The "obvious" way to avoid the DNS issue is to have a static 
address for the client to find the server, and then hand the built 
connection off to the thing that shuffles IPs.
  Of course, that static address becomes the obvious target for, if 
not intrusions, DoS attacks, and *if this is in fact how it works* 
the IP shuffling doesn't do a lot more than session encryption would.

  The other possibility I can think of is to use a special 
client/driver that, given a "base address" -- perhaps retrieved via 
DNS -- is able to calculate what the address of the moment is.  Two 
issues with THAT:  how many client machines' clocks are routinely 
accurate to within a second, and what about network latency between 
client and server?

David Gillett


On 13 Jun 2001, at 10:23, Dean Michael Dorman wrote:

> Seems like security through obscurity revamped.  I agree that the dns
> servers would have a hard time keeping up and would imply also that the
> s'kiddies launching these attacks are launching against specific IPs and
> not resolvable domain names.  Logic Breakdown #1.  Paul is right on  -
> if a customer can connect, so can a hacker.  If I start a SYN flood (or
> whatever the DoS du jour is) to MyDomain.com then it doesn't matter what
> the IP of that second is, something needs to provide a vehicle for the
> legit customer to access that resource.  My opinion, this is just some
> 'new technology' for the sake of having some new technology.
> 
> (Just my 1/6 peso)
> 
> Dean Michael Dorman
> Network Administrator
> 
> -----Original Message-----
> From: Paul Murphy [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 13, 2001 8:45 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Has anyone heard of this?
> 
> 
> 
> Sounds... nonsense.
> 
> If you have a service that the outside world needs to connect to, then
> you have to provide a way for that to happen.  A "hacker" can connect by
> the same mechanism.
> 
> If this is intended to make snooping more difficult, which is implied by
> the article, then so what really.  Who sniffs anyway?
> 
> 
> >>> "Eric Johnson" <[EMAIL PROTECTED]> 6/13/2001 11:43:03 am >>>
> From <http://news.zdnet.co.uk/story/0,,s2087257,00.html>:
> 
>       The new system can change the cyber-addresses 
>       on a network faster than once a second, cloaking 
>       them from all but authorized parties, said Victor 
>       Sheymov -- founder, president, and chief executive 
>       of Invicta Networks. 
> 
>       ...
> 
>       Standard approaches to computer security rely on 
>       encryption, or data scrambling, plus devices such 
>       as firewalls aimed at screening out abnormal traffic 
>       patterns that look threatening. 
> 
>       But any network protected this way is a sitting duck 
>       for a determined hacker, Invicta said. Instead, it 
>       puts the network in cybermotion through a 
>       continuous change of "Internet Protocol" addresses -- 
>       the chain of digits underlying the Web to route traffic 
>       to its destination. 
> 
>       The Invicta system uses special cards to link 
>       protected computers to a central control unit. It lets 
>       clients decide how often they wish to vary IP addresses 
>       and specify which applications may be accessed on 
>       their network. The number of IP addresses drawn on may 
>       be in the billions thanks to an artificial increase in 
>       cyberspace, Sheymov said. 
> 
> I've been pretty busy lately so this could have been discussed on 
> this mailing list and I could easily have missed it.
> 
> Anyway, changing ip addresses once a second would seem to 
> make it pretty tough for DNS servers to keep up.  And even tougher 
> on maintaining a connection to the host.
> 
> Eric Johnson
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
> 
> 
> ------------------------------------------------------------------------
> CRESTCo Ltd.             The views expressed above are not necessarily
> 33 Cannon Street.        those held by CRESTCo Limited.
> London  EC4M 5SB (UK)
> +44 (020) 7849 0000     http://www.crestco.co.uk
> ------------------------------------------------------------------------
> 
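
Added example, not part of the original messages and not Invicta's actual mechanism (which the thread does not describe): a sketch of the "calculate the address of the moment" idea from the top message, showing how client clock skew and network latency force the server to accept a window of time slots. The shared secret, the HMAC-SHA256 derivation, the IPv6 documentation prefix and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

SLOT_SECONDS = 1.0                                    # one address change per second
BASE_NET = ipaddress.ip_network("2001:db8:0:1::/64")  # documentation prefix (constructed)
SECRET = b"constructed-shared-secret"                 # constructed key for the example


def address_for_slot(slot: int) -> ipaddress.IPv6Address:
    """Derive the 'address of the moment' for one time slot from the shared secret."""
    digest = hmac.new(SECRET, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return BASE_NET.network_address + int.from_bytes(digest[:8], "big")


def slot_at(t: float) -> int:
    """Time-slot counter for a clock reading in seconds."""
    return int(t // SLOT_SECONDS)


def server_accepts(dst, server_time: float, tolerance_slots: int) -> bool:
    """Server side: is dst valid for any slot within +/- tolerance of its own slot?"""
    now = slot_at(server_time)
    window = range(now - tolerance_slots, now + tolerance_slots + 1)
    return any(address_for_slot(s) == dst for s in window)


def connect_attempt(true_time, clock_skew, latency, tolerance_slots) -> bool:
    """Client computes dst from its skewed clock; the packet arrives `latency` later."""
    dst = address_for_slot(slot_at(true_time + clock_skew))
    return server_accepts(dst, true_time + latency, tolerance_slots)


def slots_needed(true_time, clock_skew, latency, max_tolerance=10):
    """Smallest server tolerance (in slots) that lets this client in, or None."""
    for tol in range(max_tolerance + 1):
        if connect_attempt(true_time, clock_skew, latency, tol):
            return tol
    return None


if __name__ == "__main__":
    # (true_time, client clock skew, one-way latency) in seconds, all constructed
    for case in [(1000.2, 0.0, 0.05), (1000.97, 0.0, 0.05), (1000.2, 1.5, 0.05)]:
        print(case, "-> tolerance needed:", slots_needed(*case))
```

A tolerance of k slots means 2k+1 addresses are valid at any instant, so every second of clock error the server tolerates widens what it must answer on.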


