Blocking TCP flows?

Phil Fagan philfagan at gmail.com
Sun Jun 16 15:59:08 UTC 2013


Eric,

I haven't read the full paper yet, however, are you simply acting as a
proxy and redirecting based on the secret tag found in the header?

What is your expectation for session/second use? I would think you would
need to scale largely, however, I don't have a good understanding of how
large the market is for users trying to obfuscate the state's
firewall/proxy/dns controls etc.

ISP seems like a great place to live for that; what have they said so far?


On Fri, Jun 14, 2013 at 12:30 PM, Eric Wustrow <ewust at umich.edu> wrote:

> Oddly enough, anticensorship. We use similar technology as the censors
> (DPI, flow blocking), but use our system in a non-censoring country's ISP
> to detect secret tags in connections from censored countries, and serve as
> a proxy for them. Once we detect a flow with a secret tag passing through
> the ISP, we block the real flow, and start spoofing half of the connection.
> We use this covert channel to communicate to the client and act as a proxy.
> To the censor, this looks like a normal connection to some innocuous,
> unrelated (and unblocked) website. The obvious difficulty is convincing
> ISPs to deploy such a proxy. More details can be found at
> https://telex.cc/
>
>
>
> On Fri, Jun 14, 2013 at 3:15 AM, Dobbins, Roland <rdobbins at arbor.net>
> wrote:
>
> >
> > On Jun 14, 2013, at 2:32 AM, Eric Wustrow wrote:
> >
> > > I'm looking for a way to block individual TCP flows (5-tuple) on a 1-10
> > > gbps link, with new blocked flows being dropped within a millisecond or
> > > so of being added.
> >
> > What's the actual application for this mechanism?
> >
> > -----------------------------------------------------------------------
> > Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
> >
> >           Luck is the residue of opportunity and design.
> >
> >                        -- John Milton
> >
> >
> >
>



-- 
Phil Fagan
Denver, CO
970-480-7618


