one wanted to create an ethical botnet, how would this be done in a manner that is legal, non-abusive toward other networks, and unquestionably used for legitimate internal security purposes? How does your company approach this dilemma? Our company for instance has always relied on outside attacks to spot check our security and i'm beginning to think there may be a more user friendly alternative. Thoughts?

--
Jeffrey Lyon, Leadership Team
jeffrey.l...@blacklotus.net | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.

Look for us at HostingCon 2009 in Washington, DC on August 10th - 12th at Booth #401.
Re: Ethical DDoS drone network
On Jan 5, 2009, at 3:39 AM, Gadi Evron wrote:
> On Sun, 4 Jan 2009, kris foster wrote:
>> On Jan 4, 2009, at 11:11 PM, Gadi Evron wrote:
>>> On Mon, 5 Jan 2009, Patrick W. Gilmore wrote:
>>>> On Jan 5, 2009, at 1:33 AM, Roland Dobbins wrote:
>>>>> On Jan 5, 2009, at 2:08 PM, Patrick W. Gilmore wrote:
>>>>>> I can think of several instances where it _must_ be external. For instance, as I said before, knowing which intermediate networks are incapable of handling the additional load is useful information.
>>>>>
>>>>> But before any testing is done on production systems (during maintenance windows scheduled for this type of testing, naturally), it should all be done on airgapped labs, first, IMHO.
>>>>
>>>> Without arguing that point (and there are lots of scenarios where that is not at all necessary, IMHO), it does not change the fact that external testing can be extremely useful after air-gap testing.
>>>
>>> Fine test it by simulation on you or the transit end of the pipes. Do not transmit your test sh?t data across the `net.
>>
>> How do you propose a model is built for the simulation if you can't collect data from the real world? This is not sh?t data. Performance testing across networks is very real and happening now. The more knowledge I have of a path the better decisions I can make about that path.
>
> I am sorry for joking, I was sure we were talking about DDoS testing?

I've been called by more than one provider because I was "DDoS'ing" someone with traffic that someone requested. Strange how the word DDoS has morphed over time.

But back to your original point, how can you tell it is shit data? DDoSes frequently use valid requests or even full connections. If I send my web server port 80 SYNs, why would you complain?

Knowing whether the systems - internal _and_ external - can handle a certain load (and figuring out why not, then fixing it) is vital to many people / companies / applications. Despite the rhetoric here, it is simply not possible to test that in a lab.

And I guarantee if you do not test it, there _will_ be unexpected problems when Bad Stuff happens.

As mentioned before, Reality Land is not clean and structured.

--
TTFN,
patrick
Re: Ethical DDoS drone network
On Jan 5, 2009, at 2:54 AM, Roland Dobbins wrote:
> On Jan 5, 2009, at 3:04 PM, Patrick W. Gilmore wrote:
>> I can think of several instances where it _must_ be external. For instance, as I said before, knowing which intermediate networks are incapable of handling the additional load is useful information.
>
> AUPs are a big issue, here..

No, they are not. AUPs do not stop me from sending traffic from my host to my host across links I am paying for.

>> Without arguing that point (and there are lots of scenarios where that is not at all necessary, IMHO), it does not change the fact that external testing can be extremely useful after air-gap testing.
>
> Agree completely.
>
>> You live in a very structured world.
>
> The idea is to instantiate structure in order to reduce the chaos. ;>
>
>> Most people live in reality-land where there are too many variables to control, and not only is it impossible to guarantee that everything involved is strict to BCP, but the opposite is almost certainly true.
>
> Nothing's perfect, but one must do the basics before moving on to more advanced things. The low-hanging fruit, as it were (and of course, this is where scale becomes a major obstacle, in many cases; the fruit may be hanging low to the ground, but there can be a *lot* of it to pick).

Perhaps we are miscommunicating. You seem to think I am saying people should test externally before they know whether their internal systems work. Of course that is a silly idea. That does not invalidate the need for external testing. Nor does it guarantee everything will be BCP compliant, especially since "everything" includes things outside your control.

--
TTFN,
patrick
RE: Ethical DDoS drone network
> FWIW, I'm primarily concerned about testing PPS loads and not brute force bandwidth.

Simple solution. Write some DDoS software that folks can install on their own machines. Make it so that the software is only triggered by commands from a device under the same administrative control, i.e. it uses a shared secret that is set up when folks install the software. So far there are two pieces of software, one piece does the DDoSing, and the other piece controls it. You now need a third bit of software that sends DDoS requests to the controllers, and the controllers don't actually act upon such requests, but queue them until their administrators OK the DDoSing. Think of it a bit like a moderated mailing list.

If you produce that set of software, I'll bet that a lot of folks would be interested in working together to do DDoS stress testing of each others' networks, at times of their own choosing.

--Michael Dillon
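A sketch of the three-piece design Michael describes, as an added example (not Michael's code, nor any project's): agents that obey only a controller holding the shared secret set at install time, a controller that queues outside requests until a listed administrator approves them, and a requester that can only ask. It also covers the "pull the switch instantly" point Valdis raised earlier in the thread with a kill command, and bounds every approved test with an expiry so it cannot outlive its maintenance window. Commands are JSON bodies authenticated with HMAC-SHA256 and carry a sequence number so a captured "start" cannot be replayed after a kill. Messages are passed in-process and no packets are sent; the names, addresses, secret and numbers are hypothetical.

```python
"""Consent-gated stress-test controller and agent (added example, not thread code).

Agents act only on commands whose MAC verifies under the secret configured when the
agent was installed, which is what keeps them from being anybody else's bots. The
controller never forwards a request until a human approver turns it into a signed,
time-limited command. All names, addresses and the secret are hypothetical.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass


def mac_for(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 tag binding a command body to the controller/agent shared secret."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


class Agent:
    """Runs on a participant's own host under that participant's control."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret
        self.last_seq = 0      # highest sequence number acted on: replay guard
        self.active = None     # the start command currently in effect, if any

    def receive(self, body: bytes, mac: str, now: float) -> str:
        if not hmac.compare_digest(mac_for(self.secret, body), mac):
            return "rejected: bad mac"          # not from our controller, or tampered
        cmd = json.loads(body)
        if now > cmd["expires"]:
            return "rejected: expired"          # the approved window has closed
        if cmd["seq"] <= self.last_seq:
            return "rejected: replay"           # an old command captured and resent
        self.last_seq = cmd["seq"]
        if cmd["action"] == "stop":
            self.active = None
            return "stopped"
        # A real agent would hand `cmd` to its packet generator here, sourcing traffic
        # from its own addresses only, so nothing is spoofed and no third party gets blowback.
        self.active = cmd
        return f"started {cmd['pps']} pps toward {cmd['target']} until {cmd['expires']:.0f}"


@dataclass
class Request:
    requester: str
    target: str
    pps: int
    duration_s: float


class Controller:
    """Holds the shared secret and the approval queue for one administrative domain."""

    def __init__(self, secret: bytes, agents, approvers):
        self.secret = secret
        self.agents = list(agents)
        self.approvers = set(approvers)
        self.queue = {}        # request id -> Request awaiting a human decision
        self.next_rid = 1
        self.seq = 0
        self.sent = []         # (body, mac) of every command issued, kept for audit

    def submit(self, requester: str, target: str, pps: int, duration_s: float) -> int:
        """The third piece: an outside party asks for a test. Nothing reaches agents yet."""
        rid, self.next_rid = self.next_rid, self.next_rid + 1
        self.queue[rid] = Request(requester, target, pps, duration_s)
        return rid

    def _dispatch(self, cmd: dict, now: float):
        self.seq += 1
        body = json.dumps(dict(cmd, seq=self.seq), sort_keys=True).encode()
        mac = mac_for(self.secret, body)
        self.sent.append((body, mac))
        return [agent.receive(body, mac, now) for agent in self.agents]

    def approve(self, rid: int, admin: str, now: float):
        """Only a listed approver can turn a queued request into a signed command."""
        if admin not in self.approvers:
            raise PermissionError(f"{admin} is not an approver")
        req = self.queue.pop(rid)   # KeyError if unknown or already decided
        return self._dispatch({"action": "start", "target": req.target, "pps": req.pps,
                               "requester": req.requester, "approved_by": admin,
                               "expires": now + req.duration_s}, now)

    def kill(self, now: float):
        """The off button: every agent stops, whatever it was doing."""
        return self._dispatch({"action": "stop", "target": "*", "pps": 0,
                               "expires": now + 60}, now)


if __name__ == "__main__":
    secret = b"set-once-at-install-time"   # hypothetical shared secret
    agents = [Agent("agent-1", secret), Agent("agent-2", secret)]
    ctl = Controller(secret, agents, approvers={"ops-oncall"})
    rid = ctl.submit("peer-noc@example.net", "192.0.2.10", pps=50_000, duration_s=600)
    print("queued request", rid, "- agents idle:", all(a.active is None for a in agents))
    print(ctl.approve(rid, "ops-oncall", now=1000.0))
    print(ctl.kill(now=1200.0))
```

The sequence number matters more than it looks: without it, anyone who captured an approved "start" on the wire could resend it after the kill and restart the test inside its still-valid window. In a deployment the controller's audit list is what you would hand a peer who calls to ask why their link lit up at 02:00.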
RE: Ethical DDoS drone network
True, real world events differ, but so do denial of service attacks. Distribution in the network, PPS, BPS, Packet Type, Packet Size, etc.. Etc.. Etc.. So really I don't get the point either in staging a real life do it yourself test. So, you put pieces of your network in jeopardy night after night during maintenance windows to determine if what?? You're vulnerable to DDOS? We all know we are, it's just a question of what type and how much right? So we identify our choke points. We all know them. We look at the vendor data on how much PPS it can handle and quickly dismiss that. So what's the next step? Put the device that IS the choke point and pump it full of all different flavors until it fails. No harm no foul and now we have data regarding how much and what takes the device out. If the network is scaled, well we now know that we have x amount of devices that can fail if the DDOS goes X PPS with Y packet types. What I don't get is what you would be doing trying to accomplish this on a production network. Worst case is you break something. Best case is you don't. So if best case scenario is reached, what have you learned? Nothing! So what do you do next ramp it up? Seems silly.

-----Original Message-----
From: Edward B. DREGER [mailto:eddy+public+s...@noc.everquick.net]
Sent: Monday, January 05, 2009 12:03 PM
To: na...@merit.edu
Subject: RE: Ethical DDoS drone network

TAB> assuming you're somewhat scaled, I would think this could all be done
TAB> in the lab.

And end up with a network that works in the lab. :-)

- bw * delay
- effects of flow caching, where applicable
- jitter (esp. under load)
- packet dups and loss (esp. under load)
- packet reordering and associated side-effects
- upstream/sidestream throughput (esp. under load)

No, reality is far more complex. Some things do not lend themselves to _a priori_ models, nor even TFAR generalizations.

Eddy
Re: Ethical DDoS drone network
BATTLES, TIMOTHY A (TIM), ATTLABS wrote:
> True, real world events differ, but so do denial of service attacks. Distribution in the network, PPS, BPS, Packet Type, Packet Size, etc.. Etc.. Etc.. So really I don't get the point either in staging a real life do it yourself test. So, you put pieces of your network in jeopardy night after night during maintenance windows to determine if what?? You're vulnerable to DDOS? We all know we are, it's just a question of what type and how much right? So we identify our choke points. We all
<snip>
> packet types. What I don't get is what you would be doing trying to accomplish this on a production network. Worst case is you break something. Best case is you don't. So if best case scenario is reached, what have you learned? Nothing! So what do you do next ramp it up? Seems silly.

I'll personally agree with you, though there are fringe cases. For example, one or more of your peers might falter before you do. While I'm sure they won't enjoy you hurting their other customers, knowing that your peer's router is going to crater before your expensive piece of hardware is usually good knowledge. Since it's controlled, you can minimize the damage of testing that fact.

Another test is automatic measures and how well they perform. This may or may not be useful in a closed environment, though in a closed environment, they'll definitely need to mirror the production environment depending on what criteria they use for automatic measures.

A non-forging botnet which sends packets (valid or malformed) to an accepting recipient is strictly another internet app, and has a harm ratio related to some p2p apps. IP forging, of course, could cause unintended blowback, which could have severe legal ramifications.

That being said, I'd quit calling it a botnet. I'd call it a distributed application that stress tests DDoS protection measures, and it's advisable to let your direct peers know when you plan to run it. They might even be interested in monitoring their equipment (or tell you up front that you'll crater their equipment).

Jack
RE: Ethical DDoS drone network
In my opinion, the real thing you can puzzle out of this kind of testing is the occasional hidden dependency. I've seen ultra-robust servers fail because a performance monitoring application living on them was timing out in a remote query, and I've also seen devices fail well below their expected load because they were using multiple layers of encapsulation (IP over MPLS over IP over Ethernet over MPLS over Frame-Relay ...) and one of the hidden middle-layers was badly optimized.

The advantage of performing this DDoS-style load testing on yourself is that *you can turn it off once you experience the failure* and then go figure out why it broke when it did. This is a lot more pleasant than trying to figure it out at 2:30 in the morning with insufficient coffee.

David Barak
Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com

--- On Mon, 1/5/09, BATTLES, TIMOTHY A (TIM), ATTLABS tmbatt...@att.com wrote:

From: BATTLES, TIMOTHY A (TIM), ATTLABS tmbatt...@att.com
Subject: RE: Ethical DDoS drone network
To: Edward B. DREGER eddy+public+s...@noc.everquick.net, na...@merit.edu
Date: Monday, January 5, 2009, 4:16 PM

True, real world events differ, but so do denial of service attacks. Distribution in the network, PPS, BPS, Packet Type, Packet Size, etc.. Etc.. Etc.. So really I don't get the point either in staging a real life do it yourself test. So, you put pieces of your network in jeopardy night after night during maintenance windows to determine if what?? You're vulnerable to DDOS? We all know we are, it's just a question of what type and how much right? So we identify our choke points. We all know them. We look at the vendor data on how much PPS it can handle and quickly dismiss that. So what's the next step? Put the device that IS the choke point and pump it full of all different flavors until it fails. No harm no foul and now we have data regarding how much and what takes the device out. If the network is scaled, well we now know that we have x amount of devices that can fail if the DDOS goes X PPS with Y packet types.

What I don't get is what you would be doing trying to accomplish this on a production network. Worst case is you break something. Best case is you don't. So if best case scenario is reached, what have you learned? Nothing! So what do you do next, ramp it up? Seems silly.

-Original Message-
From: Edward B. DREGER [mailto:eddy+public+s...@noc.everquick.net]
Sent: Monday, January 05, 2009 12:03 PM
To: na...@merit.edu
Subject: RE: Ethical DDoS drone network

TAB Date: Mon, 5 Jan 2009 11:54:06 -0500
TAB From: BATTLES, TIMOTHY A (TIM), ATTLABS
TAB assuming you're somewhat scaled, I would think this could all be done
TAB in the lab.

And end up with a network that works in the lab. :-)

- bw * delay
- effects of flow caching, where applicable
- jitter (esp. under load)
- packet dups and loss (esp. under load)
- packet reordering and associated side-effects
- upstream/sidestream throughput (esp. under load)

No, reality is far more complex. Some things do not lend themselves to _a priori_ models, nor even TFAR generalizations.

Eddy
Re: Ethical DDoS drone network
On Jan 6, 2009, at 6:52 AM, Jack Bates wrote:

(or tell you up front that you'll crater their equipment).

This is the AUP danger to which I was referring earlier. Also, note that the miscreants will attack intermediate systems such as routers they identify via tracerouting from multiple points to the victim - there's no way to test that externally without violating AUPs and/or various criminal statutes in multiple jurisdictions. And then there are managed-CPE and hosting scenarios, which complicate matters further.

Tim's comments about understanding the performance envelopes of all the system/infrastructure elements are spot-on - that's a primary input into design criteria (or should be). With this knowledge in hand, one can test the most important things internally. But prior to testing, one should ensure that the architecture and the element configurations are hardened with all the relevant BCPs, and scaled for capacity. The main purpose of the testing would be to verify correct implementation and ensure all the failure modes have been accounted for and ameliorated to the degree possible, and also as an opsec drill.

What I've seen over and over again is a desire to test because it's 'cool', but no desire to spend the time in the design and implementation (or re-implementation) phases to ensure that things are hardened in the first place, nor to spell out security policies and procedures, train, etc. Actual *security* (as opposed to checklisting) consists of attention to lots of tedious details, drudgery and scut-work, involving the coordination of multiple groups and the attendant politics. It isn't 'sexy', it isn't 'cool', it isn't 'fun', but it pays off at 4AM on a holiday weekend.

Testing should become a priority only after one has done everything one knows to do within one's span of control, IMHO - and I've yet to run across this happy circumstance in any organization who've asked me about this kind of testing, FWIW.
--- Roland Dobbins rdobb...@cisco.com // +852.9133.2844 mobile All behavior is economic in motivation and/or consequence.
Re: Ethical DDoS drone network
On Jan 6, 2009, at 7:23 AM, David Barak wrote:

In my opinion, the real thing you can puzzle out of this kind of testing is the occasional hidden dependency.

Yes - but if your lab accurately reflects production, you can discover this kind of thing in the lab (and one ought to already have a lab setup which reflects production for many reasons having nothing to do with security).

---
Roland Dobbins rdobb...@cisco.com // +852.9133.2844 mobile
All behavior is economic in motivation and/or consequence.
Re: Ethical DDoS drone network
On Mon, 1/5/09, Roland Dobbins rdobb...@cisco.com wrote:

From: Roland Dobbins rdobb...@cisco.com
Subject: Re: Ethical DDoS drone network
To: NANOG list na...@merit.edu
Date: Monday, January 5, 2009, 6:39 PM

On Jan 6, 2009, at 7:23 AM, David Barak wrote:

In my opinion, the real thing you can puzzle out of this kind of testing is the occasional hidden dependency.

Yes - but if your lab accurately reflects production, you can discover this kind of thing in the lab (and one ought to already have a lab setup which reflects production for many reasons having nothing to do with security).

I agree - having a lab of that type is absolutely ideal. However, the ideal and the real diverge tremendously in large and mid-size enterprise networks, because most enterprises just don't have enough lab equipment to adequately model all of the possible scenarios, and including the cost of a lab in the rollout immediately doubles all capital expenditures. The types of problems that the ultra-large DoS can ferret out are the kind which *don't* show up in anything smaller than a 1:1 or 1:2 scale model.

Consider for a moment a large retail chain, with several hundred or a couple thousand locations. How big a lab should they have before deciding to roll out a new network something-or-other? Should their lab be 1:10 scale? A more realistic figure is that they'll consider themselves lucky to be between 1:50 and 1:100, and that lab is probably understaffed at best. Having a dedicated lab manager is often seen as an expensive luxury, and many businesses don't have the margin to support it.

David Barak
Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com
Re: Ethical DDoS drone network
On Jan 6, 2009, at 8:01 AM, David Barak wrote:

The types of problems that the ultra-large DoS can ferret out are the kind which *don't* show up in anything smaller than a 1:1 or 1:2 scale model.

In my experience, once one has an understanding of the performance envelopes and has built a lab which contains examples of the functional elements of the system (network infrastructure, servers, apps, databases, clients, et. al.), one can extrapolate pretty accurately well out to orders of magnitude. The problem is that many organizations don't do the above prior to freezing the design and initiating deployment.

---
Roland Dobbins rdobb...@cisco.com // +852.9133.2844 mobile
All behavior is economic in motivation and/or consequence.
Re: Ethical DDoS drone network
Roland Dobbins wrote:

In my experience, once one has an understanding of the performance envelopes and has built a lab which contains examples of the functional elements of the system (network infrastructure, servers, apps, databases, clients, et. al.), one can extrapolate pretty accurately well out to orders of magnitude. The problem is that many organizations don't do the above prior to freezing the design and initiating deployment.

Sadly, I think money and time have a lot to do with this. Technology is a moving target, and everyone is constantly struggling to keep up while maintaining performance/security. I've seen this out of software developers, too. I'd say I've seen more outages due to a simple command typed into a router cli crashing the router than DDoS traffic. Perhaps I've been lucky with the latter.

Jack
Where there's a nanog thread there'll be a vendor solution .. Re: Ethical DDoS drone network
On Mon, Jan 5, 2009 at 10:24 PM, BATTLES, TIMOTHY A (TIM), ATTLABS tmbatt...@att.com wrote:

There are some assumptions here. First are you considering volumetric DDOS attacks? Second, if you plan on harvesting wild bots and using them to serve your purpose then I don't see how this can be ethical unless they are just clients from your own network making it less distributed.

I can't believe this .. http://www.iprental.com

Looks like anonymizer combined with what looks almost like a rent a botnet, legit nodes (you sign up to download a client that makes you part of this botnet, etc) http://www.iprental.com/technical/

Speaking of a commercial botnet, there was something similar earlier - but that was a download this bulk mailer type operation, guys called Atriks, who got tracked so extensively by spamhaus that they seem to have kind of disappeared now.

--srs
Re: Where there's a nanog thread there'll be a vendor solution .. Re: Ethical DDoS drone network
This is new to you? Polymorphic anonymizers have been a way of life for a while now.

Jeff

On Mon, Jan 5, 2009 at 7:55 PM, Suresh Ramasubramanian ops.li...@gmail.com wrote:

On Mon, Jan 5, 2009 at 10:24 PM, BATTLES, TIMOTHY A (TIM), ATTLABS tmbatt...@att.com wrote:

There are some assumptions here. First are you considering volumetric DDOS attacks? Second, if you plan on harvesting wild bots and using them to serve your purpose then I don't see how this can be ethical unless they are just clients from your own network making it less distributed.

I can't believe this .. http://www.iprental.com

Looks like anonymizer combined with what looks almost like a rent a botnet, legit nodes (you sign up to download a client that makes you part of this botnet, etc) http://www.iprental.com/technical/

Speaking of a commercial botnet, there was something similar earlier - but that was a download this bulk mailer type operation, guys called Atriks, who got tracked so extensively by spamhaus that they seem to have kind of disappeared now.

--srs

--
Jeffrey Lyon, Leadership Team
jeffrey.l...@blacklotus.net | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.
Look for us at HostingCon 2009 in Washington, DC on August 10th - 12th at Booth #401.
Re: Where there's a nanog thread there'll be a vendor solution .. Re: Ethical DDoS drone network
I can't believe this .. http://www.iprental.com

sheesh! and i thought the rirs had a monopoly on ip address rental. :)

randy
Re: Where there's a nanog thread there'll be a vendor solution ..Re: Ethical DDoS drone network
- Original Message -
From: Randy Bush
Sent: Monday, January 05, 2009 7:30 PM
Subject: Re: Where there's a nanog thread there'll be a vendor solution ..Re: Ethical DDoS drone network

I can't believe this .. http://www.iprental.com

sheesh! and i thought the rirs had a monopoly on ip address rental. :)

randy

I watched the 'Demo Video' and the addresses shown were from ATT and Comcast space. Any idea of what space they might be from in real life or is that part of their secret sauce?

Thanks,
--Michael
Re: Where there's a nanog thread there'll be a vendor solution ..Re: Ethical DDoS drone network
On Tue, Jan 6, 2009 at 12:52 PM, Michael Painter tvhaw...@shaka.com wrote:

I watched the 'Demo Video' and the addresses shown were from ATT and Comcast space. Any idea of what space they might be from in real life or is that part of their secret sauce?

J.Random ADSL / cable space I dare say. Though what said cable / adsl SPs would have to say about reselling of service is an AUP violation is anybody's guess :)

--srs

--
Suresh Ramasubramanian (ops.li...@gmail.com)
Re: Ethical DDoS drone network
I would say to roll your own binary hardcoded to only hit 1 IP address, and have it held on a law enforcement approved network under the supervision of a qualified agent.

0.02

On Sun, Jan 4, 2009 at 8:06 PM, Jeffrey Lyon jeffrey.l...@blacklotus.net wrote:

Say for instance one wanted to create an ethical botnet, how would this be done in a manner that is legal, non-abusive toward other networks, and unquestionably used for legitimate internal security purposes? How does your company approach this dilemma? Our company for instance has always relied on outside attacks to spot check our security and I'm beginning to think there may be a more user friendly alternative. Thoughts?
Re: Ethical DDoS drone network
On Sun, Jan 4, 2009 at 6:06 PM, Jeffrey Lyon jeffrey.l...@blacklotus.net wrote:

Say for instance one wanted to create an ethical botnet, how would this be done in a manner that is legal, non-abusive toward other networks, and unquestionably used for legitimate internal security purposes?

Well, for starters, you would have to own (in the traditional sense) all of the hosts involved. :-)

- ferg

--
Fergie, a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
Re: Ethical DDoS drone network
Super risky. This would be a 99% legal worry plus. Unless all the end points and networks they cross sign off on it the risk is beyond huge.

-jim

--Original Message--
From: Jeffrey Lyon
Sender:
To: na...@merit.edu
Subject: Ethical DDoS drone network
Sent: Jan 4, 2009 10:06 PM

Say for instance one wanted to create an ethical botnet, how would this be done in a manner that is legal, non-abusive toward other networks, and unquestionably used for legitimate internal security purposes? How does your company approach this dilemma? Our company for instance has always relied on outside attacks to spot check our security and I'm beginning to think there may be a more user friendly alternative. Thoughts?

Sent from my BlackBerry device on the Rogers Wireless Network
Re: Ethical DDoS drone network
On 05.01.2009 at 03:06, Jeffrey Lyon wrote:

Say for instance one wanted to create an ethical botnet, how would this be done in a manner that is legal, non-abusive toward other networks, and unquestionably used for legitimate internal security purposes? How does your company approach this dilemma? Our company for instance has always relied on outside attacks to spot check our security and I'm beginning to think there may be a more user friendly alternative. Thoughts?

hello,

http://mirror.informatik.uni-mannheim.de/pub/ccc/streamdump/saal3/Tag3-Saal3-Slot15%3a30--ID3000-hacking_into_botnets-Main-2008-12-29T15%3a30%3a04%2b0100.ogm

and

http://mirror.informatik.uni-mannheim.de/pub/ccc/streamdump/saal3/Tag3-Saal3-Slot16%3a45--ID3000-hacking_into_botnets-Pause-2008-12-29T18%3a30%3a01%2b0100.ogm

have fun!!!

Marc

--
Les Enfants Terribles - WWW.LET.DE
Marc Manthey 50672 Köln - Germany
Hildeboldplatz 1a
Tel.:0049-221-3558032 Mobil:0049-1577-3329231
mail: m...@let.de jabber :m...@kgraff.net
IRC: #opencu freenode.net
PGP/GnuPG: 0x1ac02f3296b12b4d
twitter: http://twitter.com/macbroadcast
web: http://www.let.de
Opinions expressed may not even be mine by the time you read them, and certainly don't reflect those of any other entity (legal or otherwise).
Please note that according to the German law on data retention, information on every electronic information exchange with me is retained for a period of six months.
Re: Ethical DDoS drone network
Refer earlier posts. End points ('drones') would have to be legitimate endpoints, not drones on random boxes. That eliminates legal liability client-side. If the traffic is non abusive then I don't see the risk for the network providers in the middle either.

If it's clearly established that the source (drones), destination (target) are all 'opted in' and there's no 'collateral damage' (in bandwidth terms or otherwise, being the ways in which I see other parties potentially being impacted) I don't know that it's anywhere near as risky as you imply. You'd have to be careful not to trip IDS or similar for all the networks you transit, to avoid impacting on others in the event of some mis-fired responses...

What would be an example legitimate security purpose, except to perhaps drill responses to illegitimate botnets?

Mark.

On Mon, 5 Jan 2009, deles...@gmail.com wrote:

Super risky. This would be a 99% legal worry plus. Unless all the end points and networks they cross sign off on it the risk is beyond huge.

-jim

--Original Message--
From: Jeffrey Lyon
Sender:
To: na...@merit.edu
Subject: Ethical DDoS drone network
Sent: Jan 4, 2009 10:06 PM

Say for instance one wanted to create an ethical botnet, how would this be done in a manner that is legal, non-abusive toward other networks, and unquestionably used for legitimate internal security purposes? How does your company approach this dilemma? Our company for instance has always relied on outside attacks to spot check our security and I'm beginning to think there may be a more user friendly alternative. Thoughts?
Re: Ethical DDoS drone network
On Sun, 4 Jan 2009, Jeffrey Lyon wrote:

Say for instance one wanted to create an ethical botnet, how would this be done in a manner that is legal, non-abusive toward other networks, and unquestionably used for legitimate internal security purposes? How does your company approach this dilemma?

The company I work for has not approached this particular dilemma yet. I'm not sure what legitimate internal security purposes you're looking to fulfill, but I think you need to ask yourself a few questions first (not an all-inclusive list, but food for thought nonetheless):

1. What is the purpose of this legit botnet? In other words, what business objective does it achieve?

2. Do you have the people in-house to write the software, or would you be willing to take a chance on using something that exists 'in the wild'? Depending on how security-minded your shop is, your corporate security folks and legal counsel might take a dim view toward using untrusted software on your internal network, especially if source code is not available. That particular monster can get out of control very quickly.

3. Do you have a sufficient number of machines that are controlled by you to populate this botnet and achieve my goals (see point 1)?

4. How will this botnet be isolated from the rest of your internal network, and would that isolation limit or even negate the botnet's usefulness?

5. If the answer to question 4 is no isolation, how will you demonstrably control the botnet's propagation?

6. Depending on the answer to question 5, there might be regulatory compliance (HIPAA, FERPA, GLB, SOX, internal security/privacy policies, contractual obligations, etc...) issues to consider.

Our company for instance has always relied on outside attacks to spot check our security and I'm beginning to think there may be a more user friendly alternative.

Infection, even for ethical purposes, is still infection.

jms
Re: Ethical DDoS drone network
If the drones send a few packets a second, even say 1000's of pkts per second, its value is not likely to be very meaningful, at least no more so than building an on net resource. To be meaningful you'd want/need something that could simulate a DDoS. Maybe my assumptions are way off base.

You'd also have the concern that if someone 'owned' your 'ethical' botnet being potentially responsible for any damage it caused. Maybe I'm just extra paranoid :)

-jim

--Original Message--
From: Mark Foster
To: deles...@gmail.com
Cc: Jeffrey Lyon
Cc: na...@merit.edu
Subject: Re: Ethical DDoS drone network
Sent: Jan 4, 2009 10:26 PM

Refer earlier posts. End points ('drones') would have to be legitimate endpoints, not drones on random boxes. That eliminates legal liability client-side. If the traffic is non abusive then I don't see the risk for the network providers in the middle either.

If it's clearly established that the source (drones), destination (target) are all 'opted in' and there's no 'collateral damage' (in bandwidth terms or otherwise, being the ways in which I see other parties potentially being impacted) I don't know that it's anywhere near as risky as you imply. You'd have to be careful not to trip IDS or similar for all the networks you transit, to avoid impacting on others in the event of some mis-fired responses...

What would be an example legitimate security purpose, except to perhaps drill responses to illegitimate botnets?

Mark.

On Mon, 5 Jan 2009, deles...@gmail.com wrote:

Super risky. This would be a 99% legal worry plus. Unless all the end points and networks they cross sign off on it the risk is beyond huge.

-jim

--Original Message--
From: Jeffrey Lyon
Sender:
To: na...@merit.edu
Subject: Ethical DDoS drone network
Sent: Jan 4, 2009 10:06 PM

Say for instance one wanted to create an ethical botnet, how would this be done in a manner that is legal, non-abusive toward other networks, and unquestionably used for legitimate internal security purposes? How does your company approach this dilemma? Our company for instance has always relied on outside attacks to spot check our security and I'm beginning to think there may be a more user friendly alternative. Thoughts?

Sent from my BlackBerry device on the Rogers Wireless Network
Re: Ethical DDoS drone network
On Sun, 4 Jan 2009 21:06:34 -0500 Jeffrey Lyon jeffrey.l...@blacklotus.net wrote:

Say for instance one wanted to create an ethical botnet, how would this be done in a manner that is legal, non-abusive toward other networks, and unquestionably used for legitimate internal security purposes? How does your company approach this dilemma?

As long as some part of the system (hosts/networks) from the bots to the target is not under your control or prepared for this sort of activity, you may not get a satisfactory answer on this. It's quite likely these days a third party playing the unwitting participant in this botnet may find it objectionable.

Is creating and running a botnet the answer? What exactly are you trying to protect against? DDoS? There are potentially various sorts of penetration tests and design reviews you could go through as an alternative to running a so-called ethical botnet. Further information on what you're trying to protect against may solicit some useful strategies.

John
Re: Ethical DDoS drone network
On Sun, 4 Jan 2009, John Kristoff wrote:

On Sun, 4 Jan 2009 21:06:34 -0500 Jeffrey Lyon jeffrey.l...@blacklotus.net wrote:

Say for instance one wanted to create an ethical botnet, how would this be done in a manner that is legal, non-abusive toward other networks, and unquestionably used for legitimate internal security purposes? How does your company approach this dilemma?

As long as some part of the system (hosts/networks) from the bots to the target is not under your control or prepared for this sort of activity, you may not get a satisfactory answer on this. It's quite likely these days a third party playing the unwitting participant in this botnet may find it objectionable.

Is creating and running a botnet the answer? What exactly are you trying to protect against? DDoS? There are potentially various sorts of penetration tests and design reviews you could go through as an alternative to running a so-called ethical botnet. Further information on what you're trying to protect against may solicit some useful strategies.

A legal botnet is a distributed system you own. A legal DDoS network doesn't exist. The question is set wrong, no?

John
Re: Ethical DDoS drone network
Agreed, Gadi. It wouldn't be an attack if it were ethical. Technically, that would be load testing or stress testing. Might I suggest this to help? http://www.opensourcetesting.org/performance.php

On Sun, Jan 4, 2009 at 9:55 PM, Gadi Evron g...@linuxbox.org wrote:

On Sun, 4 Jan 2009, John Kristoff wrote:

On Sun, 4 Jan 2009 21:06:34 -0500 Jeffrey Lyon jeffrey.l...@blacklotus.net wrote:

Say for instance one wanted to create an ethical botnet, how would this be done in a manner that is legal, non-abusive toward other networks, and unquestionably used for legitimate internal security purposes? How does your company approach this dilemma?

As long as some part of the system (hosts/networks) from the bots to the target is not under your control or prepared for this sort of activity, you may not get a satisfactory answer on this. It's quite likely these days a third party playing the unwitting participant in this botnet may find it objectionable.

Is creating and running a botnet the answer? What exactly are you trying to protect against? DDoS? There are potentially various sorts of penetration tests and design reviews you could go through as an alternative to running a so-called ethical botnet. Further information on what you're trying to protect against may solicit some useful strategies.

A legal botnet is a distributed system you own. A legal DDoS network doesn't exist. The question is set wrong, no?

John
Re: Ethical DDoS drone network
On Sun, Jan 04, 2009 at 09:55:20PM -0600, Gadi Evron wrote:

A legal botnet is a distributed system you own. A legal DDoS network doesn't exist. The question is set wrong, no?

kind of depends on what the model is. a botnet for hire to red-team my network might be just the ticket.

--bill
Re: Ethical DDoS drone network
On Jan 4, 2009, at 9:18 PM, deles...@gmail.com wrote:

Super risky. This would be a 99% legal worry plus. Unless all the end points and networks they cross sign off on it the risk is beyond huge.

Since when do I need permission of networks they cross to send data from a machine I (legitimately) own to another machine I own? If this were an FTP or other data transfer, would I have any legal issues? And if not, how is that different from load testing using a random protocol?

Before anyone jumps up and down, I know that all networks reserve the right to filter, use TE, or otherwise alter traffic passing over their infrastructure to avoid damage to the whole. But if I want to (for instance) stream a few 100 Gbps and am paying transit for all bits sent or received, since when do I have any legal worries?

You want to 'attack' yourself, I do not see any problems. And I see lots of possible benefits. Hell, just figuring out which intermediate networks cannot handle the added load is useful information.

--
TTFN,
patrick

--Original Message--
From: Jeffrey Lyon
Sender:
To: na...@merit.edu
Subject: Ethical DDoS drone network
Sent: Jan 4, 2009 10:06 PM

Say for instance one wanted to create an ethical botnet, how would this be done in a manner that is legal, non-abusive toward other networks, and unquestionably used for legitimate internal security purposes? How does your company approach this dilemma? Our company for instance has always relied on outside attacks to spot check our security and I'm beginning to think there may be a more user friendly alternative. Thoughts?
Re: Ethical DDoS drone network
On Sun, Jan 4, 2009 at 10:27 PM, bmann...@vacation.karoshi.com wrote:
> On Sun, Jan 04, 2009 at 09:55:20PM -0600, Gadi Evron wrote:
>> A legal botnet is a distributed system you own. A legal DDoS network doesn't exist. The question is set wrong, no?
>
> kind of depends on what the model is. a botnet for hire to red-team my network might be just the ticket.

You probably don't have to entirely own the distributed system for it to be legal. You could just control it with proper authorization. A legal botnet is one whose deployment and operations don't break any laws in any of the relevant jurisdictions. The ways to achieve this are legal considerations, not technical considerations.

I'm not thinking this list is really a good place to ask a question about legality and get an answer you can rely on. You need to confer with your lawyers about how exactly your botnet can or can't be built and still be legal. This may depend on what country your botnet operates in, where you are, where your nodes are, etc. But thoroughly control and restrain every possible factor that could ever make your botnet illegal, and the result should (imho) be legal...

This is not an exhaustive enumeration, but some situations that often make illegal botnets illegal are:

(A) The botnet operator runs code on computers without authorization, or the botnet software exploits security vulnerabilities in victim computers to install without permission, i.e. the operator gains unauthorized access to a computer to deploy botnet nodes, or the software is a worm.

This problem is avoided if you take measures to guarantee you own every node, or if you guarantee you have full permission for every computer you will possibly run botnet software on, to the full extent of the botnet node's activities. And you ensure the botnet software used never automatically spreads itself like a worm. This way, all access you gain to node PCs is authorized.

(B) Botnet node software conducts unauthorized activities after it is installed on the host PC, e.g. theft of services. Perhaps an authorized user of the PC did install the software, but they installed it for an entirely different purpose; the botnet node is hidden software, not noted in the product brochure or other prominent information about the software.

This problem is avoided if you make sure the person giving permission to install the software is aware of the botnet node and all its expected activities, before a botnet node can be brought up.

(C) Traffic generated by a botnet could be illegal. For example, traffic in excess of agreements you have in place, or in violation of your ISP's TOS, TOU, or AUP, may be questionable. Ethically: you need permission from owners of the source and destination networks the botnet generates traffic on, not just the source and destination computers. For example, you have agreements for 10 gigs, but your botnet test accidentally sends 50 gigs towards your remote site, or one of the thousands of nodes saturates a shared link at its local site that belongs to someone else. An attempt to simulate a DDoS against your own network could inadvertently turn out to be a real DoS on someone else's network as well as yours, for example one of your providers' networks.

This is best avoided by maintaining tight control over any distributed stress testing, and massively distributed stress testing should be quarantined by all available means. The destination of any testing must be a computer you have permission to blow up. And the amount of traffic generated by any botnet node on its LAN needs to be acceptable. Always retain rigid controls over any traffic generated, and very strong measures to prevent an unauthorized third party from ever being able to make your nodes generate any traffic.

At a bare minimum, strong PKI (no MD5 or SHA-1) and digitally-signed timestamped commands for starting a test, with some mechanism to prevent unauthorized creation or replay of commands. Plus multiple failsafe mechanisms to allow a test to be rapidly halted, i.e. all nodes ping a control point once every 30 seconds. If two pings are dropped, the node stops in its tracks. So you can kill a runaway botnet by unplugging your control hosts.

--
-J
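The control-plane rules J lays out above (digitally-signed, timestamped start commands, a guard against forged or replayed commands, and a dead-man switch on the 30-second pings), worked through as an added example in Go. This is not code from the thread; Ed25519 stands in for "strong PKI", and the command fields, the two-minute acceptance window and the function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// The 30 s ping and two-dropped-pings rule are from the post; the window is an assumption for this example.
const maxMissed = 2               // consecutive unanswered pings before a node halts
const cmdWindow = 2 * time.Minute // |node clock - Issued| beyond this is refused

var ErrBadSignature = errors.New("command not signed by the controller key")
var ErrStale = errors.New("command timestamp outside the acceptance window")
var ErrReplay = errors.New("command nonce already used")

// StartCommand is the only order a node acts on (hypothetical wire format); every field is under the signature.
type StartCommand struct {
	Target   string // prefix the node may send to, e.g. "10.99.0.0/16"
	RateKbps uint32 // per-node rate cap
	Issued   time.Time
	Nonce    [16]byte // random and one-time, so identical orders stay distinct
}

// encode gives one unambiguous byte string to sign and verify.
func (c StartCommand) encode() []byte {
	b := binary.BigEndian.AppendUint32(nil, uint32(len(c.Target)))
	b = append(b, c.Target...)
	b = binary.BigEndian.AppendUint32(b, c.RateKbps)
	b = binary.BigEndian.AppendUint64(b, uint64(c.Issued.UnixNano()))
	return append(b, c.Nonce[:]...)
}

// Issue is the controller side: build a start order, stamp it with the
// controller's clock and sign it. Nodes hold only the public key.
func Issue(priv ed25519.PrivateKey, target string, rateKbps uint32, now time.Time) (StartCommand, []byte, error) {
	c := StartCommand{Target: target, RateKbps: rateKbps, Issued: now}
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		return c, nil, err
	}
	return c, ed25519.Sign(priv, c.encode()), nil
}

// Node is the harness agent's control-plane state.
type Node struct {
	ctrlPub ed25519.PublicKey
	seen    map[[16]byte]time.Time // nonces still inside the window
	missed  int                    // consecutive unanswered pings
	Running bool
}

func NewNode(ctrlPub ed25519.PublicKey) *Node {
	return &Node{ctrlPub: ctrlPub, seen: map[[16]byte]time.Time{}}
}

// Accept starts the node only for an order that is genuine, fresh and unseen; signature first, so a forgery never touches the nonce cache.
func (n *Node) Accept(c StartCommand, sig []byte, now time.Time) error {
	if !ed25519.Verify(n.ctrlPub, c.encode(), sig) {
		return ErrBadSignature
	}
	if age := now.Sub(c.Issued); age > cmdWindow || age < -cmdWindow {
		return ErrStale
	}
	for nonce, issued := range n.seen { // expired nonces can no longer pass the age check
		if now.Sub(issued) > cmdWindow {
			delete(n.seen, nonce)
		}
	}
	if _, dup := n.seen[c.Nonce]; dup {
		return ErrReplay
	}
	n.seen[c.Nonce] = c.Issued
	n.missed, n.Running = 0, true
	return nil
}

// Ping records one 30 s heartbeat to the control point; two unanswered in a row halt the node, so unplugging the controllers kills a runaway test.
func (n *Node) Ping(answered bool) bool {
	if answered {
		n.missed = 0
		return n.Running
	}
	if n.missed++; n.missed >= maxMissed {
		n.Running = false
	}
	return n.Running
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	node, now := NewNode(pub), time.Now()
	cmd, sig, _ := Issue(priv, "10.99.0.0/16", 5000, now)
	fmt.Println("genuine:", node.Accept(cmd, sig, now), "| replayed:", node.Accept(cmd, sig, now.Add(time.Second)))
	node.Ping(false)
	fmt.Println("running after two dropped pings:", node.Ping(false))
}
```

Two points the post leaves implicit. The nonce cache lives only in the node's memory, so a rebooted node forgets what it has seen; it is the timestamp window, not the cache, that bounds how long a captured command stays useful, which is why the window is kept short. And the dead-man check runs on the node rather than the controller, so it still fires when the controller is exactly the thing that has gone away.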
Re: Ethical DDoS drone network
On Jan 5, 2009, at 2:08 PM, Patrick W. Gilmore wrote:
> You want to 'attack' yourself, I do not see any problems. And I see lots of possible benefits.

This can be done internally using various traffic-generation and exploit-testing tools (plenty of open-source and commercial ones available). No need to build a 'botnet', literally - more of a distributed test-harness. And it must be *kept* internal; using non-routable space is key, along with ensuring that application-layer effects like recursive DNS requests don't end up leaking and causing problems for others.

But before any testing is done on production systems (during maintenance windows scheduled for this type of testing, naturally), it should all be done on airgapped labs, first, IMHO.

And prior to any testing of this sort, it makes sense to review the architecture(s), configuration(s), et. al. of the elements to be tested in order to ensure they incorporate the relevant BCPs, and then implement those which haven't yet been deployed, and *then* test.

In general, I've found that folks tend to get excited about things like launching simulated attacks, setting up honeypots, and the like, because it's viewed as 'cool' and fun; the reality is that in most cases, analyzing and hardening the infrastructure and all participating nodes/elements/apps/services is a far wiser use of time and resources, even though it isn't nearly as entertaining.

---
Roland Dobbins rdobb...@cisco.com // +852.9133.2844 mobile

All behavior is economic in motivation and/or consequence.
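The containment Roland describes (keep the harness on non-routable space, and stop application-layer effects such as DNS lookups from leaking out), as an added egress-policy check a node could consult before sending anything. This is example code, not from the thread or any real tool; treating RFC 1918, RFC 6598 and IPv6 ULA ranges as "non-routable", the single-lab-resolver rule and the names are assumptions.

```go
package main

import (
	"fmt"
	"net"
)

// Space a harness node may ever be pointed at. Assumption for this example:
// RFC 1918, RFC 6598 shared space and IPv6 ULA are what "non-routable" means.
var nonRoutable = mustParse("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "fc00::/7")

func mustParse(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, s := range cidrs {
		_, n, err := net.ParseCIDR(s)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// subnetOf reports whether every address in n lies inside outer.
func subnetOf(n, outer *net.IPNet) bool {
	ones, _ := n.Mask.Size()
	outerOnes, _ := outer.Mask.Size()
	return outer.Contains(n.IP) && ones >= outerOnes
}

// Containment is a node's egress policy (hypothetical, not from any real tool):
// the lab prefixes it may flood and the one resolver it may send DNS to.
type Containment struct {
	testNets    []*net.IPNet
	labResolver net.IP
}

// NewContainment fails closed: every test prefix must sit inside non-routable
// space, and the resolver must itself be a lab host, so a stray name lookup
// has nowhere to recurse to.
func NewContainment(prefixes []string, resolver string) (*Containment, error) {
	c := &Containment{labResolver: net.ParseIP(resolver)}
	if c.labResolver == nil {
		return nil, fmt.Errorf("bad resolver address %q", resolver)
	}
	for _, p := range prefixes {
		_, n, err := net.ParseCIDR(p)
		if err != nil {
			return nil, err
		}
		private := false
		for _, priv := range nonRoutable {
			if subnetOf(n, priv) {
				private = true
				break
			}
		}
		if !private {
			return nil, fmt.Errorf("%s is routable space; test prefixes must be non-routable", p)
		}
		c.testNets = append(c.testNets, n)
	}
	if !c.inLab(c.labResolver) {
		return nil, fmt.Errorf("resolver %s is outside the test prefixes", resolver)
	}
	return c, nil
}

func (c *Containment) inLab(ip net.IP) bool {
	for _, n := range c.testNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Allow is consulted before a node emits anything. Port 53 is the
// application-layer leak from the post: even inside the lab, only the lab
// resolver may receive DNS, since any other host might forward upstream.
func (c *Containment) Allow(dst net.IP, port int) error {
	if !c.inLab(dst) {
		return fmt.Errorf("%s is outside the test prefixes", dst)
	}
	if port == 53 && !dst.Equal(c.labResolver) {
		return fmt.Errorf("DNS to %s refused; only the lab resolver may take queries", dst)
	}
	return nil
}

func main() {
	pol, err := NewContainment([]string{"10.99.0.0/16", "192.168.50.0/24"}, "10.99.0.53")
	if err != nil {
		panic(err)
	}
	for _, tc := range []struct {
		ip   string
		port int
	}{{"10.99.7.7", 80}, {"10.98.0.1", 80}, {"8.8.8.8", 53}, {"10.99.7.7", 53}, {"10.99.0.53", 53}} {
		fmt.Printf("%s:%d -> %v\n", tc.ip, tc.port, pol.Allow(net.ParseIP(tc.ip), tc.port))
	}
}
```

A policy that fails closed at construction time is the point: a typo that puts a public prefix in the test list is refused before the first packet leaves, rather than discovered by whoever owns that prefix. Port 53 is singled out because a query to any other lab host might be forwarded upstream by a resolver that is not airgapped.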
Re: Ethical DDoS drone network
On Jan 5, 2009, at 1:33 AM, Roland Dobbins wrote:
> On Jan 5, 2009, at 2:08 PM, Patrick W. Gilmore wrote:
>> You want to 'attack' yourself, I do not see any problems. And I see lots of possible benefits.
>
> This can be done internally using various traffic-generation and exploit-testing tools (plenty of open-source and commercial ones available). No need to build a 'botnet', literally - more of a distributed test-harness. And it must be *kept* internal; using non-routable space is key, along with ensuring that application-layer effects like recursive DNS requests don't end up leaking and causing problems for others.

We disagree. I can think of several instances where it _must_ be external. For instance, as I said before, knowing which intermediate networks are incapable of handling the additional load is useful information.

> But before any testing is done on production systems (during maintenance windows scheduled for this type of testing, naturally), it should all be done on airgapped labs, first, IMHO.

Without arguing that point (and there are lots of scenarios where that is not at all necessary, IMHO), it does not change the fact that external testing can be extremely useful after air-gap testing.

> And prior to any testing of this sort, it makes sense to review the architecture(s), configuration(s), et. al. of the elements to be tested in order to ensure they incorporate the relevant BCPs, and then implement those which haven't yet been deployed, and *then* test.

You live in a very structured world. Most people live in reality-land where there are too many variables to control, and not only is it impossible to guarantee that everything involved is strict to BCP, but the opposite is almost certainly true. Remember, systems do not work in isolation, and when you touch other networks, weird things happen.

> In general, I've found that folks tend to get excited about things like launching simulated attacks, setting up honeypots, and the like, because it's viewed as 'cool' and fun; the reality is that in most cases, analyzing and hardening the infrastructure and all participating nodes/elements/apps/services is a far wiser use of time and resources, even though it isn't nearly as entertaining.

Here we agree: Entertainment has (should have?) nothing to do with it.

--
TTFN,
patrick
Re: Ethical DDoS drone network
On Mon, 5 Jan 2009, Patrick W. Gilmore wrote:
> On Jan 5, 2009, at 1:33 AM, Roland Dobbins wrote:
>> On Jan 5, 2009, at 2:08 PM, Patrick W. Gilmore wrote:
>>> You want to 'attack' yourself, I do not see any problems. And I see lots of possible benefits.
>>
>> This can be done internally using various traffic-generation and exploit-testing tools (plenty of open-source and commercial ones available). No need to build a 'botnet', literally - more of a distributed test-harness. And it must be *kept* internal; using non-routable space is key, along with ensuring that application-layer effects like recursive DNS requests don't end up leaking and causing problems for others.
>
> We disagree. I can think of several instances where it _must_ be external. For instance, as I said before, knowing which intermediate networks are incapable of handling the additional load is useful information.
>
>> But before any testing is done on production systems (during maintenance windows scheduled for this type of testing, naturally), it should all be done on airgapped labs, first, IMHO.
>
> Without arguing that point (and there are lots of scenarios where that is not at all necessary, IMHO), it does not change the fact that external testing can be extremely useful after air-gap testing.

Fine, test it by simulation on you or the transit end of the pipes. Do not transmit your test sh?t data across the `net.

That solves that question? :)
Re: Ethical DDoS drone network
On Jan 4, 2009, at 11:11 PM, Gadi Evron wrote:
> On Mon, 5 Jan 2009, Patrick W. Gilmore wrote:
>> On Jan 5, 2009, at 1:33 AM, Roland Dobbins wrote:
>>> On Jan 5, 2009, at 2:08 PM, Patrick W. Gilmore wrote:
>>
>> I can think of several instances where it _must_ be external. For instance, as I said before, knowing which intermediate networks are incapable of handling the additional load is useful information.
>>
>>> But before any testing is done on production systems (during maintenance windows scheduled for this type of testing, naturally), it should all be done on airgapped labs, first, IMHO.
>>
>> Without arguing that point (and there are lots of scenarios where that is not at all necessary, IMHO), it does not change the fact that external testing can be extremely useful after air-gap testing.
>
> Fine, test it by simulation on you or the transit end of the pipes. Do not transmit your test sh?t data across the `net.

How do you propose a model is built for the simulation if you can't collect data from the real world? This is not sh?t data. Performance testing across networks is very real and happening now. The more knowledge I have of a path, the better decisions I can make about that path.

Kris
Re: Ethical DDoS drone network
On Jan 5, 2009, at 3:04 PM, Patrick W. Gilmore wrote:
> I can think of several instances where it _must_ be external. For instance, as I said before, knowing which intermediate networks are incapable of handling the additional load is useful information.

AUPs are a big issue, here..

> Without arguing that point (and there are lots of scenarios where that is not at all necessary, IMHO), it does not change the fact that external testing can be extremely useful after air-gap testing.

Agree completely.

> You live in a very structured world.

The idea is to instantiate structure in order to reduce the chaos. ;

> Most people live in reality-land where there are too many variables to control, and not only is it impossible to guarantee that everything involved is strict to BCP, but the opposite is almost certainly true.

Nothing's perfect, but one must do the basics before moving on to more advanced things. The low-hanging fruit, as it were (and of course, this is where scale becomes a major obstacle, in many cases; the fruit may be hanging low to the ground, but there can be a *lot* of it to pick).

> Remember, systems do not work in isolation, and when you touch other networks, weird things happen.

One ought to get one's own house in order first, prior to looking at externalities. Agree with you 100% that they're important, but one must do what one can within one's own span of control, first.

> Here we agree: Entertainment has (should have?) nothing to do with it.

Implementing BCPs is drudgery; because of this, it often receives short shrift.

---
Roland Dobbins rdobb...@cisco.com // +852.9133.2844 mobile

All behavior is economic in motivation and/or consequence.