Home page logo

nanog logo nanog mailing list archives

Re: huawei
From: Scott Helms <khelms () zcorum com>
Date: Fri, 14 Jun 2013 14:35:08 -0400

On Fri, Jun 14, 2013 at 1:51 PM, <Valdis.Kletnieks () vt edu> wrote:

On Fri, 14 Jun 2013 13:21:09 -0400, Scott Helms said:

How?  There is truly not that much room in the IP packet to play games
if you're modifying all your traffic this would again be pretty easy to
spot.  Again, the easiest/cheapest method is that there is a backdoor

Do you actually examine your traffic and drop packets that have non-zeros
in reserved fields?  (Remember what that did to the deployment of ECN?)

And there's plenty of room if you stick a TCP or IP option header in
there. Do
you actually check for those too?

When I think something odd is happening or I'm benchmarking new gear from a
new vendor, yes I do but the main point is that there is so little benefit
for them do this why would they bother?

How fast can you send data to a cooperating router down the way if you
the low 3 bits of TCP timestamps on a connection routed towards the
router? (SUre, you just busted somebody's RTT calculation, but it will just
decide it's a high-jitter path and deal with it).

In $random_deployment they have no idea what the topology is and odd
behavior is *always *noticed over time.   The amount of time it would take
to transmit useful information would nearly guarantees someone noticing and
the more successful the exploit was the more chance for discovery there
would be.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]