AV> Date: Wed, 1 Jan 2003 19:30:00 -0800 (PST)
AV> From: Avleen Vig

AV> Tracing back an IP from bind logs to see which name servers
AV> looked up an attacked address immediately before the attack
AV> started. This at least leads to the offender's ISP which is a good
AV> start.

1) <x> compromised hosts form a botnet via IRC
2) A human gives the command to start the attack
3) One of the compromised hosts performs the DNS lookups
4) Destination IP is returned to the channel
5) Random delay
6) Attack begins
7) Repeat steps 3-6

I don't see how "tagging" or changing IP addresses does much to
mitigate a botnet (a DDoS has to be coordinated somehow) attack.

<wolkenkuckucksheim>
Let DNS return a token that expires after <x> seconds, a la KRB
tickets or SSH. When requesting a connection, the ticket is
presented as one of the IP options. The ticket space should be
sparse enough to expose brute-force guessing attempts.

Those of us who like typing IP addresses would need an alternate
mechanism and/or to change our behavior. One paragraph of random
rambling can't solve all the Internet's problems. ;-)
</wolkenkuckucksheim>

Anyone interested in website or email that can only be viewed by
people who have installed a new, improved IP stack? (Looking at
the number of Codered/Nimda/etc. scans in logs, something tells
me protocol modifications are out...)

#include <technical-vs-social.h>
#include <how-much-of-the-internet-are-we-willing-to-ignore.h>

Is the problem technical or social? If it were mostly the
former, I think we'd have made much more progress by now.

I hope IPv6 has the right features and works well. IPv4 is
badly entrenched; IPv6 will be worse. (And, please, I don't need
any kooky messages about IPv8 or IPv16 like the ones I sometimes
get after posting.)


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@brics.com>
To: blacklist@brics.com
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <blacklist@brics.com>, or you are likely to
be blocked.
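
The log correlation discussed in this message, sketched as an added example (not code from the post or from either poster): it lists which resolver addresses queried an attacked name in the minutes before the attack began. The BIND 9 style query-log format, the sample lines, the host names and the attack time are all constructed assumptions; the result identifies recursive resolvers or the single host that did the lookup, not every attacking machine.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in an assumed BIND 9 query-log layout; adjust LINE_RE
# to match what your named version actually writes.
SAMPLE_LOG = """\
01-Jan-2003 19:12:41.102 client 192.0.2.53#32801: query: www.victim.example IN A
01-Jan-2003 19:27:10.551 client 198.51.100.7#4312: query: www.victim.example IN A
01-Jan-2003 19:28:03.004 client 203.0.113.20#1029: query: mail.other.example IN MX
01-Jan-2003 19:29:15.730 client 198.51.100.7#4313: query: WWW.victim.example. IN A
01-Jan-2003 19:29:48.219 client 203.0.113.99#53: query: www.victim.example IN A
01-Jan-2003 19:31:02.000 client 192.0.2.53#32850: query: www.victim.example IN A
"""
ATTACK_START = datetime(2003, 1, 1, 19, 30, 0)  # constructed incident time

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})(?:\.\d+)? "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)

def resolvers_before_attack(log_text, victim, attack_start, window_minutes=5):
    """Map resolver IP -> query times for lookups of `victim` inside the
    window ending at attack_start; the latest lookup is listed first."""
    victim = victim.rstrip(".").lower()          # DNS names are case-insensitive
    window_start = attack_start - timedelta(minutes=window_minutes)
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("name").rstrip(".").lower() != victim:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        if window_start <= ts < attack_start:    # ignore lookups after onset
            hits.setdefault(m.group("ip"), []).append(ts)
    return dict(sorted(hits.items(), key=lambda kv: max(kv[1]), reverse=True))

if __name__ == "__main__":
    found = resolvers_before_attack(SAMPLE_LOG, "www.victim.example", ATTACK_START)
    for ip, times in found.items():
        print(ip, [t.strftime("%H:%M:%S") for t in times])
```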