CDR: Re: Carnivore All-Consuming

David Honig honig at sprynet.com
Mon Nov 20 08:36:03 PST 2000


At 10:34 PM 11/19/00 -0500, Jim Dixon wrote:
>> A PC, using off-the-shelf HW, is capable of filtering a full 100 Mbps link 
>> (144K packets/sec) as demonstrated by the BlackICE products 
>> http://www.networkice.com/html/blackice_sentry.html
>
>First, like any other manufacturer's claims, these should be treated
>with some skepticism.
>
>Second, this is an intrusion detection system.  I suspect that they
>are looking for something simpler than what Carnivore is trying to 
>detect.

Run a raw tcpdump on a machine with 2 cpus, maybe filter online
with something simple (like IP addr) and reconstruct offline.

You're not analyzing on line, you're recognizing addresses and
DMAing buffers which are flushed to nonvolatile storage.

Re: monitoring an OC-XXX with overt access is just a matter of how much you
can pay for fast electronics.  

Take a look at the Caida.org folks' work on monitoring backbones.

Carnivore in its current state may well be a point-tool intended
for leaf-node ISPs, but you can certainly extrapolate to Carnivore 2.0
for Gigabit Ether.   "Just plug your boxes through ours and you'll be
CALEA-compliant, and no more hassles from us.."  An optical tap
(essentially a fiber optic beamsplitter) would be fairly fail-safe to the ISP.

>Third, even if you believe that they can really analyse data at 
>100 Mbps, this still doesn't give them the ability to handle more 
>than one PoP with two DS3 connections.  This is still orders of 
>magnitude away from being able to handle a major site with 
>multiple 2.5G connections, let alone all of the traffic handled by 
>a major ISP.
>
>The original claim was that Carnivore could monitor all of an ISP's 
>traffic.  This isn't true for most ISPs.  And the amazing growth 
>rates that we are seeing in bandwidth and network complexity make it
>exceedingly unlikely that Carnivore or anything like it will ever 
>catch up.
>
>Qwest deployed 14,000 miles of fibre some years ago.  This was
>packaged as conduits carrying 48 fiber pairs, each pair using 
>wave division multiplexing to carry 8 to 16 optical channels, with
>each channel running at 10 Gbps.  That's 160 Gbps per fiber, 
>7,680 Gbps per conduit.  Qwest is one of many carriers.  160 Gbps
>over a fiber pair isn't state of the art.  Qwest has many conduits.
>
>If a PC can monitor 100M of bandwidth, it would take, uhm, about
>seventy seven thousand PCs to monitor one of Qwest's conduits.  Not
>that I believe that one PC can monitor traffic at 100 Mbps.
>
>> >The overall capacity and the complexity of the Internet is increasing
>> >at an explosive rate.  For better or for worse, this far exceeds the
>> >growth in any government's capability of monitoring Internet traffic.
>
>--
>Jim Dixon                  VBCnet GB Ltd           http://www.vbc.net
>tel +44 117 929 1316                             fax +44 117 927 2015
>
>
>
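The capture-then-reconstruct split described above (a cheap address match at capture time, with TCP stream reassembly done later from the stored buffers), as an added illustration that is not part of the original post and not code from Carnivore, BlackICE or any other product named in the thread. It is Python; the packets, addresses, ports and payloads are constructed in memory for the example, and a real run would read them from a tcpdump capture instead.

```python
"""Capture-time address filter plus offline TCP stream reconstruction.

Added example, not code from the original post.  Packets are built in
memory (constructed addresses, ports and payloads); a real run would read
them from a tcpdump/pcap file instead.
"""
import socket
import struct
from collections import defaultdict

IP_FMT = "!BBHHHBBH4s4s"   # IPv4 header without options (20 bytes)
TCP_FMT = "!HHIIBBHHH"     # TCP header without options (20 bytes)


def build_packet(src, dst, sport, dport, seq, payload, flags=0x18):
    """Build a minimal IPv4/TCP packet.  Checksums are left at zero because
    these bytes never reach a NIC; a real capture would carry valid ones."""
    tcp = struct.pack(TCP_FMT, sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack(IP_FMT, 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def parse_packet(raw):
    """Decode only the fields needed to filter and reassemble; return None
    for anything that is not IPv4/TCP."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack(IP_FMT, raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, _, off_rsv, flags = struct.unpack("!HHIIBB", raw[ihl:ihl + 14])
    data_off = (off_rsv >> 4) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "seq": seq, "flags": flags,
            "payload": raw[ihl + data_off:total]}


def online_filter(raw_packets, watch_addr):
    """Capture-time stage: the only per-packet decision is whether the packet
    touches watch_addr.  Matching packets are stored verbatim for later."""
    kept = []
    for raw in raw_packets:
        pkt = parse_packet(raw)
        if pkt and watch_addr in (pkt["src"], pkt["dst"]):
            kept.append(raw)
    return kept


def reconstruct_streams(raw_packets):
    """Offline stage: group segments by 4-tuple, order by sequence number,
    discard retransmitted bytes, and concatenate each direction's payload."""
    segments = defaultdict(dict)
    for raw in raw_packets:
        pkt = parse_packet(raw)
        if pkt and pkt["payload"]:
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            segments[key].setdefault(pkt["seq"], pkt["payload"])   # first copy wins
    streams = {}
    for key, by_seq in segments.items():
        data, expected = b"", None
        for seq in sorted(by_seq):
            chunk = by_seq[seq]
            if expected is not None and seq < expected:
                chunk = chunk[expected - seq:]   # overlap with bytes already copied
            data += chunk
            expected = max(expected or 0, seq + len(by_seq[seq]))
        streams[key] = data
    return streams


# Constructed sample "capture": one HTTP exchange delivered out of order with
# a retransmission, plus an unrelated SMTP packet the filter should drop.
CLIENT, SERVER, OTHER = "10.0.0.5", "192.0.2.10", "198.51.100.7"
REQ = [b"GET / HTTP/1.0\r\n", b"Host: leaf-isp.example\r\n", b"\r\n"]
SEQ = [1000, 1000 + len(REQ[0]), 1000 + len(REQ[0]) + len(REQ[1])]
SAMPLE_CAPTURE = [
    build_packet(CLIENT, SERVER, 40000, 80, SEQ[1], REQ[1]),    # arrives first (out of order)
    build_packet("10.0.0.9", OTHER, 1234, 25, 7, b"HELO\r\n"),  # unrelated traffic
    build_packet(CLIENT, SERVER, 40000, 80, SEQ[0], REQ[0]),
    build_packet(CLIENT, SERVER, 40000, 80, SEQ[1], REQ[1]),    # retransmission
    build_packet(CLIENT, SERVER, 40000, 80, SEQ[2], REQ[2]),
    build_packet(SERVER, CLIENT, 80, 40000, 5000, b"HTTP/1.0 200 OK\r\n\r\n"),
]

if __name__ == "__main__":
    kept = online_filter(SAMPLE_CAPTURE, CLIENT)
    for key, data in reconstruct_streams(kept).items():
        print(key, data)
```

The capture-time stage does no more work than a BPF expression such as `host 10.0.0.5` would: it compares two addresses and copies the packet. Everything that costs CPU (ordering, dropping retransmissions, joining payloads) happens in `reconstruct_streams`, which can run on a different machine and at any later time.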

More information about the cypherpunks-legacy mailing list