> I still have difficulties with the concept of considering the idea of
> showing IPs to ops on a channel a security breach, but I heard some
> interesting ideas in the last few days...

1. First of all, due to the privacy concerns, coder-com really isn't the place
for this; it's up to the Undernet admins to decide how to handle it.

> Some were talking about complaining to Undernet authorities so they would be
> able to retrace who's who and contact ISPs. That's nice in theory... but
> sincerely, I don't think this could work. First of all, I'm not sure there
> are opers that have that much time to offer... And he would need to act during
> the attack, a fact that is quite problematic since the people who are attacked
> aren't online at the moment of the attack. (peer or timeout casualties) But
> if you want to try it I'll try this.

2. Any usernames being used for clones/flooding should be logged and
reported to [EMAIL PROTECTED] (they can investigate the usernames
and stop their use, if necessary).

> About /Gen comment. We do not have any op or flood problem, the problem is
> the DDoS one and since you admit that a user cannot directly act upon this,
> at least when we contacted the responsible ISP, those computers weren't used
> anymore to flood us. Yes, this could seem pointless since attackers will find
> new ones... I know... but if nobody complains to ISPs, if this does not become
> sufficiently annoying, ISPs will not take the problem seriously, lawsuits will
> not force them to be careful about security, etc. Anyway, maybe I am the
> only one, but in my little world, since there isn't real security in TCP/IP
> and I know it, I decided a long time ago to inform by one mail each and
> every ISP that is being used for DDoS or illegal activities that they were.
> Hoping (maybe I'm simply stupid but I don't see another way to make
> the internet work) that someday this movement will have some level of impact. My
> sole point is that Undernet is now trying to help their users and that's
> nice, but they are misguided in blocking any trace option on abusers. (My
> humble and respectful opinion)

3. Since DDoS isn't done over IRC, all you need to be careful of is making
sure you are logged into your username in order to stop them from getting
your address to target; that's all Undernet can really offer on the subject.

> For Chris Crowther [[EMAIL PROTECTED]] argument stating that "That's a
> specious argument, if law enforcement want information, they'll just ask for
> it.". Can I simply say that you're quite right, but that your comment is
> purely a theoretical one? If I go to the police station stating that DuDe123 on
> the Undernet network was attacking my internet connection (from 100 proxies
> but that he was claiming it) and that I do not know his ISP, IP or anything
> about him other than the fact that he is using alternatively username1,
> username2 or username3 on Undernet, this won't go very far? Maybe after a
> while they'll contact the Undernet administrators and get the email that was
> used to register those mails... maybe they'll go back until they stop on a
> free email account somewhere in Timbuktu. This will not help very much...
> anyway not as much as a solid IP+timestamp would. But you know what, I
> promise I will try this also... we'll see :o)

See my 2nd comment

> About X command for complaining.. this could at least give us a tool for
> complaining... But I have an even better suggestion for you... That would
> work simply and still cover the privacy of anyone... By a simple procedure,
> you could create a forwarding email address for every account in real
> time...

4. Breaks the whole privacy thing; in order to keep their email private, we
cannot set up email that would forward to their address. (That is not why
they gave the address in the first place.)

> - This would be triggered when an email would be sent to
> [EMAIL PROTECTED] or when a person would enter text and a
> username into a form at http://ISPabuse.undernet.org.
> - The mail would be sent to abuse@ for the ISP of the online person who is
> using the username, using a simple rule of 'the 2 last sections of any
> domain name unless the 2 last sections are 2 letters each and then use a
> three-section domain name'... I know this is not a universal solution...
> - You could preface the mail by a warning from Undernet stating how the
> email was sent and why (...).

5. This would not work; most of the addresses/hosts the "attackers" might
use would not fit into that nice programmable bubble as implied above.
6. Would not work for those people whose usernames have been hacked (either
by their computer being hacked or they fell for one of those stupid requests
for passwords that have become popular today).
 
> I think this could be used to contact over 80% of the ISPs... helping a lot
> and giving the choice to ISPs of how or if they want to disclose their IPs
> (...) by responding to the email... All without giving away the identity of
> the person behind the username.

See my 5th comment

> About a special channel mode. I see one way of doing it that wouldn't be too
> hard to create...
> - Assume that the mode is +h (I don't have a list of used channel modes for
> all networks...)
> - When a +x person tries to join a +h channel, do 3 things.
> 1- issue a msg, something like: BE WARNED: if you join this channel, your
> real hostname will be seen by all channel operators.
> 2- stop the person from joining the channel
> 3- issue an invite on the nickname
7. All but 3- would work (due to stupid clients with auto-join), but this is
still an Undernet admins' decision.

> One last comment... About those who say that we could maybe manage with a
> channel for reporting abuse, or sending emails to [EMAIL PROTECTED] Do
> you realise that there is no proof on the Undernet side of such an abuse?
> What I mean is that if SomeIdiot comes to my channel saying 'You shouldn't
> have banned me, see what happened?' and I send this to an oper or
> [EMAIL PROTECTED], will you take me seriously? I can as well provide a
> server log showing 100 IPs DDoS-ing ... but the probability of the IP of
> SomeIdiot being in that log is about 0. So.. in that case, will opers act
> anyway? What about forged logs? Don't forget that at least ISPs can see in
> their logs if the user was contacting the IPs used for the DDoS. Yes, there
> could be some other level of proxies, but at least they can pass along the
> information to the other ISP(?). What can an oper do... will they send the
> complaint to the ISP automatically, stating the original complaint without
> regard to the nature of the proofs? Those questions will maybe seem trivial
> but I must state that the last times I contacted [EMAIL PROTECTED] I
> received either no answer or some comment asking for solid proof; such things
> aren't possible... about all logs can be forged :-I Well, on this point also
> I promise I'll try it again before anything else.

8. See my 3rd comment, use [EMAIL PROTECTED] for the clones, they too
cannot really do anything about that which is not done on Undernet itself


As I pointed out in my 1st comment, the majority of this is the Undernet
admins' concern, not coder-com's. The issue is not can something be coded (of
course it can), but can it be done without breaking privacy (definitely
not), therefore not a coder-com issue until the Undernet admins make it one.

-- 
xplora is the wakco tanewha


-- 
http://www.mediadesign.school.nz/
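
The abuse@ derivation rule quoted in the thread and the objection raised in point 5, worked through as an added example that is not part of the original messages or of any Undernet code. The function names and sample hostnames are constructed for illustration; the rule is implemented exactly as quoted, so the cases where it lands on a registry suffix or has no name to work on are visible.

```python
import ipaddress

# Constructed sample hosts (not from the thread); nothing is sent anywhere.
SAMPLE_HOSTS = [
    "dialup-12.pool.example.net",   # generic TLD
    "cpe-4.cable.example.co.uk",    # last two labels are two letters each
    "adsl-7.example.com.au",        # country suffix with a three-letter label
    "192.0.2.44",                   # client with no reverse DNS
    "localhost",                    # single label
]


def abuse_address(host):
    """Apply the quoted rule to one hostname.

    Returns the derived abuse@ address, or None when the rule has no
    domain name to work on (bare IP address, single-label or empty name).
    """
    host = host.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return None  # an IP address has no "sections" to pick from
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2 or not all(labels):
        return None
    if all(len(label) == 2 for label in labels[-2:]):
        # "2 letters each": keep three sections, if the name has that many.
        if len(labels) < 3:
            return None
        return "abuse@" + ".".join(labels[-3:])
    return "abuse@" + ".".join(labels[-2:])


def derive_all(hosts):
    """Map each host to the address the rule produces (None = not derivable)."""
    return {host: abuse_address(host) for host in hosts}


if __name__ == "__main__":
    for host, addr in derive_all(SAMPLE_HOSTS).items():
        print(f"{host:30} -> {addr}")
```

The `com.au` host resolves to an address at the country suffix rather than at an ISP, and the IP-only and single-label clients yield nothing to mail.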
