nanog mailing list archives

Re: DDOS anecdotes


From: Charles Sprickman <spork () inch com>
Date: Sun, 24 Jun 2001 17:55:03 -0400 (EDT)


On Sat, 23 Jun 2001, Mikael Abrahamsson wrote:

> Some of you may find http://grc.com/dos/grcdos.htm
> very interesting.
>
> This presses the issue of spoof filtering even harder.

Not really, the attack was unspoofed.  It seems the area that needs more
work (outside of Windows itself), is educating abuse departments on how to
respond when a customer's box is attacking someone and the user is unaware
of it.

Charles

> Question is, how do we solve all this. One measure could be something I
> have tried to press since 1996 or so, but I do not know how to implement
> it and nobody else seems to be interested in it:
>
>  Unique identification of users.
>
> Let's say we can set some kind of nameserver record in the in-addr.arpa
> zone pointing to some kind of standardised ident server (or
> ident-equivalent) for a certain IP. This way ISPs could build systems that
> can provide some kind of unique identifier that could be used for logging
> accesses from an IP. In retrospect this identifier could be used when
> reporting issues to an ISP to speed up their work of identifying the
> physical connection the access was initiated from. Same thing could be
> used by a NAT or PAT device to provide some kind of tracking as to what
> internal (hidden) IP was actually doing the access thru the NAT/PAT
> device.
>
> ISPs could then presumably make some kind of system so you could email a
> certain address with the unique identifier in the subject or TO: line and
> this email would be forwarded to the user in question (or to the admin of
> the site if it's a corporate site). Yes, spam would have to be dealt with,
> but I'm sure it's doable.
>
> This in combination with spoof filtering should make all our work a little
> easier, right? Any takers?
>
> Before I proposed that terminal servers could intercept the standard 113
> identd requests sent to a certain IP and answer them itself (since the
> device presumably has login information about users on its ports) but I
> got no response to that either, a couple of years back.
>
> --
> Mikael Abrahamsson    email: swmike () swm pp se
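The mechanism Mikael proposes in the quoted message (a terminal server or NAT device answering the standard port-113 ident query for a session with an identifier that an abuse desk can quote back to the ISP), shown here as an added example that is not part of the thread: a minimal RFC 1413 responder and querier in Python. The session table, its opaque tokens, the use of an ephemeral loopback port instead of 113, and the "0 , 0" placeholder pair for unparseable requests are assumptions of this example, not something the thread specifies.

```python
"""Minimal RFC 1413 (ident) responder and querier. Added example: shows how an
intermediate device could answer port-113 queries with an opaque per-session
token instead of a login name. All session data below is constructed."""
import re
import socket
import threading

# Constructed session table keyed by (port-on-server, port-on-client), where
# "server" is the host being queried, as RFC 1413 defines it. A real terminal
# server or NAT box would fill this from its login or translation state.
# The values are opaque tokens an abuse desk can quote, not user names.
SESSIONS = {
    (25, 40123): "line-07-2001-06-24T2130",  # constructed
    (80, 40200): "line-12-2001-06-24T2142",  # constructed
}

REQUEST_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")
REPLY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")


def parse_request(line):
    """Parse "server-port , client-port"; None if malformed or a port is
    outside 1..65535."""
    m = REQUEST_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    sp, cp = int(m.group(1)), int(m.group(2))
    if not (1 <= sp <= 65535 and 1 <= cp <= 65535):
        return None
    return sp, cp


def build_reply(line, sessions=SESSIONS):
    """Responder side: turn one request line into one RFC 1413 reply line."""
    ports = parse_request(line)
    if ports is None:
        # INVALID-PORT error; "0 , 0" is this example's placeholder pair
        # because there are no valid ports to echo back.
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    sp, cp = ports
    token = sessions.get((sp, cp))
    if token is None:
        return f"{sp} , {cp} : ERROR : NO-USER\r\n"
    # Opsys "OTHER" tells the querier the identifier is not a login name.
    return f"{sp} , {cp} : USERID : OTHER : {token}\r\n"


def parse_reply(line):
    """Querying side (e.g. a logging proxy or abuse tool): dict or None."""
    m = REPLY_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    sp, cp, kind, rest = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
    if kind == "ERROR":
        return {"ports": (sp, cp), "error": rest}
    opsys, _, ident = rest.partition(":")
    return {"ports": (sp, cp), "opsys": opsys.strip(), "ident": ident.strip()}


def run_exchange(request_line, sessions=SESSIONS):
    """Drive one complete query over loopback TCP on an ephemeral port (a real
    responder would listen on 113) and return the parsed reply."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_one():
        conn, _ = srv.accept()
        with conn:
            data = b""
            while not data.endswith(b"\n") and len(data) < 64:
                chunk = conn.recv(64)
                if not chunk:
                    break
                data += chunk
            reply = build_reply(data.decode("ascii", "replace"), sessions)
            conn.sendall(reply.encode("ascii"))

    t = threading.Thread(target=serve_one)
    t.start()
    with socket.create_connection(srv.getsockname()) as c:
        c.sendall(request_line.encode("ascii") + b"\r\n")
        reply = b""
        while not reply.endswith(b"\n"):
            chunk = c.recv(256)
            if not chunk:
                break
            reply += chunk
    t.join()
    srv.close()
    return parse_reply(reply.decode("ascii", "replace"))


if __name__ == "__main__":
    print(run_exchange("25 , 40123"))  # known session: opaque token
    print(run_exchange("25 , 1"))      # unknown pair: NO-USER
    print(run_exchange("garbage"))     # malformed: INVALID-PORT
```

The point of returning an opaque token under opsys OTHER is that the querier learns nothing about the account behind the session, while the ISP can still map the token to a port, line or NAT translation when a complaint arrives quoting it.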


