huawei

Scott Helms khelms at zcorum.com
Fri Jun 14 00:28:06 UTC 2013


Bill,

Certainly everything you said is correct and at the same time is not useful
for the kinds of traffic interception that's been implied.  20 packets of
random traffic capture is extraordinarily unlikely to contain anything of
interest and even if you do happen to get a juicy fragment your chances of
getting more are virtually nil.  An effective system must either capture
and transmit large numbers of packets or have a command and control system
in order to target smaller captures against a shifting list of addresses.
Either of those things is very detectable.   I've spent a significant
amount of time looking at botnet traffic which has the same kind of
requirements.
On Jun 13, 2013 6:45 PM, "William Herrin" <bill at herrin.us> wrote:

> On Thu, Jun 13, 2013 at 1:20 PM, Scott Helms <khelms at zcorum.com> wrote:
> > if one of my routers starts sending cat
> > photos somewhere, no matter how cute, I'm gonna consider that suspicious.
>
> Hi Scott,
>
> If once every 24 hours or so your router borrows the source IP of a
> packet it recently passed and uses it to send a burst of 20
> intentionally unacknowledged packets containing a cat photo, your odds
> of noticing are very close to zero and your odds of tracing it to the
> router are even worse.
>
> Implementing a magic-packet remote kill switch is even easier... and
> completely undetectable until used. With a little effort you could
> implement it in the forwarding hardware where even a thorough analysis
> of the firmware image can't detect it.
>
> Regards,
> Bill Herrin
>
>
> --
> William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
>
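
Added example, not part of the original messages: one way an operator could test for the behaviour debated in this thread, by comparing packets seen on taps on both sides of a router and flagging egress packets that never entered it. The record layout, addresses, digests and thresholds are constructed assumptions for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample records: (time_s, src, dst, proto, ip_id, payload_digest).
# TTL is left out of the record because a router changes it when forwarding.
INGRESS = [(float(i), "198.51.100.7", "203.0.113.9", "tcp", 100 + i, f"d{i}")
           for i in range(3)]
EGRESS = (
    [(t + 0.001, *rest) for t, *rest in INGRESS]            # normal forwarding
    + [(30.0, "10.0.0.1", "10.0.0.2", "tcp", 9, "bgp")]     # router's own traffic
    + [(60.0 + i * 0.01, "198.51.100.7", "192.0.2.55", "udp", 500 + i, f"x{i}")
       for i in range(20)]                                   # burst with borrowed source
)

def router_originated(ingress, egress, own_addrs):
    """Return egress packets that never entered the router and do not carry
    one of its own addresses, i.e. traffic it emitted under a transit source."""
    pending = Counter(p[1:] for p in ingress)
    orphans = []
    for p in egress:
        key = p[1:]
        if pending[key] > 0:
            pending[key] -= 1          # matched a packet that came in
        elif p[1] not in own_addrs:
            orphans.append(p)
    return orphans

def bursts(orphans, window_s=2.0, min_packets=20):
    """Report (src, dst) pairs with at least min_packets orphans inside window_s."""
    by_flow = defaultdict(list)
    for p in orphans:
        by_flow[(p[1], p[2])].append(p[0])
    hits = []
    for flow, times in by_flow.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window_s:
                lo += 1
            if hi - lo + 1 >= min_packets:
                hits.append((flow, hi - lo + 1))
                break
    return hits

if __name__ == "__main__":
    print(bursts(router_originated(INGRESS, EGRESS, {"10.0.0.1"})))
```

The check depends on having independent capture points on each side of the device; it says nothing about a dormant trigger that has not yet sent anything.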


