On Sun, Feb 11, 2007 at 01:03:22PM +0100, Florent Daignière (NextGen$) wrote:
> * Matthew Toseland <toad at amphibian.dyndns.org> [2007-02-11 00:50:31]:
>
> > http://www.securityfocus.com/infocus/1843/3
> >
> > Paper suggests that traffic flow analysis can in some cases be easier
> > than signature matching. Arguably there is some cost because the records
> > must be processed by separate hardware, otherwise there is a performance
> > cost; I am told this is why the support is turned off on most routers.
> >
> > Comments? If traffic flow analysis is cheap, then in the long term we
> > have serious problems.
>
> Well, there is nothing new here :) As p2p protocols start to use
> cryptography, it becomes easier to find alternate ways of matching
> them... Traffic analysis isn't cheap : it's becoming cheaper than
> other means, that's all.

Cheaper than traffic categorisation by predictable bytes = cheap.
>
> From the article : their current "pattern" is :
> "For a period of time(x), from on single IP, fixed UDP port -> many
> destination IP(y), fixed or random UDP ports"
> We are safe from that when using darknet ;)

True, I suppose. However, multiple long lived bidirectional UDP
connections to domestic IP addresses is a bit of a giveaway. Trying to
construct the network topology may improve your hit rate but may require
global knowledge.
>
> According to the end of the article, they plan to use size of packets to
> identify the p2p traffic as well ... We are immune to that too as we do
> use random size padding, aren't we ?

Well... kind of. Somebody recently mentioned that there are a lot of 1113
byte packets when transfers are happening, which suggests maybe there's a
bug in the current random 1-100 byte padding implementation. But really,
it sucks, we need a better padding strategy. Maybe a list of popular
packet sizes that we can round up to.
>
> NextGen$
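
An added illustration of the padding point in the last reply (not part of the original message and not Freenet's code): it compares what a size-based observer sees under random 1-100 byte padding and under rounding up to a fixed list of sizes. The bucket list, the two payload sizes and all function names are constructed assumptions.

```python
import bisect
import random
from collections import Counter

# Assumed bucket list for illustration only; not taken from Freenet.
BUCKETS = [64, 128, 256, 576, 1024, 1280, 1492]

def pad_random(size, rng, lo=1, hi=100):
    """Scheme named in the message: append 1..100 random bytes."""
    return size + rng.randint(lo, hi)

def pad_bucket(size, rng=None, buckets=BUCKETS):
    """Proposed scheme: round up to the next size in a fixed list."""
    i = bisect.bisect_left(buckets, size)
    if i == len(buckets):
        raise ValueError("payload exceeds largest bucket; fragment it first")
    return buckets[i]

def wire_sizes(payload, pad, n=2000, seed=1):
    """Histogram of on-the-wire sizes an observer sees for one payload size."""
    rng = random.Random(seed)
    return Counter(pad(payload, rng) for _ in range(n))

def overlap(a, b):
    """Fraction of a's packets whose wire size is also produced by b."""
    return sum(c for s, c in a.items() if s in b) / sum(a.values())

def mean_overhead(payload, hist):
    """Average padding bytes per packet (the bandwidth cost)."""
    return sum((s - payload) * c for s, c in hist.items()) / sum(hist.values())

# Constructed payload sizes: a bulk-transfer packet and an unrelated message.
BULK, OTHER = 1050, 1200

if __name__ == "__main__":
    for name, pad in (("random 1-100", pad_random), ("bucket", pad_bucket)):
        bulk, other = wire_sizes(BULK, pad), wire_sizes(OTHER, pad)
        print(f"{name:13} sizes seen for bulk: {min(bulk)}..{max(bulk)}  "
              f"overlap with other: {overlap(bulk, other):.2f}  "
              f"mean overhead: {mean_overhead(BULK, bulk):.1f} B")
```

With these constructed sizes, random padding leaves every bulk packet inside a 100-byte window that the other traffic never enters, while bucket rounding maps both onto one wire size at a higher per-packet overhead.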