Locating the IP address of the DDF attempted hacker

Ben Alford

Locating the IP address of the DDF attempted hacker
We are receiving many, many DB2 DDF error messages of the form
DSNL030I - DSNLTSEC DDF PROCESSING FAILURE FOR
LUWID=A024B328.D988.BA94EB6CF673
AUTHID=authid1, REASON=00F30088

The interloper has entered the bad password more than 3 times and the
userid is now REVOKED by RACF. This could be a form of denial of
service attack, since the userid is now unusable.

Anyone know how to track down the ip address of the DDF client?
Thanks in advance!

Ben Alford Enterprise Systems Programming
University of Tennessee, Knoxville INTERNET: [login to unmask email]

---------------------------------------------------------------------------------
Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and home page at http://www.idugdb2-l.org/archives/db2-l.html. From that page select "Join or Leave the list". If you will be out of the office, send the SET DB2-L NOMAIL command to [login to unmask email] The IDUG List Admins can be reached at [login to unmask email] Find out the latest on IDUG conferences at http://conferences.idug.org/index.cfm

Manas Dasgupta

Re: Locating the IP address of the DDF attempted hacker
(in response to Ben Alford)
The first part of LUWID has the ip address in hex. Convert the following to
decimal and you'll have the ip address : A0 24 B3 28.
Thanks,
Manas.
----- Original Message -----
From: "Ben Alford" <[login to unmask email]>
Newsgroups: bit.listserv.db2-l
To: <[login to unmask email]>
Sent: Tuesday, January 06, 2004 12:43 PM
Subject: Locating the IP address of the DDF attempted hacker


> We are receiving many, many DB2 DDF error messages of the form
> DSNL030I - DSNLTSEC DDF PROCESSING FAILURE FOR
> LUWID=A024B328.D988.BA94EB6CF673
> AUTHID=authid1, REASON=00F30088
>
> The interloper has entered the bad password more than 3 times and the
> userid is now REVOKED by RACF. This could be a form of denial of
> service attack, since the userid is now unusable.
>
> Anyone know how to track down the ip address of the DDF client?
> Thanks in advance!
>
> Ben Alford Enterprise Systems Programming
> University of Tennessee, Knoxville INTERNET: [login to unmask email]
>
> --------------------------------------------------------------------------
-------
> Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and
home page at http://www.idugdb2-l.org/archives/db2-l.html. From that page
select "Join or Leave the list". If you will be out of the office, send the
SET DB2-L NOMAIL command to [login to unmask email] The IDUG List Admins
can be reached at [login to unmask email] Find out the latest on
IDUG conferences at http://conferences.idug.org/index.cfm

---------------------------------------------------------------------------------
Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and home page at http://www.idugdb2-l.org/archives/db2-l.html. From that page select "Join or Leave the list". If you will be out of the office, send the SET DB2-L NOMAIL command to [login to unmask email] The IDUG List Admins can be reached at [login to unmask email] Find out the latest on IDUG conferences at http://conferences.idug.org/index.cfm

paul martin

Re: Locating the IP address of the DDF attempted hacker
(in response to Manas Dasgupta)
I don't think so -- the LUWID is logical unit of work identifier (LUWID),
for two-phase conversations
If you go to your DB2 connect box and issue
db2 list dcs applications
you'll see the LUWID listed as the "Host Application Id"

If you issue
db2 list dcs applications SHOW DETAIL
On your DB2 Connect box you'll see the IP address as the first part of the
Client Application ID

I would assume with some kind of IP trace on your z/OS platform maybe you
could secure the IP address coming in -- as a rule it would be the DB2
Connect platforms IP address you would see on the z/OS side.

Paul


-----Original Message-----
From: Manas Dasgupta [mailto:[login to unmask email]
Sent: Tuesday, January 06, 2004 12:06 PM
To: [login to unmask email]
Subject: Re: Locating the IP address of the DDF attempted hacker


The first part of LUWID has the ip address in hex. Convert the following to
decimal and you'll have the ip address : A0 24 B3 28.
Thanks,
Manas.
----- Original Message -----
From: "Ben Alford" <[login to unmask email]>
Newsgroups: bit.listserv.db2-l
To: <[login to unmask email]>
Sent: Tuesday, January 06, 2004 12:43 PM
Subject: Locating the IP address of the DDF attempted hacker


> We are receiving many, many DB2 DDF error messages of the form
> DSNL030I - DSNLTSEC DDF PROCESSING FAILURE FOR
> LUWID=A024B328.D988.BA94EB6CF673
> AUTHID=authid1, REASON=00F30088
>
> The interloper has entered the bad password more than 3 times and the
> userid is now REVOKED by RACF. This could be a form of denial of
> service attack, since the userid is now unusable.
>
> Anyone know how to track down the ip address of the DDF client?
> Thanks in advance!
>
> Ben Alford Enterprise Systems Programming
> University of Tennessee, Knoxville INTERNET: [login to unmask email]
>
> --------------------------------------------------------------------------
-------
> Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and
home page at http://www.idugdb2-l.org/archives/db2-l.html. From that page
select "Join or Leave the list". If you will be out of the office, send the
SET DB2-L NOMAIL command to [login to unmask email] The IDUG List Admins
can be reached at [login to unmask email] Find out the latest on
IDUG conferences at http://conferences.idug.org/index.cfm

----------------------------------------------------------------------------
-----
Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and home
page at http://www.idugdb2-l.org/archives/db2-l.html. From that page select
"Join or Leave the list". If you will be out of the office, send the SET
DB2-L NOMAIL command to [login to unmask email] The IDUG List Admins can
be reached at [login to unmask email] Find out the latest on IDUG
conferences at http://conferences.idug.org/index.cfm


CONFIDENTIALITY NOTICE: This e-mail communication and any attachments may
contain confidential and privileged information for the use of the
designated recipients named above. Any unauthorized review, use, disclosure
or distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.

---------------------------------------------------------------------------------
Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and home page at http://www.idugdb2-l.org/archives/db2-l.html. From that page select "Join or Leave the list". If you will be out of the office, send the SET DB2-L NOMAIL command to [login to unmask email] The IDUG List Admins can be reached at [login to unmask email] Find out the latest on IDUG conferences at http://conferences.idug.org/index.cfm

Mark Ruhe

Re: Locating the IP address of the DDF attempted hacker
(in response to paul martin)
If the work being requested originated via TCP/IP then the format of the LUWID is

IPAddr.Port.Application instance

Otherwise it is probably APPC in which case its

Network.LU Name.Application instance


-----Original Message-----
From: DB2 Data Base Discussion List [mailto:[login to unmask email]On
Behalf Of Martin, Paul
Sent: Tuesday, January 06, 2004 12:37 PM
To: [login to unmask email]
Subject: Re: Locating the IP address of the DDF attempted hacker


I don't think so -- the LUWID is logical unit of work identifier (LUWID),
for two-phase conversations
If you go to your DB2 connect box and issue
db2 list dcs applications
you'll see the LUWID listed as the "Host Application Id"

If you issue
db2 list dcs applications SHOW DETAIL
On your DB2 Connect box you'll see the IP address as the first part of the
Client Application ID

I would assume with some kind of IP trace on your z/OS platform maybe you
could secure the IP address coming in -- as a rule it would be the DB2
Connect platforms IP address you would see on the z/OS side.

Paul


-----Original Message-----
From: Manas Dasgupta [mailto:[login to unmask email]
Sent: Tuesday, January 06, 2004 12:06 PM
To: [login to unmask email]
Subject: Re: Locating the IP address of the DDF attempted hacker


The first part of LUWID has the ip address in hex. Convert the following to
decimal and you'll have the ip address : A0 24 B3 28.
Thanks,
Manas.
----- Original Message -----
From: "Ben Alford" <[login to unmask email]>
Newsgroups: bit.listserv.db2-l
To: <[login to unmask email]>
Sent: Tuesday, January 06, 2004 12:43 PM
Subject: Locating the IP address of the DDF attempted hacker


> We are receiving many, many DB2 DDF error messages of the form
> DSNL030I - DSNLTSEC DDF PROCESSING FAILURE FOR
> LUWID=A024B328.D988.BA94EB6CF673
> AUTHID=authid1, REASON=00F30088
>
> The interloper has entered the bad password more than 3 times and the
> userid is now REVOKED by RACF. This could be a form of denial of
> service attack, since the userid is now unusable.
>
> Anyone know how to track down the ip address of the DDF client?
> Thanks in advance!
>
> Ben Alford Enterprise Systems Programming
> University of Tennessee, Knoxville INTERNET: [login to unmask email]
>
> --------------------------------------------------------------------------
-------
> Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and
home page at http://www.idugdb2-l.org/archives/db2-l.html. From that page
select "Join or Leave the list". If you will be out of the office, send the
SET DB2-L NOMAIL command to [login to unmask email] The IDUG List Admins
can be reached at [login to unmask email] Find out the latest on
IDUG conferences at http://conferences.idug.org/index.cfm

----------------------------------------------------------------------------
-----
Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and home
page at http://www.idugdb2-l.org/archives/db2-l.html. From that page select
"Join or Leave the list". If you will be out of the office, send the SET
DB2-L NOMAIL command to [login to unmask email] The IDUG List Admins can
be reached at [login to unmask email] Find out the latest on IDUG
conferences at http://conferences.idug.org/index.cfm


CONFIDENTIALITY NOTICE: This e-mail communication and any attachments may
contain confidential and privileged information for the use of the
designated recipients named above. Any unauthorized review, use, disclosure
or distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.

---------------------------------------------------------------------------------
Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and home page at http://www.idugdb2-l.org/archives/db2-l.html. From that page select "Join or Leave the list". If you will be out of the office, send the SET DB2-L NOMAIL command to [login to unmask email] The IDUG List Admins can be reached at [login to unmask email] Find out the latest on IDUG conferences at http://conferences.idug.org/index.cfm

---------------------------------------------------------------------------------
Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and home page at http://www.idugdb2-l.org/archives/db2-l.html. From that page select "Join or Leave the list". If you will be out of the office, send the SET DB2-L NOMAIL command to [login to unmask email] The IDUG List Admins can be reached at [login to unmask email] Find out the latest on IDUG conferences at http://conferences.idug.org/index.cfm

Kirk Hampton

Re: Locating the IP address of the DDF attempted hacker
(in response to Mark Ruhe)
I have verified this on our system, and the first node of the LUWID in a
DSNL030I message
did, in fact, decode via the method described by Manas to an IP address.
However, it was
the address of a DB2 Connect EE gateway, not the address of the originating
Windows
desktop client, so it may be of dubious value. If you have such a setup as
ours, you may have
to interrogate the DB2DIAG.log on the gateway machine to find the real
client address.

Kirk Hampton
DB2 OS/390 Sysprog
IBM Certified Solutions Expert - DB2 V7 Database Administration OS/390
TXU Business Services
Dallas, Texas




Mark Ruhe
<[login to unmask email] To: [login to unmask email]
COM> cc:
Sent by: DB2 Data Subject: Re: Locating the IP address of the DDF attempted hacker
Base Discussion
List
<[login to unmask email]
ORG>


01/06/2004 12:47
PM
Please respond to
DB2 Database
Discussion list
at IDUG






If the work being requested originated via TCP/IP then the format of the
LUWID is

IPAddr.Port.Application instance

Otherwise it is probably APPC in which case its

Network.LU Name.Application instance


-----Original Message-----
From: DB2 Data Base Discussion List [mailto:[login to unmask email]On
Behalf Of Martin, Paul
Sent: Tuesday, January 06, 2004 12:37 PM
To: [login to unmask email]
Subject: Re: Locating the IP address of the DDF attempted hacker


I don't think so -- the LUWID is logical unit of work identifier (LUWID),
for two-phase conversations
If you go to your DB2 connect box and issue
db2 list dcs applications
you'll see the LUWID listed as the "Host Application Id"

If you issue
db2 list dcs applications SHOW DETAIL
On your DB2 Connect box you'll see the IP address as the first part of the
Client Application ID

I would assume with some kind of IP trace on your z/OS platform maybe you
could secure the IP address coming in -- as a rule it would be the DB2
Connect platforms IP address you would see on the z/OS side.

Paul


-----Original Message-----
From: Manas Dasgupta [mailto:[login to unmask email]
Sent: Tuesday, January 06, 2004 12:06 PM
To: [login to unmask email]
Subject: Re: Locating the IP address of the DDF attempted hacker


The first part of LUWID has the ip address in hex. Convert the following
to
decimal and you'll have the ip address : A0 24 B3 28.
Thanks,
Manas.
----- Original Message -----
From: "Ben Alford" <[login to unmask email]>
Newsgroups: bit.listserv.db2-l
To: <[login to unmask email]>
Sent: Tuesday, January 06, 2004 12:43 PM
Subject: Locating the IP address of the DDF attempted hacker


> We are receiving many, many DB2 DDF error messages of the form
> DSNL030I - DSNLTSEC DDF PROCESSING FAILURE FOR
> LUWID=A024B328.D988.BA94EB6CF673
> AUTHID=authid1, REASON=00F30088
>
> The interloper has entered the bad password more than 3 times and the
> userid is now REVOKED by RACF. This could be a form of denial of
> service attack, since the userid is now unusable.
>
> Anyone know how to track down the ip address of the DDF client?
> Thanks in advance!
>
> Ben Alford Enterprise Systems Programming
> University of Tennessee, Knoxville INTERNET: [login to unmask email]
>
>
--------------------------------------------------------------------------
-------
> Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and
home page at http://www.idugdb2-l.org/archives/db2-l.html. From that page
select "Join or Leave the list". If you will be out of the office, send the
SET DB2-L NOMAIL command to [login to unmask email] The IDUG List
Admins
can be reached at [login to unmask email] Find out the latest on
IDUG conferences at http://conferences.idug.org/index.cfm

----------------------------------------------------------------------------

-----
Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and home
page at http://www.idugdb2-l.org/archives/db2-l.html. From that page select
"Join or Leave the list". If you will be out of the office, send the SET
DB2-L NOMAIL command to [login to unmask email] The IDUG List Admins
can
be reached at [login to unmask email] Find out the latest on IDUG
conferences at http://conferences.idug.org/index.cfm


CONFIDENTIALITY NOTICE: This e-mail communication and any attachments may
contain confidential and privileged information for the use of the
designated recipients named above. Any unauthorized review, use, disclosure
or distribution is prohibited. If you are not the intended recipient,
please
contact the sender by reply e-mail and destroy all copies of the original
message.

---------------------------------------------------------------------------------

Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and home
page at http://www.idugdb2-l.org/archives/db2-l.html. From that page select
"Join or Leave the list". If you will be out of the office, send the SET
DB2-L NOMAIL command to [login to unmask email] The IDUG List Admins
can be reached at [login to unmask email] Find out the latest on
IDUG conferences at http://conferences.idug.org/index.cfm

---------------------------------------------------------------------------------

Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and home
page at http://www.idugdb2-l.org/archives/db2-l.html. From that page select
"Join or Leave the list". If you will be out of the office, send the SET
DB2-L NOMAIL command to [login to unmask email] The IDUG List Admins
can be reached at [login to unmask email] Find out the latest on
IDUG conferences at http://conferences.idug.org/index.cfm







*********************************************************************************
Confidentiality Notice: This email message, including any attachments,
contains or may contain confidential information intended only for the
addressee. If you are not an intended recipient of this message, be
advised that any reading, dissemination, forwarding, printing, copying
or other use of this message or its attachments is strictly prohibited. If
you have received this message in error, please notify the sender
immediately by reply message and delete this email message and any
attachments from your system.
*********************************************************************************

---------------------------------------------------------------------------------
Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and home page at http://www.idugdb2-l.org/archives/db2-l.html. From that page select "Join or Leave the list". If you will be out of the office, send the SET DB2-L NOMAIL command to [login to unmask email] The IDUG List Admins can be reached at [login to unmask email] Find out the latest on IDUG conferences at http://conferences.idug.org/index.cfm

Alex Pauliah

Re: Locating the IP address of the DDF attempted hacker
(in response to Kirk Hampton)
All,

Kirk is right, on the server(mainframe) only the ip address of the gateway
machine is stored. You need to get on to the gateway machine and issue
db2 list dcs applications show detail to get the actual source IP
address.

I do not think db2 stores each connection detail on the gateway even if the
diaglevel is set to 4. (I could be wrong)

(my 2c worth...)

Alex J. Pauliah
DB2 DBA
TXU Database Technology
W: (214) 486 6784
P: (214) 314 5973



Kirk Hampton
<[login to unmask email] To: [login to unmask email]
> cc:
Sent by: DB2 Data Subject: Re: Locating the IP address of the DDF attempted hacker
Base Discussion
List
<[login to unmask email]
ORG>


01/06/2004 01:29
PM
Please respond to
DB2 Database
Discussion list
at IDUG






I have verified this on our system, and the first node of the LUWID in a
DSNL030I message
did, in fact, decode via the method described by Manas to an IP address.
However, it was
the address of a DB2 Connect EE gateway, not the address of the originating
Windows
desktop client, so it may be of dubious value. If you have such a setup as
ours, you may have
to interrogate the DB2DIAG.log on the gateway machine to find the real
client address.

Kirk Hampton
DB2 OS/390 Sysprog
IBM Certified Solutions Expert - DB2 V7 Database Administration OS/390
TXU Business Services
Dallas, Texas




Mark Ruhe
<[login to unmask email] To:
[login to unmask email]
COM> cc:
Sent by: DB2 Data Subject: Re: Locating the
IP address of the DDF attempted hacker
Base Discussion
List
<[login to unmask email]
ORG>


01/06/2004 12:47
PM
Please respond to
DB2 Database
Discussion list
at IDUG






If the work being requested originated via TCP/IP then the format of the
LUWID is

IPAddr.Port.Application instance

Otherwise it is probably APPC in which case its

Network.LU Name.Application instance


-----Original Message-----
From: DB2 Data Base Discussion List [mailto:[login to unmask email]On
Behalf Of Martin, Paul
Sent: Tuesday, January 06, 2004 12:37 PM
To: [login to unmask email]
Subject: Re: Locating the IP address of the DDF attempted hacker


I don't think so -- the LUWID is logical unit of work identifier (LUWID),
for two-phase conversations
If you go to your DB2 connect box and issue
db2 list dcs applications
you'll see the LUWID listed as the "Host Application Id"

If you issue
db2 list dcs applications SHOW DETAIL
On your DB2 Connect box you'll see the IP address as the first part of the
Client Application ID

I would assume with some kind of IP trace on your z/OS platform maybe you
could secure the IP address coming in -- as a rule it would be the DB2
Connect platforms IP address you would see on the z/OS side.

Paul


-----Original Message-----
From: Manas Dasgupta [mailto:[login to unmask email]
Sent: Tuesday, January 06, 2004 12:06 PM
To: [login to unmask email]
Subject: Re: Locating the IP address of the DDF attempted hacker


The first part of LUWID has the ip address in hex. Convert the following
to
decimal and you'll have the ip address : A0 24 B3 28.
Thanks,
Manas.
----- Original Message -----
From: "Ben Alford" <[login to unmask email]>
Newsgroups: bit.listserv.db2-l
To: <[login to unmask email]>
Sent: Tuesday, January 06, 2004 12:43 PM
Subject: Locating the IP address of the DDF attempted hacker


> We are receiving many, many DB2 DDF error messages of the form
> DSNL030I - DSNLTSEC DDF PROCESSING FAILURE FOR
> LUWID=A024B328.D988.BA94EB6CF673
> AUTHID=authid1, REASON=00F30088
>
> The interloper has entered the bad password more than 3 times and the
> userid is now REVOKED by RACF. This could be a form of denial of
> service attack, since the userid is now unusable.
>
> Anyone know how to track down the ip address of the DDF client?
> Thanks in advance!
>
> Ben Alford Enterprise Systems Programming
> University of Tennessee, Knoxville INTERNET: [login to unmask email]
>
>
--------------------------------------------------------------------------
-------
> Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and
home page at http://www.idugdb2-l.org/archives/db2-l.html. From that page
select "Join or Leave the list". If you will be out of the office, send the
SET DB2-L NOMAIL command to [login to unmask email] The IDUG List
Admins
can be reached at [login to unmask email] Find out the latest on
IDUG conferences at http://conferences.idug.org/index.cfm

----------------------------------------------------------------------------


-----
Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and home
page at http://www.idugdb2-l.org/archives/db2-l.html. From that page select
"Join or Leave the list". If you will be out of the office, send the SET
DB2-L NOMAIL command to [login to unmask email] The IDUG List Admins
can
be reached at [login to unmask email] Find out the latest on IDUG
conferences at http://conferences.idug.org/index.cfm


CONFIDENTIALITY NOTICE: This e-mail communication and any attachments may
contain confidential and privileged information for the use of the
designated recipients named above. Any unauthorized review, use, disclosure
or distribution is prohibited. If you are not the intended recipient,
please
contact the sender by reply e-mail and destroy all copies of the original
message.

---------------------------------------------------------------------------------


Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and home
page at http://www.idugdb2-l.org/archives/db2-l.html. From that page select
"Join or Leave the list". If you will be out of the office, send the SET
DB2-L NOMAIL command to [login to unmask email] The IDUG List Admins
can be reached at [login to unmask email] Find out the latest on
IDUG conferences at http://conferences.idug.org/index.cfm

---------------------------------------------------------------------------------


Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and home
page at http://www.idugdb2-l.org/archives/db2-l.html. From that page select
"Join or Leave the list". If you will be out of the office, send the SET
DB2-L NOMAIL command to [login to unmask email] The IDUG List Admins
can be reached at [login to unmask email] Find out the latest on
IDUG conferences at http://conferences.idug.org/index.cfm







*********************************************************************************

Confidentiality Notice: This email message, including any attachments,
contains or may contain confidential information intended only for the
addressee. If you are not an intended recipient of this message, be
advised that any reading, dissemination, forwarding, printing, copying
or other use of this message or its attachments is strictly prohibited. If
you have received this message in error, please notify the sender
immediately by reply message and delete this email message and any
attachments from your system.
*********************************************************************************


---------------------------------------------------------------------------------

Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and home
page at http://www.idugdb2-l.org/archives/db2-l.html. From that page select
"Join or Leave the list". If you will be out of the office, send the SET
DB2-L NOMAIL command to [login to unmask email] The IDUG List Admins
can be reached at [login to unmask email] Find out the latest on
IDUG conferences at http://conferences.idug.org/index.cfm

---------------------------------------------------------------------------------
Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and home page at http://www.idugdb2-l.org/archives/db2-l.html. From that page select "Join or Leave the list". If you will be out of the office, send the SET DB2-L NOMAIL command to [login to unmask email] The IDUG List Admins can be reached at [login to unmask email] Find out the latest on IDUG conferences at http://conferences.idug.org/index.cfm

Michael Ebert

Re: Locating the IP address of the DDF attempted hacker
(in response to Alex Pauliah)
Hi Ben,

this doesn't have to be an attack. We've had similar situations several
times in the past: some developer creates a program that accesses DB2 data
via DDF. They code the CONNECT statement with a fixed userid and password.
When RACF expires the password (resulting in a non-zero RC), the
application simply retries the CONNECT, which results in a loop....

Dr. Michael Ebert
DB2 Database Administrator
aMaDEUS Data Processing
Erding / Munich, Germany




We are receiving many, many DB2 DDF error messages of the form
DSNL030I - DSNLTSEC DDF PROCESSING FAILURE FOR
LUWID=A024B328.D988.BA94EB6CF673
AUTHID=authid1, REASON=00F30088

The interloper has entered the bad password more than 3 times and the
userid is now REVOKED by RACF. This could be a form of denial of
service attack, since the userid is now unusable.

Anyone know how to track down the ip address of the DDF client?
Thanks in advance!

Ben Alford Enterprise Systems Programming
University of Tennessee, Knoxville INTERNET: [login to unmask email]


---------------------------------------------------------------------------------
Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and home page at http://www.idugdb2-l.org/archives/db2-l.html. From that page select "Join or Leave the list". If you will be out of the office, send the SET DB2-L NOMAIL command to [login to unmask email] The IDUG List Admins can be reached at [login to unmask email] Find out the latest on IDUG conferences at http://conferences.idug.org/index.cfm