Hi,
you can also combine several techniques.
You could also set up a firewall rule that blocks someone's IP that has e.g. 
more than 3 IP connects (create socket) within 3 minutes or so against the 
telnet 3270 port; the port can be blocked for e.g. 60 min. That will make DDoS 
even harder. All numbers in the sample are configurable.
I wonder if the APAR disconnects the socket after a false attempt?
Denis.
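The connection-rate rule described above, written out as an added stand-alone model (not code from the list, from IBM, or from any firewall product): a sliding-window counter per source IP that drops the connection once more than 3 connects to the TN3270 port arrive within 3 minutes and keeps the source blocked for 60 minutes. The log format (`timestamp source_ip dest_port`), the sample lines and the parameter names are constructed for this example; the thresholds are parameters so they can be tuned as the mail says.

```python
from collections import defaultdict, deque

class ConnectRateLimiter:
    """Sliding-window connect counter per source IP with a timed block."""

    def __init__(self, max_connects=3, window_seconds=180, block_seconds=3600):
        self.max_connects = max_connects      # more than this many -> block
        self.window_seconds = window_seconds  # 3 minutes in the mail
        self.block_seconds = block_seconds    # 60 minutes in the mail
        self.attempts = defaultdict(deque)    # src_ip -> timestamps in window
        self.blocked_until = {}               # src_ip -> epoch when block ends

    def on_connect(self, src_ip, ts):
        """Record one TCP connect; return True if it should be dropped."""
        until = self.blocked_until.get(src_ip)
        if until is not None:
            if ts < until:
                return True               # still inside the block period
            del self.blocked_until[src_ip]  # block expired, start counting again
            self.attempts[src_ip].clear()
        q = self.attempts[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window_seconds:
            q.popleft()                   # drop connects older than the window
        if len(q) > self.max_connects:
            self.blocked_until[src_ip] = ts + self.block_seconds
            q.clear()
            return True
        return False

# Constructed connection log: "timestamp source_ip dest_port", in time order.
SAMPLE_LOG = """\
0 203.0.113.5 23
0 198.51.100.7 23
30 203.0.113.5 23
60 203.0.113.5 23
90 203.0.113.5 23
100 198.51.100.7 23
150 203.0.113.5 22
200 203.0.113.5 23
250 198.51.100.7 23
400 198.51.100.7 23
3700 203.0.113.5 23
"""

def replay(log_text, telnet_port=23, **limits):
    """Feed connects to the telnet port through the limiter; return (ts, ip, dropped)."""
    limiter = ConnectRateLimiter(**limits)
    decisions = []
    for line in log_text.splitlines():
        ts, src_ip, port = line.split()
        if int(port) != telnet_port:
            continue                      # rule applies only to the 3270 port
        decisions.append((int(ts), src_ip, limiter.on_connect(src_ip, int(ts))))
    return decisions
```

The 4th connect from 203.0.113.5 at t=90 trips the rule, the attempt at t=200 is still blocked, and the one at t=3700 is accepted again after the 60-minute block has lapsed, while the low-rate host 198.51.100.7 is never touched.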

-----Original Message-----
From: Pommier, Rex <rpomm...@sfgmembers.com>
To: IBM-MAIN <IBM-MAIN@LISTSERV.UA.EDU>
Sent: Thu, Jan 23, 2020 4:31 pm
Subject: Re: [External] Re: IBM AOAR O44855


On 1/23/2020 9:32 AM, Peter Vander Woude wrote:
> The apar is meant to deal with those types of hacks, where someone has 
> a list of userids and then just tries to logon to TSO by connecting and 
> attempting to logon to TSO.  Without the apar/parm, the normal logon 
> screen shows the person IF the userid actually has a TSO profile.
> 
> When the correct parm is in the IKJTSO00 parmlib member, they just get a 
> prompt for the password.  There is no notification at that point that the 
> user does, or does not, have TSO access.  Even the response does not tell the 
> hacker that information.
> 
> While I agree that it could be a vein for a ddos of getting the user's id 
> revoked, the premise of preventing the identification of someone with 
> TSO access is very valid.
> 
> That opens the way to a denial of service attack; someone can write a script 
> to cause revocation of a long list of userids.
> 

This fix was not an attempt to prevent a DDOS revocation attack.  It was 
designed to prevent the ability of a hacker to enumerate the TSO IDs on a 
system.  With PASSWORDPREPROMPT(ON), both a valid TSO ID and password are 
required to present the fullscreen TSO logon panel, or a nebulous error message 
is presented.  Without it, the error messages clearly state whether you have a 
valid TSO userid or password.  Armed with a list of valid TSO IDs, the 
attacker could start social engineering or other phishing attempts to get a 
valid password.

Once a hacker gets access to a TN3270 port, a DDOS revocation attack is 
possible whether you have PASSWORDPREPROMPT(ON) or not.  The fix did not enable 
the DDOS revocation attack, the potential has always been there to run it.

Regards,
Tom Conley



Hi Tom,

I agree completely.  The DDOS vector has always been there, and from my point 
of view, this makes it much harder for a DDOS to revoke a bunch of IDs - unless 
they already have the IDs.  Without this change active, somebody can just 
randomly throw characters at the ID field until they get a hit then throw 
passwords to revoke it, then move on to the next ID.  With it, how does one 
know if they have a valid ID or not - they don't, so they need to keep guessing 
at both IDs and passwords.  

Rex




----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
