huawei

Mark Seiden mis at seiden.com
Fri Jun 14 00:53:34 UTC 2013


On Jun 13, 2013, at 5:39 PM, Michael Thomas <mike at mtcc.com> wrote:

> On 06/13/2013 05:28 PM, Scott Helms wrote:
>> Bill,
>> 
>> Certainly everything you said is correct and at the same time is not useful
>> for the kinds of traffic interception that's been implied.  20 packets of
>> random traffic capture is extraordinarily unlikely to contain anything of
>> interest and even if you do happen to get a juicy fragment your chances of
>> getting more are virtually nil.  An effective system must either capture
>> and transmit large numbers of packets or have a command and control system
>> in order to target smaller captures against a shifting list of addresses.
>> Either of those things is very detectable.   I've spent a significant
>> amount of time looking at botnet traffic which has the same kind of
>> requirements.
>> 
> 
> I think you're having a failure of imagination that anything less than
> a massive amount of information sent back to the attacker could be
> useful. I think there are lots and lots of things that could be extremely
> useful that would only require a simple message with "got here" back to the
> attacker if the "got here" condition was sufficiently interesting. Spying doesn't
> have the same motivations as typical botnets for illicit commerce.
> 
> Mike
> 

and even botnets for illicit commerce may only be interested in something that 
is small and may not change very often, so will not need regular exfiltration...

e.g. on a server, 
the current password of a user who can sudo
or a few private keys
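
An added example, written here and not code from any poster in this thread, of the kind of detection Scott's "very detectable" remark points at: a command and control channel that polls on a schedule shows up in connection logs as a regular, low-volume pattern to one external host, and a simple inter-arrival check over NetFlow-style records will surface it. The flow record layout (timestamp, source, destination, port, bytes out), the thresholds and the sample data are all constructed for the example. The one-off 80-byte "got here" style connection in the data is deliberately included to show the limit of this check: with nothing to compare it against, periodicity analysis says nothing about it, which is the point Mike and Mark are making and why small, rarely changing secrets need host-side controls rather than just network monitoring.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, src, dst, dst_port, bytes_out).
# Addresses are RFC 5737 documentation ranges; nothing here is real traffic.
BASE = 1_700_000_000
_JITTER = [0, 5, -3, 7, -6, 2, -4, 8]   # seconds of drift on a 600 s poll

FLOWS = []
# Host 10.0.0.5 polling 203.0.113.7:443 every ~10 minutes with tiny payloads
for i, j in enumerate(_JITTER):
    FLOWS.append((BASE + i * 600 + j, "10.0.0.5", "203.0.113.7", 443, 200 + 10 * i))
# The same host browsing a legitimate site: irregular timing, larger transfers
for off, nbytes in zip([12, 40, 47, 300, 1500, 1510, 1800, 3000],
                       [1500, 42000, 800, 120000, 3000, 56000, 900, 8000]):
    FLOWS.append((BASE + off, "10.0.0.5", "198.51.100.20", 443, nbytes))
# A single tiny outbound connection from another host: the "got here" case
FLOWS.append((BASE + 1234, "10.0.0.9", "203.0.113.7", 443, 80))


def find_beacons(flows, min_conns=6, max_bytes=512, max_cv=0.15):
    """Flag (src, dst, port) tuples whose connections are frequent, small and
    evenly spaced.  max_cv bounds the coefficient of variation of the gaps
    between connections; scheduled polling has a low one, human traffic does not.
    Thresholds are illustrative assumptions, tune them to the environment."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_pair[(src, dst, port)].append((ts, nbytes))

    hits = []
    for (src, dst, port), recs in by_pair.items():
        if len(recs) < min_conns:          # too few samples to judge periodicity
            continue
        recs.sort()
        times = [t for t, _ in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period == 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv and max(n for _, n in recs) <= max_bytes:
            hits.append({"src": src, "dst": dst, "port": port,
                         "count": len(recs), "period_s": round(period, 1),
                         "cv": round(cv, 3)})
    return hits


def unflagged_small_connections(flows, max_bytes=128):
    """The blind spot: single small connections that the periodicity check
    cannot reason about because there is only one sample."""
    flagged = {(h["src"], h["dst"], h["port"]) for h in find_beacons(flows)}
    return [f for f in flows
            if f[4] <= max_bytes and (f[1], f[2], f[3]) not in flagged]


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print("possible beacon:", hit)
    for f in unflagged_small_connections(FLOWS):
        print("small one-off connection not covered by this check:", f)
```

Run against the constructed records, the polling host is reported with a period of about 601 s and a gap variation of under 2%, the browsing traffic is not, and the single 80-byte connection is listed separately as something this check cannot classify.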

More information about the NANOG mailing list