[163704] in North American Network Operators' Group


Re: Blocking TCP flows?

daemon@ATHENA.MIT.EDU (Eric Wustrow)
Fri Jun 14 14:31:13 2013

In-Reply-To: <2901AB0C-77FC-405A-BA59-047D064E1CC3@arbor.net>
Date: Fri, 14 Jun 2013 14:30:51 -0400
From: Eric Wustrow <ewust@umich.edu>
To: "Dobbins, Roland" <rdobbins@arbor.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Oddly enough, anticensorship. We use similar technology as the censors
(DPI, flow blocking), but use our system in a non-censoring country's ISP
to detect secret tags in connections from censored countries, and serve as
a proxy for them. Once we detect a flow with a secret tag passing through
the ISP, we block the real flow, and start spoofing half of the connection.
We use this covert channel to communicate to the client and act as a proxy.
To the censor, this looks like a normal connection to some innocuous,
unrelated (and unblocked) website. The obvious difficulty is convincing
ISPs to deploy such a proxy. More details can be found at https://telex.cc/



On Fri, Jun 14, 2013 at 3:15 AM, Dobbins, Roland <rdobbins@arbor.net> wrote:

>
> On Jun 14, 2013, at 2:32 AM, Eric Wustrow wrote:
>
> > I'm looking for a way to block individual TCP flows (5-tuple) on a 1-10
> > gbps link, with new blocked flows being dropped within a millisecond or so
> > of being added.
>
> What's the actual application for this mechanism?
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
>
>           Luck is the residue of opportunity and design.
>
>                        -- John Milton
>
>
>
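The operational question in this thread is how to drop individual TCP flows identified by their 5-tuple as soon as they are added to a blocklist. The following is an added illustration of the matching logic only; it is not code from Telex, from the poster, or from any vendor, and it assumes an exact-match table with per-entry expiry. The packets are constructed sample values. The one detail worth showing is that a flow key must be direction-independent, so that both halves of the connection (client to server and server to client) hit the same entry; a blocklist keyed on the raw source/destination order would let the reverse direction through. A line-rate deployment on a 1-10 Gbps link would need this table in a kernel fast path or in hardware; the Python here only demonstrates the semantics.

```python
"""Per-flow (5-tuple) blocklist with expiry: added example, not Telex code."""
from typing import Dict, List, Optional, Tuple

# Canonical flow key: (proto, endpoint_a, endpoint_b) with the two endpoints
# sorted, so both directions of one connection map to the same entry.
FlowKey = Tuple[str, Tuple[str, int], Tuple[str, int]]
Packet = Tuple[str, str, int, str, int]  # (proto, src_ip, src_port, dst_ip, dst_port)


def canonical_key(proto: str, src_ip: str, src_port: int,
                  dst_ip: str, dst_port: int) -> FlowKey:
    """Order the endpoints so A->B and B->A produce the same key."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (proto, a, b) if a <= b else (proto, b, a)


class FlowBlocklist:
    """Exact-match blocklist keyed by canonical 5-tuple, with per-entry TTL.

    Entries expire lazily on lookup and eagerly via expire(), so a stale
    block never survives past its deadline and the table cannot grow unbounded.
    """

    def __init__(self, default_ttl: float = 60.0) -> None:
        self.default_ttl = default_ttl
        self._expires_at: Dict[FlowKey, float] = {}

    def block(self, proto: str, src_ip: str, src_port: int, dst_ip: str,
              dst_port: int, now: float, ttl: Optional[float] = None) -> FlowKey:
        """Add (or refresh) a block for this flow; returns its canonical key."""
        key = canonical_key(proto, src_ip, src_port, dst_ip, dst_port)
        self._expires_at[key] = now + (self.default_ttl if ttl is None else ttl)
        return key

    def unblock(self, key: FlowKey) -> bool:
        """Remove a block early; True if an entry existed."""
        return self._expires_at.pop(key, None) is not None

    def should_drop(self, proto: str, src_ip: str, src_port: int,
                    dst_ip: str, dst_port: int, now: float) -> bool:
        """Verdict for one packet: True means drop. Expired entries are purged."""
        key = canonical_key(proto, src_ip, src_port, dst_ip, dst_port)
        deadline = self._expires_at.get(key)
        if deadline is None:
            return False
        if now >= deadline:
            del self._expires_at[key]  # lazy expiry on the hot path
            return False
        return True

    def expire(self, now: float) -> int:
        """Eager sweep of expired entries; returns how many were removed."""
        stale = [k for k, t in self._expires_at.items() if now >= t]
        for k in stale:
            del self._expires_at[k]
        return len(stale)

    def __len__(self) -> int:
        return len(self._expires_at)


def apply_verdicts(packets: List[Packet], blocklist: FlowBlocklist,
                   now: float) -> List[str]:
    """Classify each packet as 'drop' or 'pass' against the blocklist."""
    return ["drop" if blocklist.should_drop(*pkt, now=now) else "pass"
            for pkt in packets]


# Constructed sample traffic (documentation-range addresses, not real hosts).
SAMPLE_PACKETS: List[Packet] = [
    ("tcp", "203.0.113.7", 51234, "198.51.100.10", 443),  # client -> server
    ("tcp", "198.51.100.10", 443, "203.0.113.7", 51234),  # server -> client, same flow
    ("tcp", "203.0.113.7", 51235, "198.51.100.10", 443),  # different source port
    ("udp", "203.0.113.7", 51234, "198.51.100.10", 443),  # same ports, other protocol
]


def demo() -> List[str]:
    """Block one flow, then classify the sample packets half a second later."""
    bl = FlowBlocklist(default_ttl=30.0)
    bl.block("tcp", "203.0.113.7", 51234, "198.51.100.10", 443, now=1000.0)
    return apply_verdicts(SAMPLE_PACKETS, bl, now=1000.5)


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, demo()):
        print(verdict, pkt)
```

Only the two packets belonging to the blocked connection are dropped; a neighbouring source port and the same ports over UDP pass, which is the exact-match behaviour an operator wants when the goal is to remove one connection rather than a host or service. The TTL is a safety property: if the controller that adds blocks fails or loses track of a flow, the entry still ages out instead of silently persisting.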
