[liberationtech] Blocking TCP flows?

Julian Oliver julian at julianoliver.com
Sat Jun 15 01:37:14 PDT 2013


Wow. http://telex.cc is really super. Congrats to Eric and co.

As far as blocking TCP flows, a couple of good NICs (plenty of mem) on a Linux
host, iptables and some ToS is how I'd approach it. You definitely don't want to
be doing it in software, at the application layer. The kernel is closest to the
metal and so iptables would be the way to go, IMO. You can use the '-m string
--string $STRING' feature to match a string in unencrypted traffic and then
drop/accept them with a given rule. 

Cheers,

Julian

..on Sat, Jun 15, 2013 at 08:35:55AM +0200, Eugen Leitl wrote:
> ----- Forwarded message from Phil Fagan <philfagan at gmail.com> -----
> 
> Date: Fri, 14 Jun 2013 13:34:16 -0600
> From: Phil Fagan <philfagan at gmail.com>
> To: Eric Wustrow <ewust at umich.edu>
> Cc: NANOG list <nanog at nanog.org>
> Subject: Re: Blocking TCP flows?
> 
> I think we just discussed this over in the huawei list ;-)
> 
> This is pretty awesome!
> 
> 
> On Fri, Jun 14, 2013 at 12:30 PM, Eric Wustrow <ewust at umich.edu> wrote:
> 
> > Oddly enough, anticensorship. We use similar technology as the censors
> > (DPI, flow blocking), but use our system in a non-censoring country's ISP
> > to detect secret tags in connections from censored countries, and serve as
> > a proxy for them. Once we detect a flow with a secret tag passing through
> > the ISP, we block the real flow, and start spoofing half of the connection.
> > We use this covert channel to communicate to the client and act as a proxy.
> > To the censor, this looks like a normal connection to some innocuous,
> > unrelated (and unblocked) website. The obvious difficulty is convincing
> > ISPs to deploy such a proxy. More details can be found at
> > https://telex.cc/
> >
> >
> >
> > On Fri, Jun 14, 2013 at 3:15 AM, Dobbins, Roland <rdobbins at arbor.net>
> > wrote:
> >
> > >
> > > On Jun 14, 2013, at 2:32 AM, Eric Wustrow wrote:
> > >
> > > > I'm looking for a way to block individual TCP flows (5-tuple) on a 1-10
> > > > gbps link, with new blocked flows being dropped within a millisecond or
> > > > so of being added.
> > >
> > > What's the actual application for this mechanism?
> > >
> > > -----------------------------------------------------------------------
> > > Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
> > >
> > >           Luck is the residue of opportunity and design.
> > >
> > >                        -- John Milton
> > >
> > >
> > >
> >
> 
> 
> 
> -- 
> Phil Fagan
> Denver, CO
> 970-480-7618
> 
> ----- End forwarded message -----
> -- 
> Eugen* Leitl leitl http://leitl.org
> ______________________________________________________________
> ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
> AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
> --
> Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech

-- 
Julian Oliver
http://julianoliver.com
http://criticalengineering.org
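The reply above sketches the netfilter approach: a Linux host, iptables rules keyed on the flow, and the `-m string` match for unencrypted payload. The script below is an added example for this thread, not code from the original post or from the Telex project. It validates a 5-tuple, emits the exact `iptables`/`ip6tables` rule that would drop that flow, and optionally attaches the `-m string` payload condition; the `parse_flow` notation, the `FlowSpec` type and the set name `blocked_flows` are the editor's own assumptions. Because the original question asks for flows to be dropped within a millisecond of being added, it also generates the `ipset` variant, where a single iptables rule references a hash set and individual flows are added or removed with `ipset add`/`ipset del` instead of rewriting the chain. The commands are only generated, never executed, so the block runs without root.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample flow for the usage call at the bottom (RFC 5737 test address).
SAMPLE_FLOW_TEXT = "tcp 10.0.0.1:1234 -> 192.0.2.10:80"


@dataclass(frozen=True)
class FlowSpec:
    """One 5-tuple: protocol, source ip/port, destination ip/port (assumed type)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def validate(self) -> None:
        if self.proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {self.proto!r}")
        src = ipaddress.ip_address(self.src)
        dst = ipaddress.ip_address(self.dst)
        if src.version != dst.version:
            raise ValueError("source and destination address families differ")
        for port in (self.sport, self.dport):
            if not 1 <= port <= 65535:
                raise ValueError(f"port {port} out of range")

    @property
    def tool(self) -> str:
        # IPv6 flows need ip6tables; the rule syntax used below is otherwise identical.
        return "ip6tables" if ipaddress.ip_address(self.src).version == 6 else "iptables"


def parse_flow(text: str) -> FlowSpec:
    """Parse 'tcp 10.0.0.1:1234 -> 192.0.2.10:80' or 'tcp [2001:db8::1]:40000 -> [2001:db8::2]:443'.

    This notation is the editor's own convention, not a standard format.
    """
    proto, rest = text.split(None, 1)
    left, right = (part.strip() for part in rest.split("->", 1))
    src, sport = left.rsplit(":", 1)
    dst, dport = right.rsplit(":", 1)
    flow = FlowSpec(proto.lower(), src.strip("[]"), int(sport), dst.strip("[]"), int(dport))
    flow.validate()
    return flow


def iptables_drop_rule(flow: FlowSpec, chain: str = "FORWARD",
                       match_string: Optional[str] = None) -> str:
    """Return the iptables command that drops exactly this 5-tuple.

    With match_string set, the packet must also carry that string in its payload
    (-m string, Boyer-Moore search).  The match is per packet: it cannot see a
    string split across two segments, and it sees nothing once the payload is
    encrypted, which is exactly why the reply limits it to unencrypted traffic.
    """
    flow.validate()
    argv = [flow.tool, "-A", chain,
            "-p", flow.proto,
            "-s", flow.src, "--sport", str(flow.sport),
            "-d", flow.dst, "--dport", str(flow.dport)]
    if match_string is not None:
        argv += ["-m", "string", "--algo", "bm", "--string", match_string]
    argv += ["-j", "DROP"]
    return shlex.join(argv)


def ipset_commands(flow: FlowSpec, setname: str = "blocked_flows",
                   chain: str = "FORWARD") -> List[str]:
    """Return [create set, add flow, reference set] so per-flow updates never touch the chain.

    hash:ip,port,ip keys on source ip, proto:source port and destination ip, so the
    set covers four of the five tuple fields; the destination port is not part of
    the key.  Appending thousands of -A rules instead makes every packet walk a
    linear chain, which is what the set-based lookup avoids.
    """
    flow.validate()
    family = "inet6" if flow.tool == "ip6tables" else "inet"
    return [
        shlex.join(["ipset", "create", setname, "hash:ip,port,ip", "family", family]),
        shlex.join(["ipset", "add", setname, f"{flow.src},{flow.proto}:{flow.sport},{flow.dst}"]),
        shlex.join([flow.tool, "-A", chain, "-m", "set", "--match-set", setname,
                    "src,src,dst", "-j", "DROP"]),
    ]


if __name__ == "__main__":
    sample = parse_flow(SAMPLE_FLOW_TEXT)
    print(iptables_drop_rule(sample))
    print(iptables_drop_rule(sample, match_string="GET /"))
    print("\n".join(ipset_commands(sample)))
```

The plain `-A` rule is fine for a handful of flows; for the rate in the original question the set-based form is the one to keep, since `ipset add`/`ipset del` take effect immediately without reloading the chain, and the one referencing rule stays in place.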
