I guess what I'm saying is that I'm not convinced that there really is a better way with IPv4 or IPv6. The main functional difference between stopping somebody at the firewall vs. the application -- no matter how you accomplish that, be it via IP blocks or authentication -- is that it's cheaper to stop connections before they're fully established, and perhaps more secure in case the application has vulnerabilities.
That said, the DoS problem is a very real one and is recognized by security people, because the process of starting up a TCP/IP session, even if you throw it away shortly thereafter, is actually somewhat expensive on the server end, when you're doing it hundreds of times a second.
Basically I think the security problem here is intrinsic in the requirements:
- Broad IP range bans are bad because you lose people, so you avoid broad IP range bans.
- Single IP range bans, and in fact almost anything based on IP, don't work, because people can easily change IPs (e.g., via proxies).
- Username bans don't work, because a new username can be quickly created at the application.
- For various reasons, we want the username creation process to be open.
I think that from the above, it becomes clear that we have conflicting goals: not wanting to block too many people vs. blocking the right person; blocking username creation to avoid spammers vs. not blocking legitimate new users, ...
What you would really need is some way to guarantee that a connection is coming from a very specific person. Perhaps this could be accomplished with some kind of message signing, such that a packet says who it's from, and the contents are signed with that person's private key. You would only be able to read the message if you were able to access the person's public key. The key point (no pun intended) is that such keys would have to be uniquely identifiable with a single person, as opposed to some generic password mechanism, and that such keys would have to be relatively difficult to acquire. Of course this idea has tons of problems with it, and would require a much more considerable rethinking of how the internet works than merely moving to IPv6.
All of the above said, yes, it really is too bad that it's so hard to uniquely identify people. :sigh: I guess that's just life, though, when you have a protocol that is basically anonymous and where things can come from anywhere, with unlimited levels of indirection via proxies etc.
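The per-person signing idea in the post, as an added example that is not the poster's own code: each message carries a sender name, a body, and an Ed25519 signature over both; the gate looks up the registered public key for that name, refuses the message if the key is on the ban list, and only then verifies the signature. Bans are recorded by key fingerprint rather than by username or IP, so changing address or creating a fresh username with the same key does not get past the gate. The example assumes that keys are issued out of band, one per person, and that the mapping from name to key is trusted; the `Gate`, `Message`, `Sign` and `Admit` names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Message is what a client sends: who it claims to be, the body, and a
// signature over both. The transport address is deliberately absent: the
// gate decides by key, not by IP.
type Message struct {
	From string
	Body []byte
	Sig  []byte
}

// Gate keeps the registered keys and the ban list. Bans are recorded by key
// fingerprint, so a banned person who registers a fresh username with the
// same key is still refused. (Hypothetical structure for this example.)
type Gate struct {
	keys   map[string]ed25519.PublicKey // username -> key
	owner  map[string]string            // key fingerprint -> username
	banned map[string]bool              // key fingerprint -> banned
}

func NewGate() *Gate {
	return &Gate{
		keys:   map[string]ed25519.PublicKey{},
		owner:  map[string]string{},
		banned: map[string]bool{},
	}
}

// Fingerprint is a stable identifier for a public key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Register binds a username to a key. A key already bound to another name
// (or already banned) is refused, which is what makes the ban stick.
func (g *Gate) Register(name string, pub ed25519.PublicKey) error {
	if _, taken := g.keys[name]; taken {
		return errors.New("username already registered")
	}
	fp := Fingerprint(pub)
	if g.banned[fp] {
		return errors.New("key is banned")
	}
	if other, used := g.owner[fp]; used {
		return fmt.Errorf("key already registered as %q", other)
	}
	g.keys[name] = pub
	g.owner[fp] = name
	return nil
}

// Ban records the key behind a username, not the username itself.
func (g *Gate) Ban(name string) error {
	pub, ok := g.keys[name]
	if !ok {
		return errors.New("unknown username")
	}
	g.banned[Fingerprint(pub)] = true
	return nil
}

// signedBytes length-prefixes the sender name so that "ab"+"c" and "a"+"bc"
// cannot be confused by the signer and the verifier.
func signedBytes(from string, body []byte) []byte {
	out := make([]byte, 4, 4+len(from)+len(body))
	binary.BigEndian.PutUint32(out, uint32(len(from)))
	out = append(out, from...)
	return append(out, body...)
}

// Sign is the client side: sign name+body with the sender's private key.
func Sign(priv ed25519.PrivateKey, from string, body []byte) Message {
	return Message{From: from, Body: body, Sig: ed25519.Sign(priv, signedBytes(from, body))}
}

// Admit is the gate's check, run before the application ever sees the body.
// Unknown or banned senders are rejected before the (cheap) signature check.
func (g *Gate) Admit(m Message) error {
	pub, ok := g.keys[m.From]
	if !ok {
		return errors.New("unknown sender")
	}
	if g.banned[Fingerprint(pub)] {
		return errors.New("sender is banned")
	}
	if !ed25519.Verify(pub, signedBytes(m.From, m.Body), m.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair for the demo
	g := NewGate()
	_ = g.Register("alice", pub)
	fmt.Println(g.Admit(Sign(priv, "alice", []byte("hello")))) // <nil>
	_ = g.Ban("alice")
	fmt.Println(g.Admit(Sign(priv, "alice", []byte("hello")))) // sender is banned
	fmt.Println(g.Register("alice2", pub))                      // key is banned
}
```

The order of checks in `Admit` mirrors the post's cost argument: the map lookups that reject unknown and banned senders are far cheaper than signature verification, so the expensive step only runs for senders the gate has not already decided to drop. What the example does not solve is the part the post calls the hard problem: keeping one person from obtaining many keys, which no amount of code at the gate can enforce.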