North American Network Operators Group

Re: DDOS anecdotes

  • From: Charles Sprickman
  • Date: Sun Jun 24 18:00:36 2001

On Sat, 23 Jun 2001, Mikael Abrahamsson wrote:

> > Some of you may find http://grc.com/dos/grcdos.htm
> > very interesting.
>
> This presses the issue of spoof filtering even harder.

Not really, the attack was unspoofed.  It seems the area that needs more
work (outside of Windows itself) is educating abuse departments on how to
respond when a customer's box is attacking someone and the user is unaware
of it.

Charles

> Question is, how do we solve all this. One measure could be something I
> have tried to press since 1996 or so, but I do not know how to implement
> it and nobody else seems to be interested in it:
>
>  Unique identification of users.
>
> Let's say we can set some kind of nameserver record in the in-addr.arpa
> zone pointing to some kind of standardised ident server (or
> ident-equivalent) for a certain IP. This way ISPs could build systems that
> can provide some kind of unique identifier that could be used for logging
> accesses from an IP. In retrospect this identifier could be used when
> reporting issues to an ISP to speed up their work of identifying the
> physical connection the access was initiated from. Same thing could be
> used by a NAT or PAT device to provide some kind of tracking as to what
> internal (hidden) IP was actually doing the access thru the NAT/PAT
> device.
>
> ISPs could then presumably make some kind of system so you could email a
> certain address with the unique identifier in the subject or TO: line and
> this email would be forwarded to the user in question (or to the admin of
> the site if it's a corporate site). Yes, spam would have to be dealt with,
> but I'm sure it's doable.
>
> This in combination with spoof filtering should make all our work a little
> easier, right? Any takers?
>
> Before, I proposed that terminal servers could intercept the standard 113
> identd requests sent to a certain IP and answer them itself (since the
> device presumably has login information about users on its ports) but I
> got no response to that either, a couple of years back.
>
> --
> Mikael Abrahamsson    email: [email protected]
>