Re: [tor-relays] clarification on what Utah State University exit relays store ("360 gigs of log files")
On 9/2/15, Tim Sammut <tim@teamsammut.com> wrote:
> ... - Cisco IOS (and likely other platforms) will immediately export flows if the cache fills to capacity. This will result in flows being exported in less than inactive timeout,..
there is a second limit here, which is the netflow channel capacity / storage limit, if you introduce simulated flows at a rate beyond this capacity, you may become unobservable (via loss) resulting in failure to correlate.

this is why i asked about logical injection via userspace of billions of flows per minute as a resistance measure. (e.g. scapy or other raw inject across a border with cooperating peer, if needed.)

best regards,
On Thu, Sep 3, 2015 at 2:03 AM, coderman <coderman@gmail.com> wrote:
> there is a second limit here, which is the netflow channel capacity / storage limit, if you introduce simulated flows at a rate beyond this capacity, you may become unobservable (via loss) resulting in failure to correlate.
I've seen ISP saturate their own backbone with netflow during nice UDP DoS, collectors had to be hung off local router ports after that.
> this is why i asked about logical injection via userspace of billions of flows per minute as a resistance measure. (e.g. scapy or other raw inject across a border with cooperating peer, if needed.)
If the collector is not protected you can inject bogus flows, implicate your neighbor and fill disks.
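
Added example, not part of the thread or of any poster's code: a collector-side check for the two conditions discussed above, export loss and datagrams from unexpected sources, using the NetFlow v5 header's flow_sequence counter. The exporter addresses, the `CollectorGuard` name and the sample datagrams are constructed for illustration.

```python
import struct
from dataclasses import dataclass, field

HDR = struct.Struct("!HHIIIIBBH")   # NetFlow v5 header, 24 bytes
REC_LEN, MAX_RECS = 48, 30          # v5 record size, max records per datagram

def make_v5(seq, count):
    """Constructed sample datagram: valid v5 header followed by zeroed records."""
    return HDR.pack(5, count, 0, 0, 0, seq, 0, 0, 0) + bytes(count * REC_LEN)

@dataclass
class CollectorGuard:
    allowed: set                                  # exporter IPs (assumed local config)
    next_seq: dict = field(default_factory=dict)  # per-exporter expected flow_sequence
    lost: dict = field(default_factory=dict)      # per-exporter flows never received

    def check(self, src_ip, payload):
        # UDP source addresses can be forged, so the allowlist is only a first
        # filter; it does not replace a dedicated, filtered export path.
        if src_ip not in self.allowed:
            return "reject:unknown-exporter"
        if len(payload) < HDR.size:
            return "reject:short"
        version, count, _, _, _, seq, etype, eid, _ = HDR.unpack_from(payload)
        if version != 5 or not 1 <= count <= MAX_RECS:
            return "reject:bad-header"
        if len(payload) != HDR.size + count * REC_LEN:
            return "reject:bad-length"
        key = (src_ip, etype, eid)
        expected = self.next_seq.get(key, seq)
        gap = (seq - expected) % 2**32            # flow_sequence wraps at 32 bits
        if gap >= 2**31:
            # Behind the counter: replayed or injected data, or an exporter
            # restart. State is left untouched; the caller decides what to do.
            return "flag:sequence-regressed"
        self.lost[key] = self.lost.get(key, 0) + gap
        self.next_seq[key] = (seq + count) % 2**32
        return "accept:gap" if gap else "accept"

def demo():
    guard = CollectorGuard(allowed={"192.0.2.1"})
    events = [("192.0.2.1", make_v5(0, 30)), ("192.0.2.1", make_v5(30, 30)),
              ("192.0.2.1", make_v5(150, 30)),        # 90 flows missing
              ("198.51.100.7", make_v5(180, 30)),     # not an allowed exporter
              ("192.0.2.1", make_v5(180, 30)[:-1]),   # truncated datagram
              ("192.0.2.1", make_v5(30, 30))]         # old sequence number
    return [guard.check(ip, data) for ip, data in events], guard.lost

if __name__ == "__main__":
    print(demo())
```

A rising `lost` count for an exporter shows the collector is missing flows from it, which is the observability loss described in the thread.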
participants (2): coderman, grarpamp