[163672] in North American Network Operators' Group


Re: huawei

daemon@ATHENA.MIT.EDU (Mark Seiden)
Thu Jun 13 20:53:52 2013

From: Mark Seiden <mis@seiden.com>
In-Reply-To: <51BA6636.1010403@mtcc.com>
Date: Thu, 13 Jun 2013 17:53:34 -0700
To: Michael Thomas <mike@mtcc.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Jun 13, 2013, at 5:39 PM, Michael Thomas <mike@mtcc.com> wrote:

> On 06/13/2013 05:28 PM, Scott Helms wrote:
>> Bill,
>>
>> Certainly everything you said is correct and at the same time is not useful
>> for the kinds of traffic interception that's been implied.  20 packets of
>> random traffic capture is extraordinarily unlikely to contain anything of
>> interest and even if you do happen to get a juicy fragment your chances of
>> getting more are virtually nil.  An effective system must either capture
>> and transmit large numbers of packets or have a command and control system
>> in order to target smaller captures against a shifting list of addresses.
>> Either of those things are very detectable.   I've spent a significant
>> amount of time looking at botnet traffic which has the same kind of
>> requirements.
>>
>
> I think you're having a failure of imagination that anything less than
> a massive amount of information sent back to the attacker could be
> useful. I think there are lots and lots of things that could be extremely
> useful that would only require a simple message with "got here" back to the
> attacker if the "got here" condition was sufficiently interesting. Spying doesn't
> have the same motivations as typical botnets for illicit commerce.
>
> Mike
>

and even botnets for illicit commerce may only be interested in something that
is small and may not change very often so will not need regular exfiltration...

e.g. on a server,
the current password of a user who can sudo
or a few private keys
