From: Scott Helms <khelms () zcorum com>
Date: Thu, 13 Jun 2013 20:28:06 -0400
Certainly everything you said is correct and at the same time is not useful
for the kinds of traffic interception that's been implied. 20 packets of
random traffic capture is extraordinarily unlikely to contain anything of
interest and even if you do happen to get a juicy fragment your chances of
getting more are virtually nil. An effective system must either capture
and transmit large numbers of packets or have a command and control system
in order to target smaller captures against a shifting list of addresses.
Either of those things is very detectable. I've spent a significant
amount of time looking at botnet traffic which has the same kind of
On Jun 13, 2013 6:45 PM, "William Herrin" <bill () herrin us> wrote:
On Thu, Jun 13, 2013 at 1:20 PM, Scott Helms <khelms () zcorum com> wrote:
if one of my routers starts sending cat
photos somewhere, no matter how cute, I'm gonna consider that suspicious.
If once every 24 hours or so your router borrows the source IP of a
packet it recently passed and uses it to send a burst of 20
intentionally unacknowledged packets containing a cat photo, your odds
of noticing are very close to zero and your odds of tracing it to the
router are even worse.
Implementing a magic-packet remote kill switch is even easier... and
completely undetectable until used. With a little effort you could
implement it in the forwarding hardware where even a thorough analysis
of the firmware image can't detect it.
William D. Herrin ................ herrin () dirtside com bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
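The detection argument in the thread (a transit router that originates its own packets, even under a borrowed source address, still leaves an ingress/egress mismatch) can be checked mechanically. The script below is an added example written for this page, not code from either poster: it reconciles per-pair packet counts seen entering the router against counts seen leaving it and flags egress flows with no matching ingress. The flow records, field layout and the `reconcile`/`borrowed_sources` names are constructed assumptions, not any vendor's export format.

```python
"""
Added example: ingress/egress reconciliation for a forwarding device.
On a pure transit router every packet that leaves should have entered on
some interface first. Egress packets with no ingress counterpart were
originated by the router itself, even when their source address was
"borrowed" from a flow it recently forwarded. Flow records and field
names below are constructed for illustration (an assumption, not a real
NetFlow/IPFIX schema).
"""
from collections import defaultdict

# Constructed flow records: (direction, src_ip, dst_ip, packets)
# direction is "in" (received by the router) or "out" (sent by the router).
SAMPLE_FLOWS = [
    ("in",  "203.0.113.10", "198.51.100.5", 120),
    ("out", "203.0.113.10", "198.51.100.5", 120),   # forwarded 1:1
    ("in",  "198.51.100.5", "203.0.113.10", 98),
    ("out", "198.51.100.5", "203.0.113.10", 98),    # forwarded 1:1
    ("in",  "203.0.113.44", "192.0.2.7", 30),
    ("out", "203.0.113.44", "192.0.2.7", 30),       # forwarded 1:1
    # 20 extra egress packets reusing a source the router recently
    # forwarded for, with no matching ingress flow at all (constructed).
    ("out", "203.0.113.10", "192.0.2.99", 20),
]


def reconcile(flows, tolerance=0):
    """Return egress (src, dst) pairs whose packet count exceeds what
    entered the router for that pair, mapped to the surplus.

    `tolerance` absorbs traffic a router legitimately originates on its
    own (ICMP errors, routing-protocol hellos); 0 is the strict setting.
    The result is sorted by surplus, largest first.
    """
    ingress = defaultdict(int)
    egress = defaultdict(int)
    for direction, src, dst, pkts in flows:
        table = ingress if direction == "in" else egress
        table[(src, dst)] += pkts

    suspicious = {}
    for key, out_pkts in egress.items():
        surplus = out_pkts - ingress.get(key, 0)
        if surplus > tolerance:
            suspicious[key] = surplus
    return dict(sorted(suspicious.items(), key=lambda kv: -kv[1]))


def borrowed_sources(flows, tolerance=0):
    """Label each surplus egress flow by whether its source address is one
    the router has seen on ingress ("borrowed-source", the pattern
    discussed in the thread) or one it never forwarded ("unknown-source").
    """
    forwarded_srcs = {src for d, src, _dst, _p in flows if d == "in"}
    labels = {}
    for key in reconcile(flows, tolerance):
        src = key[0]
        labels[key] = ("borrowed-source" if src in forwarded_srcs
                       else "unknown-source")
    return labels


if __name__ == "__main__":
    for (src, dst), surplus in reconcile(SAMPLE_FLOWS).items():
        label = borrowed_sources(SAMPLE_FLOWS)[(src, dst)]
        print(f"{src} -> {dst}: {surplus} router-originated packets ({label})")
```

Running the block over the constructed records reports the single unmatched egress flow (20 packets from 203.0.113.10 to 192.0.2.99) and labels it as using a borrowed source. On real exports, both directions must be collected on every interface of the device and counted over the same window, otherwise ordinary sampling loss will produce false surpluses; raising `tolerance` or aggregating over longer windows handles that.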