On Fri, Jun 14, 2013 at 1:51 PM, <Valdis.Kletnieks@vt.edu> wrote:
On Fri, 14 Jun 2013 13:21:09 -0400, Scott Helms said:
How? There is truly not that much room in the IP packet to play games and if you're modifying all your traffic this would again be pretty easy to spot. Again, the easiest/cheapest method is that there is a backdoor there already.
Do you actually examine your traffic and drop packets that have non-zeros in reserved fields? (Remember what that did to the deployment of ECN?)
And there's plenty of room if you stick a TCP or IP option header in there. Do you actually check for those too?
When I think something odd is happening or I'm benchmarking new gear from a new vendor, yes I do but the main point is that there is so little benefit for them do this why would they bother?
How fast can you send data to a cooperating router down the way if you splat the low 3 bits of TCP timestamps on a connection routed towards the cooperating router? (SUre, you just busted somebody's RTT calculation, but it will just decide it's a high-jitter path and deal with it).
In $random_deployment they have no idea what the topology is and odd behavior is *always *noticed over time. The amount of time it would take to transmit useful information would nearly guarantees someone noticing and the more successful the exploit was the more chance for discovery there would be.