[tor-relays] clarification on what Utah State University exit relays store ("360 gigs of log files")

Mike Perry mikeperry at torproject.org
Sat Aug 22 05:09:40 UTC 2015

> On Fri, Aug 21, 2015 at 12:30 AM, Mike Perry <mikeperry at torproject.org> wrote:
> > I submitted a proposal to tor-dev describing a simple defense against
> > this default configuration:
> > https://lists.torproject.org/pipermail/tor-dev/2015-August/009326.html
> nProbe should be added to the router list, it's a very popular
> opensource IPFIX / netflow tap.
> http://www.ntop.org/products/netflow/nprobe/

While ntop is FLOSS, nProbe itself seems to be closed source. There's a
FAQ on the page about it.

As such, I was only able to discover that its default inactive/idle
timeout is 30s. I couldn't find a range.

> For those into researching other flow capabilities...
> There are also some probes in OS kernels and
> some other opensource taps, they're not as well known
> or utilized as nProbe.
> Other large hardware vendors include Brocade, Avaya,
> Huawei, and Alcatel-Lucent.

Out of all of these, I was only able to find info on Alcatel-Lucent. It
uses cflowd, which appears to be a common subcomponent. Its timeout
ranges are the same as Cisco IOS.

What I really need now is any examples of common routers that have a
default inactive/idle timeout below 10s, or allow you to set it below
10s. So far I have not found any.

> Lots of SDN and monitoring projects can plug in
> with gear like this, because, FTW...
> http://telesoft-technologies.com/technologies/mpac-ip-7200-dual-100g-ethernet-accelerator-card
> http://www.hitechglobal.com/IPCores/100GigEthernet-MAC-PCS.htm
> http://www.napatech.com/sites/default/files/dn-0820_nt100e3-1-ptp_data_sheet_3.pdf
> https://www.cesnet.cz/wp-content/uploads/2015/01/hanic-100g.pdf
> http://www.ndsl.kaist.edu/~kyoungsoo/papers/2010-lanman-100Gbps.pdf
> http://info.iet.unipi.it/~luigi/netmap/

I think these devices are wandering into the "adversarial admin"
territory (see section 3 of the proposal). I want to focus on the case
where the adversary demands/sniffs/exploits routers likely to be
installed in most networks.

Mike Perry