Home page logo
/

nanog logo nanog mailing list archives

Re: huawei
From: Mark Seiden <mis () seiden com>
Date: Thu, 13 Jun 2013 17:53:34 -0700

On Jun 13, 2013, at 5:39 PM, Michael Thomas <mike () mtcc com> wrote:

On 06/13/2013 05:28 PM, Scott Helms wrote:
Bill,

Certainly everything you said is correct and at the same time is not useful
for the kinds traffic interception that's been implied.  20 packets of
random traffic capture is extraordinarily unlikely to contain anything of
interest and eve if you do happen to get a juicy fragment your chances of
getting more ate virtually nil.  An effective system must either capture
and transmit large numbers of packets or have a command and control system
in order to target smaller captures against a shifting list of addresses.
Either of those things are very detectable.   I've spent a significant
amount of time looking at botnet traffic which has the same kind of
requirements.


I think you're having a failure of imagination that anything less than
a massive amount of information sent back to the attacker could be
useful. I think there are lots and lots of things that could be extremely
useful that would only require a simple message with "got here" back to the
attacker if the "got here" condition was sufficiently interesting. Spying doesn't
have the same motivations as typical botnets for illicit commerce.

Mike


and even botnets for illicit commerce may only be interested something that 
is small and may not change very often so will not need regular exflitration...

e.g. on a server, 
the current password of a user who can sudo
or a few private keys






  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault