[tor-relays] clarification on what Utah State University exit relays store ("360 gigs of log files")
Tim Sammut
tim at teamsammut.com
Wed Sep 2 21:03:36 UTC 2015
Hi Mike.
On 08/21/2015 05:30 AM, Mike Perry wrote:
> Anyone with netflow experience should feel free to chime in there (or
> here if you are not subscribed to tor-dev), but please be mindful of the
> adversarial considerations in section 3 (unless you believe that
> adversary model to be invalid, but please explain why).
I have some experience with netflow from $previousGig, and only had two
potentially relevant thoughts when looking at your proposal.
- It is common practice to set the active timeout to 1 min in SPs in
order to speed detection of attacks with Arbor and similar tools.
- Cisco IOS (and likely other platforms) will immediately export flows
if the cache fills to capacity. This will result in flows being
exported in less than the inactive timeout, and my understanding is that
this is a common occurrence.
I hope this helps.
hope you are well
tim
--
Tim Sammut ~ @t1msammut ~ tim at teamsammut.com
Ford-Mozilla Fellow at Amnesty International
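
Added illustration (not part of the message above or of the proposal it discusses): a toy Python model of a flow cache showing the two behaviours described, a 1 min active timeout splitting a long-lived flow into per-minute records, and a full cache exporting a flow before its inactive timeout. The function name, the 15 s inactive timeout, the eviction policy and the packet data are assumptions made for the example.

```python
# Added illustration: toy model of a NetFlow-style flow cache (not router code).
# Assumptions: timers are checked only when a packet arrives, and a full cache
# evicts the least recently updated entry; real platforms differ in both.

def simulate_flow_cache(packets, active_timeout=60, inactive_timeout=15,
                        cache_size=2):
    """packets: time-sorted (second, flow_key, nbytes) tuples.
    Returns exported records: (flow_key, first, last, nbytes, reason)."""
    cache = {}      # flow_key -> [first_seen, last_seen, nbytes]
    exported = []

    def export(key, reason):
        first, last, nbytes = cache.pop(key)
        exported.append((key, first, last, nbytes, reason))

    for now, key, nbytes in packets:
        # Age out existing entries before accounting for the new packet.
        for k, (first, last, _) in list(cache.items()):
            if now - last >= inactive_timeout:
                export(k, "inactive")
            elif now - first >= active_timeout:
                export(k, "active")
        if key not in cache:
            if len(cache) >= cache_size:
                # Cache at capacity: export an entry immediately to make room.
                victim = min(cache, key=lambda k: cache[k][1])
                export(victim, "cache-full")
            cache[key] = [now, now, 0]
        cache[key][1] = now
        cache[key][2] += nbytes
    for k in list(cache):
        export(k, "end-of-capture")
    return exported

# Constructed input: one flow sending 500 bytes every 10 s for 130 s.
LONG_FLOW = [(t, "A", 500) for t in range(0, 131, 10)]
# Constructed input: three new flows within 2 s against a 2-entry cache.
BURST = [(0, "A", 100), (1, "B", 100), (2, "C", 100)]

if __name__ == "__main__":
    for rec in simulate_flow_cache(LONG_FLOW, cache_size=10):
        print("long flow:", rec)
    for rec in simulate_flow_cache(BURST, cache_size=2):
        print("burst:    ", rec)
```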