
Re: Proposal: the 'token' solution - Informal part



On Sat, Feb 19, 2000 at 03:37:34PM +0100, Virginie wrote:
> > 'Cookie' for obvious reasons). This token will be assigned
[...]
> > lives for a short time (15 minutes?).
> 
> Ok, so now, warclans will packets clients 16 minutes?
> fix limit at 20 and they'll packets 21 mins, etc etc ..
[...]
> Sorry but I don't think that resolves anything.

Okay, it seems I need to make something clear...

The 'token' solution does *not* help against attacking servers.
In fact, it is not even wanted to do this.
Help against attacking servers needs other things to fix.

The goal of the token approach is to help against attacking
users/clients.
If a client gets attacked, it ping timeouts (bad disconnect,
its token gets 'hot'). If the token is requested then, it
gets assigned to the requesting client (it's authorized to
get it, because it knows the key - something like a one-time
password to access the token). This requesting client must
not necessarily be the same as the dead client - it can have
another IP, another Ident response, another Nick.

This means, if a client gets smurfed, it just reconnects.
If the whole ISP of that client gets smurfed, the user
just chooses another ISP.

And they cannot smurf every ISP all over the world - they
cannot even smurf all ISPs of one country - without
quickly getting in contact with some law enforcement.
This risk grows if you keep the attack for a long time and/or
if you attack many targets.
So the attacker has the choice - growing the risk of getting
caught and keeping up the attack, or finishing the attack and
losing.

And the attacked client only needs a short time - connect,
assign new token, join (with regain modes) - if it disconnects
then, it has a new token.

And because most clients on one channel are connected to
different servers, it doesn't help to smurf a server either
(at least in this case).

I repeat: We DO NOT try to fix and we DO NOT fix the problem
"attacking server and abusing the instability of the net".
I, for myself, fix that on my server in such a way that I
don't accept connections if my server-to-server connections
are broken (not in ircd code but at the IP/TCP level).


regards,
   Mario
-- 
Mario 'BitKoenig' Holbe <Mario.Holbe@xxxxxxxxxxxxxxxx>
http://WWW.RZ.TU-Ilmenau.DE/~holbe/

Users are like ideal gases - they spread evenly across all disks
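
Added example, not part of the original message and not ircd code: a minimal Python model of the token lifecycle described in this message (assign, 'hot' after a bad disconnect, reclaim by key from any IP/ident/nick, fresh token afterwards). The class and method names, the SHA-256 key check and the 15-minute lifetime (the value floated with a question mark in the thread) are assumptions.

```python
import hashlib
import hmac
import secrets

HOT_TTL = 15 * 60  # assumption: the "15 minutes?" floated in the thread


class TokenRegistry:
    """Hypothetical server-side model of the token idea."""

    def __init__(self):
        self._tokens = {}  # token id -> state dict

    def assign(self, modes):
        """Give a connected client a token id plus the secret key for it."""
        token_id, key = secrets.token_hex(8), secrets.token_hex(16)
        self._tokens[token_id] = {
            "key_hash": hashlib.sha256(key.encode()).digest(),
            "modes": set(modes),   # what a later join may regain
            "hot_since": None,     # set only by a bad disconnect
        }
        return token_id, key

    def bad_disconnect(self, token_id, now):
        """Ping timeout: the token becomes 'hot' and may be requested."""
        self._tokens[token_id]["hot_since"] = now

    def reclaim(self, token_id, key, now):
        """Hand a hot token to whoever knows its key. Nothing about the
        requester's IP, ident or nick is checked, by design.
        Returns (new_token_id, new_key, modes) or None."""
        state = self._tokens.get(token_id)
        if state is None or state["hot_since"] is None:
            return None                     # unknown, or owner still online
        if now - state["hot_since"] > HOT_TTL:
            del self._tokens[token_id]      # short lifetime is over
            return None
        offered = hashlib.sha256(key.encode()).digest()
        if not hmac.compare_digest(offered, state["key_hash"]):
            return None                     # wrong key, token stays hot
        del self._tokens[token_id]          # one-time use: old token is gone
        new_id, new_key = self.assign(state["modes"])
        return new_id, new_key, state["modes"]
```

Time is passed in as `now` (seconds) so the lifetime check can be exercised without waiting.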