Aug 12

"Network packets" is a technical term from internetworking; however, the term now shows up in conflicts between nations with increasing frequency.

Recently, noise about cyber attacks has appeared during the Georgia war. Russian hackers are launching a large-scale DDoS attack against the Georgian government web sites. The result is much more significant than the real war: the Georgian government has had to seek asylum by moving its web hosting abroad at once. Personally, I hope this is not the final outcome for the current Georgian government in reality.

Launching a packet cyber war is quite simple, so an inconspicuous citizen may launch a very large attack on a country-wide target. The technique usually used is DDoS, which means flooding the victim with a lot of packets from many machines. The machines sending the packets are usually zombies: they have been hacked and are remotely controlled to do whatever they are commanded to.

It is not easy to stop war-packets on the Internet, as they hide among the billions of normal packets sent every minute. A few companies provide solutions to observe the war by monitoring anomalous traffic across Internet borders. Maybe the UN should employ more packet-war observers to keep the peace in cyberspace.
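As an added illustration (not code from this post or from any vendor mentioned), here is a small Python detector for the many-zombies flood pattern described above, run over constructed flow records: it buckets traffic into fixed time windows and flags a destination that suddenly receives a high packet rate from an unusually large number of distinct sources.

```python
from collections import defaultdict

# Constructed flow records for this example (not data from the post):
# (second, src_ip, dst_ip, packets). The first rows are ordinary traffic;
# build_flood() adds a burst from 150 distinct sources, the many-zombies
# pattern a DDoS produces.
BASELINE = [
    (0, "10.0.0.1", "203.0.113.10", 3),
    (1, "10.0.0.2", "203.0.113.10", 2),
    (2, "10.0.0.3", "203.0.113.20", 5),
    (7, "10.0.0.1", "203.0.113.10", 4),
]

def build_flood(start=10, sources=150, pkts_each=100):
    """Synthetic flood: each zombie sends pkts_each packets within 5 seconds."""
    return [(start + i % 5, "198.51.100.%d" % (i + 1), "203.0.113.10", pkts_each)
            for i in range(sources)]

def flood_alerts(flows, window=5, min_sources=100, min_pps=2000):
    """Bucket flows into fixed windows and flag any destination that receives
    a high packet rate from an unusually large number of distinct sources.
    Returns a sorted list of (window_start, dst_ip, distinct_sources, pps)."""
    buckets = defaultdict(lambda: defaultdict(lambda: [set(), 0]))
    for sec, src, dst, pkts in flows:
        entry = buckets[sec - sec % window][dst]
        entry[0].add(src)
        entry[1] += pkts
    alerts = []
    for start in sorted(buckets):
        for dst, (srcs, pkts) in sorted(buckets[start].items()):
            pps = pkts / window
            if len(srcs) >= min_sources and pps >= min_pps:
                alerts.append((start, dst, len(srcs), pps))
    return alerts

def demo():
    """Run the detector over baseline traffic plus the synthetic flood."""
    return flood_alerts(BASELINE + build_flood())

if __name__ == "__main__":
    for start, dst, n, pps in demo():
        print("t=%ds dst=%s sources=%d pps=%.0f" % (start, dst, n, pps))
```

The thresholds are placeholders; in practice they are tuned per link from a learned baseline, and a single busy web server with many real clients will look similar unless the source count is compared against its normal value.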

Aug 08

In a few hours, the Beijing Olympic Games will begin. To be clear about the topic, this post is not about package delivery by UPS or FedEx for the Olympics. I am always focusing on network packets, this time in connection with the Beijing Olympics.

Led by the communist party, China is famous for its clampdowns. Monitoring and control of communications moved from phone lines to the Internet quite a few years ago. Some unknown wit coined the term "Great Firewall" to describe the technology and practices the Chinese government uses to control and monitor people's speech and media publishing over the Internet.

What is the Great Firewall (GFW)? The description on Wikipedia is not exact. There, the GFW is mixed up with the Golden Shield Project, a public Internet security project announced and led by the Public Security agency. Actually the GFW is managed by another, independent department that reports directly to the central government and covers Internet virus/worm detection as well as censorship of text, pictures and video on the Internet.

What does the GFW do? Simply put, if you travel to China and try to browse international web sites with sensitive content, the GFW will actively block your traffic. What is sensitive? It varies: anti-government reports, rumors about political leaders, sex tapes and so on. What is really interesting is that Google has become the biggest victim besides the Chinese people. Searching for many sensitive keywords from China will immediately cause Google to be blocked for a few minutes. That is one of the major reasons Google failed, or let's say was not so successful, in China when competing with local search providers.

How is the GFW implemented? According to a trusted source, the GFW has already scaled up to more than 100,000 computers. These computers work in parallel to analyze Internet traffic leaving China. The censorship analysis focuses on Web and email, and is now moving to video monitoring, as many people have reported YouTube (Google again) becoming unavailable in many locations in China. The mechanism behind the blocking is actually to send forged TCP RST packets to the victim IP to interrupt the connection. This works just like an IDS, so technically the GFW should be called the Great IDS (GIDS). A recent technical analysis of the GFW suggests that it has adopted more techniques, including DNS fraud and/or manually updated ACLs (access control lists) on Internet border routers.
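As an added illustration (not code from this post), here is a small Python detector for the forged-RST behaviour described above, run over a constructed capture: it learns each endpoint's IP TTL from its ordinary packets and flags resets whose TTL disagrees, a well-known heuristic for spotting resets injected by an in-path device rather than sent by the real peer.

```python
from collections import namedtuple

# One packet as a detector sees it after decoding the IP and TCP headers.
Pkt = namedtuple("Pkt", "src dst sport dport ttl flags seq")

# Constructed capture (not from the post): a client fetches a page, then two
# RSTs claiming to come from the server arrive with a TTL that does not match
# the server's real packets. Later the server sends a genuine RST.
CAPTURE = [
    Pkt("192.0.2.10", "198.51.100.5", 40000, 80, 64, "S", 1000),
    Pkt("198.51.100.5", "192.0.2.10", 80, 40000, 51, "SA", 5000),
    Pkt("192.0.2.10", "198.51.100.5", 40000, 80, 64, "A", 1001),
    Pkt("192.0.2.10", "198.51.100.5", 40000, 80, 64, "PA", 1001),  # request
    Pkt("198.51.100.5", "192.0.2.10", 80, 40000, 120, "R", 5001),  # forged
    Pkt("198.51.100.5", "192.0.2.10", 80, 40000, 120, "R", 5001),  # forged copy
    Pkt("198.51.100.5", "192.0.2.10", 80, 40000, 51, "PA", 5001),  # real reply
    Pkt("198.51.100.5", "192.0.2.10", 80, 40000, 51, "R", 5400),   # genuine RST
    Pkt("203.0.113.9", "192.0.2.10", 443, 40001, 60, "R", 1),      # no state
]

def find_suspect_resets(packets, ttl_tolerance=2):
    """Flag RST segments whose IP TTL does not match the TTL learned from
    earlier non-RST packets of the same sender on the same connection. A
    reset forged by a middlebox on the path starts from a different hop
    distance, so its TTL usually differs from the real endpoint's.
    Returns a list of (packet_index, reason)."""
    learned = {}   # (src, dst, sport, dport) -> TTL seen on ordinary traffic
    suspects = []
    for i, p in enumerate(packets):
        key = (p.src, p.dst, p.sport, p.dport)
        if "R" not in p.flags:
            learned.setdefault(key, p.ttl)
            continue
        if key not in learned:
            suspects.append((i, "RST with no prior traffic from this sender"))
        elif abs(learned[key] - p.ttl) > ttl_tolerance:
            suspects.append((i, "RST TTL %d differs from learned TTL %d"
                             % (p.ttl, learned[key])))
    return suspects

def demo():
    """Run the detector over the constructed capture."""
    return find_suspect_resets(CAPTURE)

if __name__ == "__main__":
    for idx, why in demo():
        print("packet %d: %s" % (idx, why))
```

TTL can shift legitimately when routes change, and an injector could copy the peer's TTL, so treat a mismatch as a hint to correlate with other signs such as duplicate RSTs and real data that keeps arriving after the reset (packet 6 above).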

The architecture of the GFW is reported to consist of many specially designed Cisco/Juniper monitoring appliances that forward the traffic, and server computers running AMD/Intel CPUs that parse the packet payloads inside it. Yes, quite a few US vendors are involved in this infrastructure. States always provide weapons to help tyrants, then claim to protect the rights of the victims years later.

The Beijing Olympic Games change a lot in the censorship policy of the GFW. The Chinese government was reported to have committed to unblocking most traffic during the Olympic Games. During the Olympics, it may be another Internet surfing game for Chinese people, learning how the world has changed during this time window. This change was mainly triggered by numerous complaints from international travelers coming to China for the Olympics; besides donations to quake-afflicted people and adoption of Chinese orphans, maybe the complaints will help the Chinese people get a better life too.

Jul 25

The iPhone 2.0 firmware came out around 2 weeks ago. It was good news for all Apple fans. Well, after the Dev Team released the unlock tool for the iPhone, it became good news for packet fans too.

Having applied PwnageTool, you can install many applications that can never be seen in the Apple iTunes store. The applications include:
tcpdump - a famous packet capture tool
ngrep - a packet payload search tool
nmap - an excellent network scanning tool
And many more

The iPhone hacker team also ships libpcap, the de facto packet capture library, on the iPhone. This is really amazing: it simply turns the iPhone into a network packet processor over the WiFi interface.

So you must realize that a young guy with an iPhone standing beside you might be a hacker equipped with a handheld sniffer and scanner. Hackers anywhere :)

Jul 23

As you may know, Snort, the most famous open source IDS (Intrusion Detection System), is now promoting Snort 3.0. The new release is currently still in beta. However, judging from the design and the description posted, the open source giant intends to become a complete platform for all packet-based software.

Snort 3.0 emphasizes lower-level native support for IPv6, MPLS and GRE. This gives carrier users a chance to put Snort into the newest wired and wireless data networks. To be a platform, this is necessary.

Inline Snort was previously an independent project; now the inline feature is integrated into Snort 3.0 as a standard offering. The multi-threaded, subsystem-based architecture shows the ambition to let plugins or components from third parties be ported easily.

So Snort 3.0 is actually called SnortSP 3.0, which means Snort Security Platform.

As Linux unified the core of many operating system distributions, can SnortSP 3.0 unify the core of security systems?

Keep walking…