5/11/2023 Tor vs vpn pl

This is a continuation of Flow Directionality Support: Part 1, which should be read first.

My guess is that a flow collector vendor claiming to determine flow or NetFlow direction makes an educated guess from NetFlow v5 traffic on who initiated the connection, using flow start times (from a single exporter, so the timestamps are relative to one clock), packet counts, and port numbers. The trouble is, finding the true relationship between two hosts is very difficult when you connect through an intermediate node or nodes where traffic is encrypted. For example, take the use of today's peering applications such as Skype and BitTorrent, and the use of tunnels like VPN or Tor. The handshake(s) that happen after the initial connection is established are far more important.

Even if a flow collection vendor could accurately determine flow directionality (which they can't), there are really two cases to look at:

Internal Host A and Internal Host B: In this case, two hosts you control are talking, and it's really a matter of whether or not the communications are authorized. You have both systems to look at, so determining which one is offering the service is relatively trivial and need not involve flow "best-guesswork".

Internal Host A and External Host B: Host A almost certainly initiates the communications, but to what? A web site? A C&C server via Tor, P2P, or VPN? If it's a web site or other common web service, then it's an apparent client/server relationship. However, with "HTTPS everywhere", it's now very difficult to say, because it could be connecting to a VPN and then on to somewhere bad. Directionality as defined by a flow collection vendor doesn't work nearly as well today as it did 10 years ago.

Okay, I took off on a bit of a rant there. Now I'll reel it in a little and start wrapping up this post.

If the value behind determining NetFlow directionality is to figure out "whether a host uploaded or downloaded information", I'm not sure the best strategy is to look at the volume of packets or bytes in either direction. Bad actors could easily upload more data in one direction (i.e. A -> B) when the actual download was in the lower traffic direction (i.e.

Do you think a bad actor would do this to try and mislead security professionals? If you want to monitor for electronic data theft, we have set up the following for several customers:
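To make the two questions above concrete, here is an added example in Python (not from the original post or any vendor's collector): it applies the guessed-initiator heuristic described above (start times, then port numbers) to constructed NetFlow v5-style records, and separately reports which host pushed the bulk of the bytes, so that a normal download, an upload that looks like a download from the byte counts, and a peer-to-peer exchange can be compared. The record layout, the well-known port list and all sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class FlowRecord:
    """One unidirectional NetFlow v5-style record (constructed field subset)."""
    src: str
    dst: str
    sport: int
    dport: int
    first_ms: int   # exporter sysUptime at first packet; both halves from one exporter
    packets: int
    octets: int

WELL_KNOWN_PORTS = {22, 25, 53, 80, 443, 993}   # assumed "server side" ports, not any vendor's

def guess_initiator(fwd: FlowRecord, rev: FlowRecord) -> Tuple[Optional[str], str]:
    """Educated guess at who opened the conversation: start time first, then ports."""
    if fwd.first_ms != rev.first_ms:
        earlier = fwd if fwd.first_ms < rev.first_ms else rev
        return earlier.src, "earlier-start-time"
    for rec in (fwd, rev):
        if rec.dport in WELL_KNOWN_PORTS and rec.sport not in WELL_KNOWN_PORTS:
            return rec.src, "well-known-destination-port"
    return None, "undetermined"   # peer-to-peer or tunnel: no usable evidence

def bulk_sender(fwd: FlowRecord, rev: FlowRecord) -> str:
    """Which host pushed more bytes; this says nothing about who initiated."""
    return fwd.src if fwd.octets >= rev.octets else rev.src

def analyze(fwd: FlowRecord, rev: FlowRecord) -> dict:
    """Answer 'who initiated' and 'who sent the bulk' as two separate questions."""
    initiator, evidence = guess_initiator(fwd, rev)
    sender = bulk_sender(fwd, rev)
    return {"initiator": initiator, "evidence": evidence, "bulk_sender": sender,
            # Worth a look: the initiator (normally the downloading client) is the heavy sender.
            "initiator_uploads_bulk": initiator is not None and initiator == sender}

A, B, P = "10.0.0.5", "203.0.113.7", "198.51.100.9"   # constructed: internal A, external B and P
DOWNLOAD = (FlowRecord(A, B, 51234, 443, 1000, 900, 110_000),
            FlowRecord(B, A, 443, 51234, 1012, 38_000, 52_000_000))
EXFIL = (FlowRecord(A, B, 51235, 443, 2000, 38_000, 52_000_000),
         FlowRecord(B, A, 443, 51235, 2011, 900, 110_000))
P2P = (FlowRecord(A, P, 6881, 52111, 3000, 500, 400_000),
       FlowRecord(P, A, 52111, 6881, 3000, 480, 390_000))

if __name__ == "__main__":
    for name, pair in (("download", DOWNLOAD), ("exfil", EXFIL), ("p2p", P2P)):
        print(name, analyze(*pair))
```

The download and exfil pairs get the same initiator from the start-time rule; only the separate bulk-sender question tells them apart, and the peer-to-peer pair yields no initiator at all.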