Wow. http://telex.cc is really super. Congrats to Eric and co.

As far as blocking TCP flows, a couple of good NICs (plenty of mem) on a Linux
host, iptables and some ToS is how I'd approach it. You definitely don't want to
be doing it in software, at the application layer. The kernel is closest to the
metal and so iptables would be the way to go, IMO. You can use the '-m string
--string $STRING' feature to match a string in unencrypted traffic and then
drop/accept them with a given rule.

Cheers,

Julian
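As an added example (not code from Julian or anyone in the thread), this is one way to put the suggestion above into a reviewable wrapper: a 5-tuple DROP in the FORWARD chain, with the '-m string' match as an option. It assumes the box forwards the traffic, that IPTABLES names the iptables binary, and that DRY_RUN=1 prints the command instead of running it; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the thread: block one TCP flow by its 5-tuple with
# iptables, optionally restricted to packets carrying a string tag.
# Assumptions: traffic passes the FORWARD chain, IPTABLES names the binary,
# DRY_RUN=1 prints the command for review instead of executing it.
IPTABLES=${IPTABLES:-iptables}

# Run the iptables command given as an argument list, or print it under DRY_RUN.
run_ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Accept only 1-65535 for ports and dotted quads for addresses, so a malformed
# tuple is rejected before it reaches iptables.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
valid_ip() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# flow_rule ACTION SRC SPORT DST DPORT [TAG]
# ACTION is -I (insert at the top of FORWARD, so the flow is cut on its next
# packet) or -D (delete the identical rule). With TAG, only packets carrying
# that string are dropped: --algo is mandatory for the string match, and the
# match is per packet, so a tag split across two segments is not seen.
flow_rule() {
    action=$1 src=$2 sport=$3 dst=$4 dport=$5 tag=$6
    valid_ip "$src" && valid_ip "$dst" &&
        valid_port "$sport" && valid_port "$dport" || return 2
    set -- "$action" FORWARD -p tcp -s "$src" --sport "$sport" -d "$dst" --dport "$dport"
    [ -n "$tag" ] && set -- "$@" -m string --string "$tag" --algo bm
    run_ipt "$@" -j DROP
}
block_flow()   { flow_rule -I "$@"; }
unblock_flow() { flow_rule -D "$@"; }

# Usage (constructed addresses): DRY_RUN=1 block_flow 192.0.2.10 40000 198.51.100.7 80
```

Note that '-m string' sees one packet at a time and only cleartext, so it identifies a flow only while the tag is visible; once the 5-tuple is known, the plain DROP rule is what actually holds the flow closed.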

..on Sat, Jun 15, 2013 at 08:35:55AM +0200, Eugen Leitl wrote:
> ----- Forwarded message from Phil Fagan <philfa...@gmail.com> -----
> 
> Date: Fri, 14 Jun 2013 13:34:16 -0600
> From: Phil Fagan <philfa...@gmail.com>
> To: Eric Wustrow <ew...@umich.edu>
> Cc: NANOG list <na...@nanog.org>
> Subject: Re: Blocking TCP flows?
> 
> I think we just discussed this over in the Huawei list ;-)
> 
> This is pretty awesome!
> 
> 
> On Fri, Jun 14, 2013 at 12:30 PM, Eric Wustrow <ew...@umich.edu> wrote:
> 
> > Oddly enough, anticensorship. We use similar technology as the censors
> > (DPI, flow blocking), but use our system in a non-censoring country's ISP
> > to detect secret tags in connections from censored countries, and serve as
> > a proxy for them. Once we detect a flow with a secret tag passing through
> > the ISP, we block the real flow, and start spoofing half of the connection.
> > We use this covert channel to communicate to the client and act as a proxy.
> > To the censor, this looks like a normal connection to some innocuous,
> > unrelated (and unblocked) website. The obvious difficulty is convincing
> > ISPs to deploy such a proxy. More details can be found at
> > https://telex.cc/
> >
> >
> >
> > On Fri, Jun 14, 2013 at 3:15 AM, Dobbins, Roland <rdobb...@arbor.net>
> > wrote:
> >
> > >
> > > On Jun 14, 2013, at 2:32 AM, Eric Wustrow wrote:
> > >
> > > > I'm looking for a way to block individual TCP flows (5-tuple) on a 1-10
> > > > gbps link, with new blocked flows being dropped within a millisecond or so
> > > > of being added.
> > >
> > > What's the actual application for this mechanism?
> > >
> > > -----------------------------------------------------------------------
> > > Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>
> > >
> > >           Luck is the residue of opportunity and design.
> > >
> > >                        -- John Milton
> > >
> > >
> > >
> >
> 
> 
> 
> -- 
> Phil Fagan
> Denver, CO
> 970-480-7618
> 
> ----- End forwarded message -----
> -- 
> Eugen* Leitl http://leitl.org
> ______________________________________________________________
> ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
> AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
> --
> Too many emails? Unsubscribe, change to digest, or change password by 
> emailing moderator at compa...@stanford.edu or changing your settings at 
> https://mailman.stanford.edu/mailman/listinfo/liberationtech

-- 
Julian Oliver
http://julianoliver.com
http://criticalengineering.org