Did anyone already think about how to analyze MPTCP with Argus?

Carter Bullard carter at qosient.com
Thu Jul 31 10:00:15 EDT 2014


Hey Sebas,
Argus will report the existence of all the TCP connections that
exist, but it will not indicate that MPTCP TCPs are related.

Argus will report the use of the TCP option that is used to
negotiate MPTCP, so you’ll know that the TCPs are using MPTCP
(TCP option kind 30), but you won’t know which ones are
bound to which.

So MPTCP doesn’t break Argus.

The Argus user data buffers between all the related TCPs will
reveal the “stripping” effect that MPTCP generates, so you
will be able to figure it out, if you’re capturing user data.

Carter
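
The binding Carter says Argus does not make can be recovered from the option contents themselves. The following is an added example written for this page, not Argus code and not something from the thread: it parses the TCP options field, flags option kind 30 the way Argus does, and then ties MP_JOIN subflows to their MP_CAPABLE connection using the MPTCP v0 rule (RFC 6824, the version current in 2014) that a subflow's SYN carries the peer's token, the most significant 32 bits of SHA-1 over the peer's 64-bit key. The packets, keys, addresses and nonce are constructed for the example; the v1 format (RFC 8684), where the SYN carries no key, is not handled.

```python
"""Bind MPTCP subflows to their initial connection from TCP options alone (MPTCP v0, RFC 6824).

Added example, not Argus code.  Argus records that a segment carried option kind 30;
this goes one step further and uses token = SHA-1(key)[:4] to join MP_JOIN subflows
to the MP_CAPABLE connection they belong to.
"""
import hashlib
import struct

MPTCP_KIND = 30   # TCP option kind shared by all MPTCP signalling
MP_CAPABLE = 0    # subtype: new MPTCP connection, SYN and SYN/ACK each carry a 64-bit key
MP_JOIN = 1       # subtype: new subflow, its SYN carries the 32-bit token of the peer's key


def parse_tcp_options(opts):
    """Return [(kind, data)] for a raw TCP options field, honouring EOL, NOP and length bounds."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of option list
            break
        if kind == 1:          # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = opts[i + 1]
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out


def uses_mptcp(opts):
    """The check Argus itself makes: did this segment carry option kind 30?"""
    return any(kind == MPTCP_KIND for kind, _ in parse_tcp_options(opts))


def token_from_key(key):
    """MPTCP v0 token: most significant 32 bits of SHA-1 over the 64-bit key (RFC 6824 3.2)."""
    return struct.unpack("!I", hashlib.sha1(key).digest()[:4])[0]


def mp_capable_opt(key, version=0):
    """MP_CAPABLE as sent in a SYN or SYN/ACK: kind, length 12, subtype|version, flags, key."""
    # flags 0x81: A (checksum required) and H (HMAC-SHA1) set
    return bytes([MPTCP_KIND, 12, (MP_CAPABLE << 4) | version, 0x81]) + key


def mp_join_syn_opt(token, nonce, addr_id=1, backup=0):
    """MP_JOIN as sent in a subflow SYN: kind, length 12, subtype|B, address ID, token, nonce."""
    return bytes([MPTCP_KIND, 12, (MP_JOIN << 4) | (backup & 1), addr_id]) + struct.pack("!II", token, nonce)


def reverse(flow):
    src, sport, dst, dport = flow
    return (dst, dport, src, sport)


def correlate(packets):
    """packets: iterable of (flow, syn, ack, tcp_options) with flow = (src, sport, dst, dport).

    Returns {subflow: master_flow}; master flows are keyed in client->server direction."""
    tokens = {}   # token -> master flow whose endpoint owns the key
    bound = {}
    for flow, syn, ack, opts in packets:
        for kind, data in parse_tcp_options(opts):
            if kind != MPTCP_KIND or not data:
                continue
            subtype = data[0] >> 4
            if subtype == MP_CAPABLE and syn and len(data) == 10:
                # SYN carries the client's key, SYN/ACK the server's; record both tokens
                master = reverse(flow) if ack else flow
                tokens[token_from_key(data[2:10])] = master
            elif subtype == MP_JOIN and syn and not ack and len(data) == 10:
                token = struct.unpack("!I", data[2:6])[0]
                if token in tokens:
                    bound[flow] = tokens[token]
    return bound


# Constructed sample traffic for the example, not a real capture.
KEY_A = bytes(range(1, 9))                       # client's key
KEY_B = bytes(range(9, 17))                      # server's key
FLOW_A = ("10.0.0.2", 40000, "192.0.2.1", 80)    # initial subflow
FLOW_B = ("10.0.0.3", 40001, "192.0.2.1", 80)    # same client, second interface
FLOW_C = ("10.0.0.4", 40002, "192.0.2.1", 80)    # unrelated plain TCP
SAMPLE_PACKETS = [
    (FLOW_A, True, False, b"\x02\x04\x05\xb4" + mp_capable_opt(KEY_A)),         # SYN: MSS + MP_CAPABLE
    (reverse(FLOW_A), True, True, b"\x01\x01" + mp_capable_opt(KEY_B)),         # SYN/ACK, NOP padded
    (FLOW_B, True, False, mp_join_syn_opt(token_from_key(KEY_B), 0xDEADBEEF)),  # MP_JOIN SYN
    (FLOW_C, True, False, b"\x02\x04\x05\xb4"),                                 # MSS only
]

if __name__ == "__main__":
    for flow, _, _, opts in SAMPLE_PACKETS:
        print(flow, "MPTCP" if uses_mptcp(opts) else "plain")
    print(correlate(SAMPLE_PACKETS))
```

Only SYNs need to be inspected, so the same logic works on Argus flow records as long as the option bytes of the first packet in each direction are retained; without them you are back to the user-data striping Carter describes.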


On Jul 31, 2014, at 9:31 AM, el draco <eldraco at gmail.com> wrote:

> Hi list.
> Reading about next weekend's BlackHat talk about MultiPath TCP protocols
> breaking traffic inspection and trust models, I started wondering if
> any of you thought about how Argus would deal with this.
> 
> I don't have any implementation yet, so I cannot try it. There should
> be a way to detect that MPTCP is at least being used, right? If you
> cannot see the other 'new' flows... maybe you can detect that the
> protocol seems to be broken but is not retransmitting? I'm imagining
> some type of anomaly detection algorithm may be able to catch this.
> 
> http://labs.neohapsis.com/2014/07/29/multipath-tcp-blackhat-briefings-teaser/
> 
> 
> See you
> sebas
> 
