
Re: [tor-relays] clarification on what Utah State University exit relays store ("360 gigs of log files")



grarpamp:
> On Fri, Aug 21, 2015 at 12:30 AM, Mike Perry <mikeperry@xxxxxxxxxxxxxx> wrote:
> > I submitted a proposal to tor-dev describing a simple defense against
> > this default configuration:
> > https://lists.torproject.org/pipermail/tor-dev/2015-August/009326.html
> 
> nProbe should be added to the router list, it's a very popular
> opensource IPFIX / netflow tap.
> http://www.ntop.org/products/netflow/nprobe/

While ntop is FLOSS, nProbe itself seems to be closed source. There's a
FAQ on the page about it.

As such, I was only able to discover that its default inactive/idle
timeout is 30s. I couldn't find a range.
 
> For those into researching other flow capabilities...
> There are also some probes in OS kernels and
> some other opensource taps, they're not as well known
> or utilized as nProbe.
> Other large hardware vendors include Brocade, Avaya,
> Huawei, and Alcatel-Lucent.

Out of all of these, I was only able to find info on Alcatel-Lucent. It
uses cflowd, which appears to be a common subcomponent. Its timeout
ranges are the same as Cisco IOS.

What I really need now is any examples of common routers that have a
default inactive/idle timeout below 10s, or allow you to set it below
10s. So far I have not found any.
 
> Lots of SDN and monitoring projects can plug in
> with gear like this, because, FTW...
> 
> http://telesoft-technologies.com/technologies/mpac-ip-7200-dual-100g-ethernet-accelerator-card
> http://www.hitechglobal.com/IPCores/100GigEthernet-MAC-PCS.htm
> http://www.napatech.com/sites/default/files/dn-0820_nt100e3-1-ptp_data_sheet_3.pdf
> https://www.cesnet.cz/wp-content/uploads/2015/01/hanic-100g.pdf
> http://www.ndsl.kaist.edu/~kyoungsoo/papers/2010-lanman-100Gbps.pdf
> http://info.iet.unipi.it/~luigi/netmap/

I think these devices are wandering into the "adversarial admin"
territory (see section 3 of the proposal). I want to focus on the case
where the adversary demands/sniffs/exploits routers likely to be
installed in most networks.


-- 
Mike Perry


_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays