+1 for Bro
http://www.bro.org
http://packetpushers.net/healthy-paranoia-show-11-bro-the-outer-limits-of-ids/
Sent from my iPad
On Jun 13, 2013, at 2:32 PM, Eric Wustrow wrote:
> Hi all,
>
> I'm looking for a way to block individual TCP flows (5-tuple) on a 1-10 gbps
> link, with new blocked
On Thu, Jun 13, 2013 at 10:34:28AM -0600, Phil Fagan wrote:
> Yeah, I can't imagine there is any real magic there...mystical protocol not
> seen over transport.
Compromised NICs can leak info through side channels (timing) but
it's too low bandwidth. For end user devices with backdoors
(remote vul
On 6/13/13, Scott Helms wrote:
> Targeted how without an active C&C system?
How have you determined that there is not one?
Conceptually, the "simplest" backdoored router, could have a
mechanism, where crafted packets that would ordinarily be forwarded
on, contain some "magic bit pattern" in t
What protocols have empty space in the headers whereby I can add my
'message' and send it along with legit traffic? I would think most all..
On Thu, Jun 13, 2013 at 8:16 PM, Scott Helms wrote:
> What protocol is a DPI vector? In what way is making a router even
> remotely efficient as a method
What protocol is a DPI vector? In what way is making a router even
remotely efficient as a method of end to end covert communication? There
are thousands (if not millions) of ways for two hosts to exchange data
without it being detectable that's much faster and cheaper than involving
the network i
Targeted how without an active C&C system?
On Jun 13, 2013 10:01 PM, "Jimmy Hess" wrote:
> On 6/13/13, Patrick W. Gilmore wrote:
> > It should be trivial to prove to yourself the box is, or is not, doing
> > something evil if you actually try.
>
> What if it's not doing anything evil 99% of the
On 06/13/2013 06:57 PM, Scott Helms wrote:
What you're describing is a command and control channel unless you're
suggesting that the router itself had the capacity to somehow discern that.
That's the problem with all the pixie dust theories. The router can't, it
doesn't know who the rebels
On 6/13/13, Patrick W. Gilmore wrote:
> It should be trivial to prove to yourself the box is, or is not, doing
> something evil if you actually try.
What if it's not doing anything evil 99% of the time... after all
90%+ of traffic may be of no interest to a potential adversary, but
there is a ba
What you're describing is a command and control channel unless you're
suggesting that the router itself had the capacity to somehow discern
that. That's the problem with all the pixie dust theories. The router
can't, it doesn't know who the rebels are much less their net block ahead
of time. So
On 06/13/2013 06:11 PM, Scott Helms wrote:
Not at all Michael, but that is a targeted piece of data and that means a command and
control system. I challenge your imagination to come up with a common scenario where a
non targeted "I'm/they're here" that's useful to either the company or the
There is more than just y'all's in North America.
---
Sent from Samsung Mobile
Original message
From: Jeroen Massar
Date:
To: david peahi
Cc: NANOG list
Subject: Re: huawei (ZTE too)
Not at all Michael, but that is a targeted piece of data and that means a
command and control system. I challenge your imagination to come up with a
common scenario where a non targeted "I'm/they're here" that's useful to
either the company or the Chinese government keeping in mind that you have
On Jun 13, 2013, at 5:39 PM, Michael Thomas wrote:
> On 06/13/2013 05:28 PM, Scott Helms wrote:
>> Bill,
>>
>> Certainly everything you said is correct and at the same time is not useful
>> for the kinds of traffic interception that's been implied. 20 packets of
>> random traffic capture is extrao
On 06/13/2013 05:28 PM, Scott Helms wrote:
Bill,
Certainly everything you said is correct and at the same time is not useful
for the kinds of traffic interception that's been implied. 20 packets of
random traffic capture is extraordinarily unlikely to contain anything of
interest and even if you do
Bill,
Certainly everything you said is correct and at the same time is not useful
for the kinds of traffic interception that's been implied. 20 packets of
random traffic capture is extraordinarily unlikely to contain anything of
interest and even if you do happen to get a juicy fragment your chances
paper is downloadable from
http://www.cl.cam.ac.uk/~sps32/Silicon_scan_draft.pdf
On Jun 13, 2013, at 3:52 PM, "Scott Weeks" wrote:
> --- r...@gsp.org wrote:
> From: Rich Kulawiec
>
> On Thu, Jun 13, 2013 at 06:10:39PM +0200, Randy Bush wrote:
>> we really should not be putting huawei kit int
On Jun 13, 2013, at 3:01 PM, "Scott Weeks" wrote:
> On 2013-06-13 14:28, david peahi wrote:
>>
>> Last I heard NANOG stands for North American Network Operators Group.
>> Anti-American comments are not welcome here..
> Smiley? Smiley? I'm looking for the :-) but I don't
> see one. How about "
Johnathan is correct about not using perl for this. There are some iptables
modules, but they're all out of date or incomplete (I mention this because
if you get around to making them work decently, I'll love you for it).
Otherwise, perl -> IPC::Run -> ipt isn't going to gain you anything. And
I'd be
Yeah, I only thought of perl cause I'm used to running through 'while true'
loops and someone showed me Perl was about 400x faster... good thing I'm
not running through 10gb/s worth of data :-D
Figured getting closer to hardware was the way to go. I'll have to check
out PF_RING.
On Thu, Jun
Procera Networks -- http://proceranetworks.com
That will do what you want.
Thanks,
---
Patrick Bailey
On Jun 13, 2013, at 3:32 PM, Eric Wustrow wrote:
> Hi all,
>
> I'm looking for a way to block individual TCP flows (5-tuple) on a 1-10 gbps
> link, with new blocked flows being dropped with
On Thursday 13 June 2013 15:30, Rich Kulawiec wrote:
> On Thu, Jun 13, 2013 at 06:10:39PM +0200, Randy Bush wrote:
> > we really should not be putting huawei kit into the backbone, there
> > might be backdoors where they can spy on our traffic
>
> This paper may be relevant to the topic at hand (h/
--- r...@gsp.org wrote:
From: Rich Kulawiec
On Thu, Jun 13, 2013 at 06:10:39PM +0200, Randy Bush wrote:
> we really should not be putting huawei kit into the backbone, there
> might be backdoors where they can spy on our traffic
This paper may be relevant to the topic at hand (h/t to Rob Slade):
On Thu, Jun 13, 2013 at 3:38 PM, Phil Fagan wrote:
> I would assume something FreeBSD based might be best
Meh... personal choice. I prefer Linux, mostly because I know it best
and most network application development is taking place there.
> On Thu, Jun 13, 2013 at 4:37 PM, Phil Fagan wrote
Better still, http://dilbert.com/strips/comic/1996-09-07/
Jeff
On 6/13/2013 6:41 PM, Christopher Morrow wrote:
> On Thu, Jun 13, 2013 at 6:37 PM, Phil Fagan wrote:
>> fast Perl
> haha :) that's cute.
>
On Thu, Jun 13, 2013 at 1:20 PM, Scott Helms wrote:
> if one of my routers starts sending cat
> photos somewhere, no matter how cute, I'm gonna consider that suspicious.
Hi Scott,
If once every 24 hours or so your router borrows the source IP of a
packet it recently passed and uses it to send a
On Thu, Jun 13, 2013 at 6:37 PM, Phil Fagan wrote:
> fast Perl
haha :) that's cute.
I would assume something FreeBSD based might be best
On Thu, Jun 13, 2013 at 4:37 PM, Phil Fagan wrote:
> I really like the idea of a stripe of linux boxes doing the heavy lifting.
> Any suggestions on platforms, card types, and chip types that might be
> better purposed at processing this
I really like the idea of a stripe of linux boxes doing the heavy lifting.
Any suggestions on platforms, card types, and chip types that might be
better purposed at processing this type of data?
I assume you could write some fast Perl to ingest and manage the tables?
What would the package of choi
On Thu, Jun 13, 2013 at 06:10:39PM +0200, Randy Bush wrote:
> we really should not be putting huawei kit into the backbone, there
> might be backdoors where they can spy on our traffic
This paper may be relevant to the topic at hand (h/t to Rob Slade):
http://www.scribd.com/doc/95282643/
On Thu, Jun 13, 2013 at 2:28 PM, david peahi wrote:
> Last I heard NANOG stands for North American Network Operators Group.
> Anti-American comments are not welcome here..
>
>
As a matter of fact, North America includes 23 unique countries, not just
the United States - http://en.wikipedia.org/wik
On 2013-06-13 14:28, david peahi wrote:
>
> Last I heard NANOG stands for North American Network Operators Group.
> Anti-American comments are not welcome here..
-
Smiley? Smiley? I'm looking for the :-) but I don't
see one. How about "crazy eyes"?
On 2013-06-13 14:28, david peahi wrote:
>
> Last I heard NANOG stands for North American Network Operators Group.
> Anti-American comments are not welcome here..
(IMHO there was nothing 'anti-american' about my statement, though I
guess it completely depends on what the definition of that would b
Last I heard NANOG stands for North American Network Operators Group.
Anti-American comments are not welcome here..
David
On Thu, Jun 13, 2013 at 1:36 PM, Jeroen Massar wrote:
> On 2013-06-13 13:01, david peahi wrote:
> > Apologies for making what could be construed as an off topic, political
> They are a state controlled company. You think the PRC's party members
> don't call the shots?
and you live in a police and surveillance state where the govt sniffs
every packet you send, every phone call you make, ... other than style,
what's the difference?
oh, i guess the chinese are only bombi
Are you trying to block flows from becoming established, knowing what
you're looking for ahead of time, or are you looking to examine a
stream of flow establishments, and will snipe off some flows once
you've determined that they should be blocked?
If you know a 5-tuple (src/dst IP, IP protocol, s
Thank you everyone for the help with this. We got what we needed.
-Kevin Dougherty
On Thu, Jun 13, 2013 at 12:07 PM, Kevin D wrote:
> Does anyone know where I could find a supplier of Cisco (or compatible)
> optics in Northern Virginia? We're in a pinch in Ashburn and really need to
> find a GLC
I think one of the possibilities suggested beyond call-home or backdoors
was that they might have installed a secret kill-switch to be activated
against 'enemy' nodes in time of war as a cyber shock and awe campaign.
mg
On Thu, Jun 13, 2013 at 8:24 PM, Michael Thomas wrote:
> On 06/13/201
On Thu, Jun 13, 2013 at 4:47 PM, Phil Fagan wrote:
> I didn't think the bus up to the FPGA was very beefy...wouldn't you need to
> send flows up there off the data-plane for inspection?
>
not sure, but their docs talk about using the fpga for doing HFT... so
I presume it's got the ability to see
I didn't think the bus up to the FPGA was very beefy...wouldn't you need to
send flows up there off the data-plane for inspection?
On Thu, Jun 13, 2013 at 2:03 PM, Christopher Morrow wrote:
> On Thu, Jun 13, 2013 at 3:32 PM, Eric Wustrow wrote:
> > Hi all,
> >
> > I'm looking for a way to bloc
On 2013-06-13 13:01, david peahi wrote:
> Apologies for making what could be construed as an off topic, political
> comment, but doesn't everyone in the USA know by now that the PRC
> represents a dagger aimed at the economic and national security of America?
> A military invasion in slow motion as
On Thu, Jun 13, 2013 at 3:32 PM, Eric Wustrow wrote:
> Hi all,
>
> I'm looking for a way to block individual TCP flows (5-tuple) on a 1-10 gbps
> link, with new blocked flows being dropped within a millisecond or so of
> being
> added. I've been looking into using OpenFlow on an HP Procurve, but I
Apologies for making what could be construed as an off topic, political
comment, but doesn't everyone in the USA know by now that the PRC
represents a dagger aimed at the economic and national security of America?
A military invasion in slow motion as it were?
David
On Thu, Jun 13, 2013 at 12:28
On 6/13/13 3:41 PM, Mikael Abrahamsson wrote:
>> > My objection to ZTE/Huawei when I was at a cellular telco was just this.
>> > I said "there was no way I can agree with Chinese nationals having
>> > unfettered access to our network".
> Why would anyone outside of the US agree to have US produc
Is that also not possibly the case with Cisco, Juniper, XYZ network
equipment vendors? If the Chinese are doing it, I would imagine we (along
with our pals) are doing it as well. It'll be interesting to see what NSA
dox this guy drops in the coming days and weeks ahead. All of the TV
pundits were s
On Thu, 13 Jun 2013, Bryan Fields wrote:
My objection to ZTE/Huawei when I was at a cellular telco was just this.
I said "there was no way I can agree with Chinese nationals having
unfettered access to our network".
Why would anyone outside of the US agree to have US products in their
networ
If this hasn't been beaten to death, a longer discussion of the threat
of Huawei/ZTE is discussed in this article I wrote for Information
Security a few months back:
http://searchsecurity.techtarget.com/feature/The-Huawei-security-risk-Factors-to-consider-before-buying-Chinese-IT
jms
--
Joel
Hi all,
I'm looking for a way to block individual TCP flows (5-tuple) on a 1-10 gbps
link, with new blocked flows being dropped within a millisecond or so of
being
added. I've been looking into using OpenFlow on an HP Procurve, but I don't
know much in this area, so I'm looking for better alternat
On Thu, Jun 13, 2013 at 3:28 PM, Bryan Fields wrote:
> They are playing our love of "But Wait There's More!". Give us everything at
> deep discounts or for free and receive direct access to the core of every
> major telecom company on the planet. For a few hundred million dollars the
> Chinese go
On 6/13/13 1:35 PM, Warren Bailey wrote:
> They are a state controlled company. You think the PRC's party members don't
> call the shots? I've been to Beijing for work.. I can assure you the
> government has a very known presence through the private community. Often
> times, graduates of their state
there are lots of other attack scenarios besides the simple one you suggest,
as people who try to analyze malware payloads by their outbound network activity
have figured out.
an attack could be time-driven, or driven by some very hard to interpret
network
signalling (such as a response to somet
you could call universal understanding in herndon...not finding their
number immediately
On Thursday, June 13, 2013, Kevin D wrote:
> Does anyone know where I could find a supplier of Cisco (or compatible)
> optics in Northern Virginia? We're in a pinch in Ashburn and really need to
> find a GLC-
On 13/06/2013 18:42, Leo Bicknell wrote:
> A hard coded backdoor password and username.
e.g.: http://www.phenoelit.org/dpl/dpl.html
Or alternatively if you want access to any huawei device with software
older than about a year ago:
http://phenoelit.org/stuff/Huawei_DEFCON_XX.pdf
> A sequence of
This is a good point; unless you're tapping your traffic and examining it for
anything outside of the norm then would you ever see it? However, we are
talking transport protocols, no? I would certainly hope the OOB network was
monitored and controlled.
Hmm... a network of clients/servers strategical
That is far more feasible than mass interception and forwarding of traffic,
though there is (AFAIK) no indication that such a kill switch exists. I
also think that if China wanted to do something nefarious a far better
target would be Lenovo, which still seems to be an accepted vendor in US
govern
On Jun 13, 2013, at 11:35 AM, Patrick W. Gilmore wrote:
> Also, I find it difficult to believe Huawei has the ability to do DPI or
> something inside their box and still route at reasonable speeds is a bit
> silly. Perhaps they only duplicate packets based on source/dest IP address or
> somet
They are a state controlled company. You think the PRC's party members don't
call the shots? I've been to Beijing for work.. I can assure you the government
has a very known presence through the private community. Often times, graduates
of their state run colleges enter the "private" sector to he
On 13/06/2013 17:48, Job Snijders wrote:
> Good news everyone, 99% of the parsable data in PeeringDB is valid! :-)
you mean: 99% of the parsable data in PeeringDB which is maintained by
people conscientious enough to provide the output of "show bgp sum" from
their routers, is valid.
Good talk, an
On 06/13/2013 10:20 AM, Scott Helms wrote:
Not really, no one has claimed it's impossible to hide traffic. What is true
is that it's not feasible to do so at scale without it becoming obvious.
Steganography is great for hiding traffic inside of legitimate traffic between
two hosts but if
Not really, no one has claimed it's impossible to hide traffic. What is
true is that it's not feasible to do so at scale without it becoming
obvious. Steganography is great for hiding traffic inside of legitimate
traffic between two hosts but if one of my routers starts sending cat
photos somew
Does anyone know where I could find a supplier of Cisco (or compatible)
optics in Northern Virginia? We're in a pinch in Ashburn and really need to
find a GLC-LH-SM locally.
Thanks in advance.
-Kevin Dougherty
On 6/13/13, Michael Thomas wrote:
> On 06/13/2013 09:35 AM, Patrick W. Gilmore wrote:
>>
>> I am assuming a not-Huawei-only network.
>>
>> The idea that a router could send things through other routers without
>> someone who is looking for it noticing is ludicrous.
>>
>
> ::cough:: steganography :
That was exact statement from the DoD, prior to them finding out they had a
bunch of Chinese fake gear with real back doors built in. I can appreciate a
difference of opinion, but anyone who installs the PRC's cellular solution is
a fool. Never mind security, they just simply don't work. There
On 06/13/2013 09:35 AM, Patrick W. Gilmore wrote:
I am assuming a not-Huawei-only network.
The idea that a router could send things through other routers without someone
who is looking for it noticing is ludicrous.
::cough:: steganography ::cough::
Mike
So, DPI, duplication, injection into frames.
If each Huawei knows of each other... I suppose you could create a Huawei
backbone and slowly pick and pull pieces of what you want out of the flow.
But how realistic is that really...
On Thu, Jun 13, 2013 at 10:35 AM, Patrick W. Gilmore wrote:
> On J
My dear fellow networkers,
Good news everyone, 99% of the parsable data in PeeringDB is valid! :-)
Measuring this number would have been impossible without all the submissions
to the research app. Thank you!
If you are interested in the details, please see these slides:
http:/
On 06/13/2013 09:31 AM, Saku Ytti wrote:
On (2013-06-13 12:22 -0400), Patrick W. Gilmore wrote:
Do you think Huawei has a magic ability to transmit data without you noticing?
I always found it dubious that public sector can drop them from tender
citing publicly about spying, when AFAIK Huawei
On Jun 13, 2013, at 12:28 , "Avi Freedman" wrote:
> I disagree.
>
> There have already been lab demos of sfps that could inject frames and APTs
> are pretty advanced, sinister, and can be hard to detect now.
>
> I'm not suggesting Huawei is or isn't enabling badness globally but I think
> it
Yeah, I can't imagine there is any real magic there...mystical protocol not
seen over transport.
On Thu, Jun 13, 2013 at 10:26 AM, david raistrick wrote:
> On Thu, 13 Jun 2013, Phil Fagan wrote:
>
> I've always wondered about that... would you know that the Huawei is
>> leaking data?
>>
>
> th
Le 13/06/2013 18:22, Randy Bush a écrit :
>> I've always wondered about that... would you know that the Huawei is
>> leaking data?
> yes. they have a contract to leak it to the NSA
:-)
mh
>
On (2013-06-13 12:22 -0400), Patrick W. Gilmore wrote:
> Do you think Huawei has a magic ability to transmit data without you noticing?
I always found it dubious that public sector can drop them from tender
citing publicly about spying, when AFAIK Huawei hasn't ever actually been
to court about
On Thu, 13 Jun 2013, Phil Fagan wrote:
I've always wondered about that... would you know that the Huawei is
leaking data?
the puddle on the floor isn't a giveaway?
--
david raistrick  http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org ascii ribbon campaign - s
> I've always wondered about that... would you know that the Huawei is
> leaking data?
yes. they have a contract to leak it to the NSA
On Jun 13, 2013, at 12:18 , Nick Khamis wrote:
> A local clec here in Canada just teamed up with this company to
> provide cell service to the north:
>
> http://cwta.ca/blog/2012/09/24/ice-wireless-iristel-and-huawei-partner-for-3g-wireless-network-in-northern-canada/
>
> Scary
Why?
Do yo
A local clec here in Canada just teamed up with this company to
provide cell service to the north:
http://cwta.ca/blog/2012/09/24/ice-wireless-iristel-and-huawei-partner-for-3g-wireless-network-in-northern-canada/
Scary
N.
I've always wondered about that... would you know that the Huawei is
leaking data?
On Thu, Jun 13, 2013 at 10:10 AM, Randy Bush wrote:
> we really should not be putting huawei kit into the backbone, there
> might be backdoors where they can spy on our traffic
>
> oh
>
> well, so much for that
>
we really should not be putting huawei kit into the backbone, there
might be backdoors where they can spy on our traffic
oh
well, so much for that
randy
On Jun 13, 2013, at 3:52, Rich Kulawiec wrote:
> On Wed, Jun 12, 2013 at 09:30:53PM -0400, valdis.kletni...@vt.edu wrote:
>> Ask the ex-CEO of Qwest what happens if you try to turn down an
>> offer the NSA makes you. :)
>
> Ah, yes. This:
>
>https://mailman.stanford.edu/pipermail/liberatio
On Wed, 12 Jun 2013 goe...@anime.net wrote:
cellphones with cameras are probably better for the purposes of covert mass
surveillance, especially ones with front facing cameras. far more of them out
there, and wireless to boot.
surprised everyone gets their panties in a bunch over presumed game
On Wed, Jun 12, 2013 at 09:30:53PM -0400, valdis.kletni...@vt.edu wrote:
> Ask the ex-CEO of Qwest what happens if you try to turn down an
> offer the NSA makes you. :)
Ah, yes. This:
https://mailman.stanford.edu/pipermail/liberationtech/2013-June/008815.html
---rsk
On Thu, Jun 13, 2013 at 11:35 AM, Jonathan Lassoff wrote:
>
> In the PRISM context, I highly doubt their using Splunk for any kind
> of analysis beyond systems and network management. It's not good at
> indexing non-texty-things.
> What if you need to search for events that were geographically
> p