On 2016/11/30 16:48, Pete Stevens wrote:
> However, viewing dangerous right wing material leading to overthrow of
> the government in a referendum (e.g. the Telegraph homepage) generated
> 215 ICRs when I just measured it with most web requests generating 50-100
> ICRs per pageview.
Map tiles are fun too.
> (i) That's going to be a lot of data. Invest in disks.
> (ii) You'll need DPI to sniff the SNI destination URL from https
Even though encrypted SNI doesn't seem to be mentioned any more in the
TLS 1.3 discussions, if you're reconnecting to a server and are doing 0-RTT,
the SNI destination could be in the encrypted part of a connection, so at
least in those cases it's going to be hard to figure out how long a
"session" to a certain website has lasted.
> (iii) What do you do for UDP? Do you log every NTP/DNS/VPN packet?
That's going to be a lot of traffic if a botnet is making high-volume
Don't forget traffic from some browsers to some servers is over UDP too
(QUIC). Google use this for "data saver" proxying as well as for their own
> (iv) Imagine SQLSlammer2. How do you log that?
On a huge wall of hard drives stretching the length of the country :-)