[Details on the AT&T/NSA wiretapping]

coderman coderman at gmail.com
Mon Apr 10 12:56:12 PDT 2006


On 4/10/06, Eugen Leitl <eugen at leitl.org> wrote:
> ...
>          If you spend your life at layer 2 of the network (down where
>          packets change direction based on the value of a few bits in
>          the IP header) then looking beyond the IP header (to such
>          exotic places as the port numbers in the TCP header) to
>          recognize that one packet as likely to be HTTP and another as
>          likely to be VOIP is considered "semantic".  And it's harder
>          than you'd think it would be at 10Gbps (that's one packet
>          roughly every 200 nanoseconds).

not really, see below.


>          One of the reasons I am dubious about this article is that
>          the peering point that tries to do intrusion detection
>          between what we used to refer to as "the Milnet" and the rest
>          of the world is unable to monitor packets on 1Gbps links (so
>          they keep adding 1Gbps links every couple of months instead
>          of adding 10Gbps links less frequently).  That site has
>          hardware money coming out its ears (they talk about keeping
>          several hundred gigabytes of transaction logs in RAM).  And,
>          that site is run in cooperation with NSA.

hardware monies buy things like FPGA driven filters, and these
hardware sniffers can in turn easily talk to banks of DDR.

there was a paper at USENIX or somewhere that showed Xilinx FPGA's
programmed with up to 700+ snort filter rules that could monitor a
10GigE stream in real time (yes, 10GigE) and scaled linear; just the
kind of mechanism well funded adversaries like to brute force. [i
can't find this paper anymore, does someone else have a link / copy?]

nallatech makes some nice FPGA hardware systems that would apply:
http://www.nallatech.com/?node_id=1.2.1&id=1

sure, this doesn't capture everything, but i suspect these filters are
tuned more for what they want to discard (p2p movie and warez traffic,
that'd eliminate quite a chunk, right?) than for what they want to
inspect.  (that is, what they want to inspect is everything they don't
consider useless and filter out)

on a side note, the recent interference in the Sourcefire and Check
Point merger makes you wonder, doesn't it?  what kind of
classification systems is the government using from Sourcefire that is
so sensitive it must be US owned?


>          If this equipment did what is being claimed, I think that
>          peering point would know about it and be using it for lesser
>          things like intrusion detection. ---p*zz*]

they don't get to play on the equipment.  they only get to splice a fiber to it.

you can buy these kinds of high capacity hardware filtering /
classifying systems but they are insanely expensive.  like
http://www.cloudshield.com/ for example.





More information about the cypherpunks-legacy mailing list