grarpamp:
On Fri, Aug 21, 2015 at 12:30 AM, Mike Perry mikeperry@torproject.org wrote:
I submitted a proposal to tor-dev describing a simple defense against this default configuration: https://lists.torproject.org/pipermail/tor-dev/2015-August/009326.html
nProbe should be added to the router list, it's a very popular opensource IPFIX / netflow tap. http://www.ntop.org/products/netflow/nprobe/
While ntop is FLOSS, nProbe itself seems to be closed source. There's a FAQ on the page about it.
As such, I was only able to discover that its default inactive/idle timeout is 30s. I couldn't find a range.
For those into researching other flow capabilities... There are also some probes in OS kernels and some other opensource taps, they're not as well known or utilized as nProbe. Other large hardware vendors include Brocade, Avaya, Huawei, and Alcatel-Lucent.
Out of all of these, I was only able to find info on Alcatel-Lucent. It uses cflowd, which appears to be a common subcomponent. Its timeout ranges are the same as Cisco IOS.
What I really need now are any examples of common routers that have a default inactive/idle timeout below 10s, or allow you to set it below 10s. So far I have not found any.
Lots of SDN and monitoring projects can plug in with gear like this, because, FTW...
http://telesoft-technologies.com/technologies/mpac-ip-7200-dual-100g-etherne...
http://www.hitechglobal.com/IPCores/100GigEthernet-MAC-PCS.htm
http://www.napatech.com/sites/default/files/dn-0820_nt100e3-1-ptp_data_sheet...
https://www.cesnet.cz/wp-content/uploads/2015/01/hanic-100g.pdf
http://www.ndsl.kaist.edu/~kyoungsoo/papers/2010-lanman-100Gbps.pdf
http://info.iet.unipi.it/~luigi/netmap/
I think these devices are wandering into the "adversarial admin" territory (see section 3 of the proposal). I want to focus on the case where the adversary demands/sniffs/exploits routers likely to be installed in most networks.