On 2016/11/30 16:48, Pete Stevens wrote:
> However, viewing dangerous right wing material leading to overthrow of
> the government in a referendum (e.g. the Telegraph homepage) generated
> 215 ICRs when I just measured it with most web requests generating 50-100
> ICRs per pageview.

Map tiles are fun too.

> (i) That's going to be a lot of data. Invest in disks.
> (ii) You'll need DPI to sniff the SNI destination URL from https
> connections.

Even though encrypted SNI doesn't seem to be mentioned any more in the
TLS 1.3 discussions, if you're reconnecting to a server and are doing 0-RTT,
the SNI destination could be in the encrypted part of a connection, so at
least in those cases it's going to be hard to figure out how long a
"session" to a certain website has lasted.

> (iii) What do you do for UDP? Do you log every NTP/DNS/VPN packet?

That's going to be a lot of traffic if a botnet is making high-volume
DNS/NTP requests.

Don't forget traffic from some browsers to some servers is over UDP too
(QUIC). Google use this for "data saver" proxying as well as for their own
hosted services.

> (iv) Imagine SQLSlammer2. How do you log that?

On a huge wall of hard drives stretching the length of the country :-)
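Added example for the "DPI to sniff the SNI" point above (written for this page, not code from either poster): a minimal parser that pulls the server_name out of a cleartext TLS ClientHello and tallies distinct destinations across a batch of captured records, reporting "(no SNI)" whenever the extension is absent, which is the case an interceptor is left with when the name is not in the clear. The ClientHello bytes are constructed by build_client_hello rather than captured; the hostnames in the usage are sample values chosen for illustration, and the extra supported_versions extension is there only so the parser has to skip past something.

```python
import struct

HANDSHAKE = 0x16          # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # server_name extension (RFC 6066)
EXT_SUPPORTED_VERSIONS = 0x002b


def build_client_hello(sni=None, random_bytes=b"\x00" * 32):
    """Build a minimal ClientHello record as constructed test input.
    sni=None yields a ClientHello that carries no server_name extension."""
    # an unrelated extension first, so extract_sni must skip over it
    extensions = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 3) + b"\x02\x03\x04"
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                  # legacy client_version
        + random_bytes                               # 32-byte random
        + b"\x00"                                    # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
        + b"\x01\x00"                                # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a cleartext ClientHello record, or None when the
    record is not a ClientHello, is truncated, or carries no server_name extension."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                                  # truncated handshake
    pos = 2 + 32                                     # skip version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                             # skip session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                             # skip compression_methods
    if pos + 2 > len(body):
        return None                                  # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != EXT_SERVER_NAME or len(edata) < 5:
            continue
        p = 2                                        # skip server_name_list length
        while p + 3 <= len(edata):
            ntype = edata[p]
            nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
            p += 3
            if ntype == 0:
                return edata[p:p + nlen].decode("ascii", "replace")
            p += nlen
    return None


def count_destinations(records):
    """Tally distinct SNI destinations over captured ClientHellos; records with
    no visible server_name are counted under '(no SNI)'."""
    tally = {}
    for rec in records:
        key = extract_sni(rec) or "(no SNI)"
        tally[key] = tally.get(key, 0) + 1
    return tally


if __name__ == "__main__":
    # sample hostnames chosen for illustration, not captured traffic
    sample = [build_client_hello("www.telegraph.co.uk"),
              build_client_hello("www.telegraph.co.uk"),
              build_client_hello("tiles.example.net"),
              build_client_hello(None)]
    print(count_destinations(sample))
```

The parser walks the ClientHello field by field with a bounds check before each read, so a truncated or malformed record returns None instead of raising. Anything that is not a cleartext ClientHello with a server_name extension lands in the "(no SNI)" bucket, which is the gap the thread is pointing at: an interceptor that relies on SNI has nothing to log for those flows beyond the destination IP.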

