On 4/10/06, Eugen Leitl <eugen@leitl.org> wrote:
> ... If you spend your life at layer 2 of the network (down where packets change direction based on the value of a few bits in the IP header) then looking beyond the IP header (to such exotic places as the port numbers in the TCP header) to recognize that one packet as likely to be HTTP and another as likely to be VOIP is considered "semantic". And it's harder than you'd think it would be at 10Gbps (that's one packet roughly every 200 nanoseconds).
not really, see below.
> One of the reasons I am dubious about this article is that the peering point that tries to do intrusion detection between what we used to refer to as "the Milnet" and the rest of the world is unable to monitor packets on 1Gbps links (so they keep adding 1Gbps links every couple of months instead of adding 10Gbps links less frequently). That site has hardware money coming out its ears (they talk about keeping several hundred gigabytes of transaction logs in RAM). And, that site is run in cooperation with NSA.
hardware monies buy things like FPGA driven filters, and these hardware sniffers can in turn easily talk to banks of DDR. there was a paper at USENIX or somewhere that showed Xilinx FPGAs programmed with up to 700+ snort filter rules that could monitor a 10GigE stream in real time (yes, 10GigE) and scaled linearly; just the kind of mechanism well funded adversaries like to brute force. [i can't find this paper anymore, does someone else have a link / copy?]

nallatech makes some nice FPGA hardware systems that would apply: http://www.nallatech.com/?node_id=1.2.1&id=1

sure, this doesn't capture everything, but i suspect these filters are tuned more for what they want to discard (p2p movie and warez traffic, that'd eliminate quite a chunk, right?) than for what they want to inspect. (that is, what they want to inspect is everything they don't consider useless and filter out)

on a side note, the recent interference in the Sourcefire and Check Point merger makes you wonder, doesn't it? what kind of classification systems are the government using from Sourcefire that are so sensitive they must be US owned?
> If this equipment did what is being claimed, I think that peering point would know about it and be using it for lesser things like intrusion detection.
>
> ---p*zz*]
they don't get to play on the equipment. they only get to splice a fiber to it. you can buy these kinds of high capacity hardware filtering / classifying systems but they are insanely expensive. like http://www.cloudshield.com/ for example.
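The two points argued above, that port-based classification means parsing past the IP header, and that 10GigE leaves only tens to hundreds of nanoseconds per packet, can be made concrete. The following is an added example, not code from the thread or from any of the vendors mentioned: it walks Ethernet/IPv4/L4 headers to label a frame by well-known port and computes the on-wire time budget a classifier gets per frame at 10 Gbps. The port-to-application table and the RTP heuristic are illustrative assumptions, and the frames are constructed sample data.

```python
import struct

LINK_BPS = 10_000_000_000          # 10GigE line rate, as discussed in the thread
PREAMBLE_IFG_BYTES = 20            # 8-byte preamble/SFD + 12-byte inter-frame gap
ETH_HDR = 14

# Assumed port-to-application map (illustrative; not any product's rule set)
PORT_CLASS = {80: "http", 8080: "http", 443: "https", 5060: "sip", 5061: "sip"}

def classify_frame(frame: bytes) -> str:
    """Walk Ethernet -> IPv4 -> TCP/UDP headers and label the frame by port."""
    if len(frame) < ETH_HDR + 20:
        return "runt"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return "non-ipv4"
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes (options included)
    proto = ip[9]
    if proto not in (6, 17):          # only TCP (6) and UDP (17) carry ports
        return "other-l4"
    l4 = ip[ihl:]
    if len(l4) < 4:
        return "truncated"
    sport, dport = struct.unpack("!HH", l4[:4])
    for p in (dport, sport):
        if p in PORT_CLASS:
            return PORT_CLASS[p]
    if proto == 17 and 16384 <= dport <= 32767 and dport % 2 == 0:
        return "rtp?"                 # even UDP port in a common RTP range: a guess only
    return "unknown"

def ns_per_packet(wire_bytes: int, link_bps: int = LINK_BPS) -> float:
    """Time one frame occupies the link, including preamble and inter-frame gap."""
    return (wire_bytes + PREAMBLE_IFG_BYTES) * 8 / link_bps * 1e9

def build_frame(proto: int, sport: int, dport: int, payload_len: int) -> bytes:
    """Construct a minimal Ethernet/IPv4/L4 frame (sample data, not a capture)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    total = 20 + 8 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4
    return eth + ip + l4 + b"\x00" * payload_len

if __name__ == "__main__":
    f = build_frame(6, 40000, 80, 100)
    print(classify_frame(f), f"{ns_per_packet(len(f)):.1f} ns", f"{ns_per_packet(64):.1f} ns min-frame")
```

A minimum 64-byte frame leaves 67.2 ns on the wire; the "roughly 200 ns" figure quoted above corresponds to frames of about 230 bytes, so a classifier must finish the header walk well inside that for every frame.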