In recent years the certified ethical hacker program has taken off and grown in popularity. I have been a certified ethical hacker for about 5 years now, and I have had many people ask me exactly what it means to be “ethical” in hacking. Before joining the good guys' side, the “ethical” side of hacking, I conducted penetration tests and DDoS testing for many private companies, mostly hosting and shell providers. The difference between then and now is how I conduct myself and the methods I use to make sure I am not violating anyone's privacy or stepping into the illegal or gray areas of the law.
One of my concerns in the security world today is the never-ending and virtually unstoppable problem of DDoS attacks. For instance, there is no real way that an “ETHICAL” hacker can conduct a true and powerful DDoS test against a network. Yes, I know there are many companies out there that claim they can simulate a DDoS attack, but rest assured they cannot test for a true real-world “in the wild” DDoS attack. For one thing, they don’t have access to the 0day DDoS tools that are used in the underground, and secondly, they simply cannot afford to purchase enough bandwidth to launch a massive DDoS attack. Such attacks in the real world, from groups like Anonymous, use literally thousands of high-bandwidth *nix network servers from around the world and may have as many as a hundred thousand Windows-based, slower-connection trojaned computers, most of which traverse firewalls and connect clients to IRC channels so as to avoid leaving traces on the victim's computer.
These real-world DDoS attacks could potentially generate as much as a petabyte a second of bandwidth at a target or its uplink, which will knock any connection offline. An old friend of mine, “mafiaboy”, tried to prove his point to the world that we need to do something about this problem and that DDoS attacks are unstoppable when he took down eBay, Amazon and VISA at the same time, costing millions of dollars in damage and eventually putting him in jail.
So the real question and point of this post is: how do we as security experts, administrators, consultants, workers, etc., approach DDoS protection when we cannot legally have our servers tested against a large-scale attack? I know that, unethically, I could go and root a thousand servers and test a DDoS attack using their bandwidth, but that is not ethical, and now as an adult I see that it is completely wrong and misguided.
Please let me know your thoughts and opinions on the matter…