CDR: Re: Carnivore All-Consuming
David Honig
honig at sprynet.com
Mon Nov 20 08:36:03 PST 2000
At 10:34 PM 11/19/00 -0500, Jim Dixon wrote:
>> A PC, using off-the-shelf HW, is capable of filtering a full 100 Mbps link
>> (144K packets/sec) as demonstrated by the BlackICE products
>> http://www.networkice.com/html/blackice_sentry.html
>
>First, like any other manufacturer's claims, these should be treated
>with some skepticism.
>
>Second, this is an intrusion detection system. I suspect that they
>are looking for something simpler than what Carnivore is trying to
>detect.
Run a raw tcpdump on a machine with 2 cpus, maybe filter online
with something simple (like IP addr) and reconstruct offline.
You're not analyzing online, you're recognizing addresses and
DMAing buffers which are flushed to nonvolatile storage.
Re: monitoring an OC-XXX with overt access is just a matter of how much you
can pay for fast electronics.
Take a look at the Caida.org folks' work on monitoring backbones.
Carnivore in its current state may well be a point-tool intended
for leaf-node ISPs, but you can certainly extrapolate to Carnivore 2.0
for Gigabit Ether. "Just plug your boxes through ours and you'll be
CALEA-compliant, and no more hassles from us.." An optical tap
(essentially a fiber optic beamsplitter) would be fairly fail-safe to the ISP.
>Third, even if you believe that they can really analyse data at
>100 Mbps, this still doesn't give them the ability to handle more
>than one PoP with two DS3 connections. This is still orders of
>magnitude away from being able to handle a major site with
>multiple 2.5G connections, let alone all of the traffic handled by
>a major ISP.
>
>The original claim was that Carnivore could monitor all of an ISP's
>traffic. This isn't true for most ISPs. And the amazing growth
>rates that we are seeing in bandwidth and network complexity make it
>exceedingly unlikely that Carnivore or anything like it will ever
>catch up.
>
>Qwest deployed 14,000 miles of fibre some years ago. This was
>packaged as conduits carrying 48 fiber pairs, each pair using
>wave division multiplexing to carry 8 to 16 optical channels, with
>each channel running at 10 Gbps. That's 160 Gbps per fiber,
>7,680 Gbps per conduit. Qwest is one of many carriers. 160 Gbps
>over a fiber pair isn't state of the art. Qwest has many conduits.
>
>If a PC can monitor 100M of bandwidth, it would take, uhm, about
>seventy seven thousand PCs to monitor one of Qwest's conduits. Not
>that I believe that one PC can monitor traffic at 100 Mbps.
>
>> >The overall capacity and the complexity of the Internet is increasing
>> >at an explosive rate. For better or for worse, this far exceeds the
>> >growth in any government's capability of monitoring Internet traffic.
>
>--
>Jim Dixon VBCnet GB Ltd http://www.vbc.net
>tel +44 117 929 1316 fax +44 117 927 2015
>
>
>
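The two-stage pipeline Honig sketches (a cheap online filter keyed on an IP address, with stream reconstruction deferred to an offline pass over the saved capture) is the same shape a network IDS or a forensic capture box uses. The following is an added example, not code from the post or from any Carnivore or BlackICE product: it builds a handful of constructed Ethernet/IPv4/TCP frames into classic pcap bytes, keeps only frames touching a watched address, and then reorders the surviving TCP payloads by sequence number per flow. The pcap reader assumes little-endian magic and an Ethernet link type, checksums are left zeroed in the constructed frames, and the addresses and ports are sample values.

```python
"""Cheap online IP filter followed by offline TCP stream reconstruction,
working on classic pcap bytes held in memory (constructed sample data)."""
import struct
import ipaddress
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def build_packet(src, dst, sport, dport, seq, payload, flags=0x18):
    """Construct an Ethernet/IPv4/TCP frame; checksums are zero (sample data)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, PROTO_TCP, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    eth_hdr = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + tcp_hdr + payload


def build_pcap(frames):
    """Wrap frames in a classic pcap container: global header plus per-record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield raw frames from pcap bytes (little-endian magic, Ethernet only)."""
    magic, = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    linktype, = struct.unpack("<I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Return (src, dst, sport, dport, seq, payload), or None if not IPv4/TCP."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP or len(ip) < total_len:
        return None
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, seq, tcp[doff:]


def online_filter(pcap_bytes, watched_ip):
    """Stage 1 (the cheap part): keep frames whose IPv4 src or dst is watched_ip."""
    kept = []
    for frame in iter_pcap(pcap_bytes):
        p = parse_frame(frame)
        if p and watched_ip in (p[0], p[1]):
            kept.append(frame)
    return kept


def reconstruct_streams(frames):
    """Stage 2 (offline): order payloads by sequence number per unidirectional flow.
    Keying on seq collapses exact retransmits; sequence wraparound is not handled."""
    flows = defaultdict(dict)
    for frame in frames:
        p = parse_frame(frame)
        if p is None:
            continue
        src, dst, sport, dport, seq, payload = p
        if payload:
            flows[(src, sport, dst, dport)][seq] = payload
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in flows.items()}


def capture_and_reconstruct(pcap_bytes, watched_ip):
    """Run both stages and return {flow tuple: reassembled bytes}."""
    return reconstruct_streams(online_filter(pcap_bytes, watched_ip))


# Constructed sample: one SMTP exchange delivered out of order with a retransmit,
# plus one unrelated HTTP request that the filter must drop.
SAMPLE_FRAMES = [
    build_packet("10.0.0.5", "192.0.2.10", 40000, 25, 119, b"MAIL FROM:<a@example.test>\r\n"),
    build_packet("10.0.0.7", "198.51.100.1", 41000, 80, 1, b"GET / HTTP/1.0\r\n"),
    build_packet("10.0.0.5", "192.0.2.10", 40000, 25, 100, b"HELO example.test\r\n"),
    build_packet("10.0.0.5", "192.0.2.10", 40000, 25, 100, b"HELO example.test\r\n"),
    build_packet("192.0.2.10", "10.0.0.5", 25, 40000, 500, b"250 OK\r\n"),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for flow, data in capture_and_reconstruct(SAMPLE_PCAP, "192.0.2.10").items():
        print(flow, data)
```

The split matters for the capacity argument in the thread: stage 1 touches only fixed header offsets and can keep up with line rate, while stage 2 does the per-flow bookkeeping that costs memory and CPU and is run later against the stored capture.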