netflow in the core used for surveillance

used to get dissidents, activists, and journos killed

at&t, comcast, ... zayo, please tell us you do not do this.


I would go on the assumption they do (or allow others to), always have and always will. And if not this way, they will find other ways such as one infamous example-

You know they do.

How Data Brokers Sell Access to the Backbone of the Internet

at&t, comcast, ... zayo, please tell us you do not do this.

You know they do.

No, you don't know that.

The above all certainly collect this info. Not all sell it to anyone who

You don't know that I don't know that.

Matt Harris​

Infrastructure Lead



Looking for help?


Email Support

We build customized end‑to‑end technology solutions powered by NetFire Cloud.

You don’t know that I don’t know that.

some probably do? you don’t know which though?

I think, though, that part of the problem the article does not point out is:

  1. I run a network
  2. I need (for reasons) netflow data and analysis
  3. I can’t do that my self
  4. several companies put hands up:
    “I can do that for you, costs $X/month and I have a nice dashboard! with graphs!”

ok, so I bought that… and for another slice of product the company providing ALSO
provides ‘threat intelligence’ or other things, based on my netflow and yours and hers…

It’s unclear to me that (if done properly) the data shown to me about ‘threats’ (or whatever):
is not a conglomeration of all other customers of (FGP) netflow data…
is not available to internal tools of FGP, and internal users at FGP.
is not being made available from FGP to for money OR for ‘good’.

I don’t think it’s a surprise to anyone that netflow stitched together can reveal a lot about
what’s going on on your network, including: “who uses vpn service X?” or “vpn user X is possibly browsing
site Y” etc…


It is quite possible that some are simply the victim of their own ignorance. I know of an ISP where one of their last-mile hardware vendors was pushing hard to get junior technical staff and senior non-technical staff to agree to share netflow data. When senior technical staff found out, they told the vendor that they would not share the data and to stop. The vendor persisted. After probing to find out what vendor was used in the core & peering parts of the ISP's network, one of the vendor's staff kindly provided netflow configuration to the junior technical staff, along with specific instructions to apply it to their transit/peering ports. The destination of the flows was a server under the complete control of the vendor, not the ISP. This was brought to the attention of senior technical staff and you can guess what happened.

The vendor is not one of the majors, they are still relatively young. I won't share the name on the list.

-- Stephen


We all know many folks send their *flow to someone or somewhere. In exchange for pretty graphs for intelligence. I suspect in many cases this data is then reused in many cases for many purposes. But let’s not overplay the risk here. There would be much easier ways for rogue nations, bad guys/good/in the middle nation to find out about dissidents, activists, and journos than flow data. I think letting any of those people think ToR is safe as being a much bigger risk.


Disclosures for those that don’t know. I’ve never worked with Team Cymru, I do know them fairly well and believe them to be the good guys, I do currently have a relationship with them, I do not currently work for a large SP that sends them data. I have worked A LOT with flow data over the last 20 years, for large SPs, small vendors, and all things in between.

The NY Times did a story within the last couple years showing how easy it was to identify an individual solely from purchasing anonymized data commonly sold by advertisers and the like.

Now take that and be able to pin a person to an IP, and aggregate flow data to find out everything someone does.

used to get dissidents, activists, and journos killed

at&t, comcast, … zayo, please tell us you do not do this.

Im finding this really hard to believe for the "Team Cymru" part at least. Being originally a provider of security centric configuration of network components... IOS ... Juniper etc... and maintaining such a high standard for years that they turn foot and resell/sell data on customer traffic obtained from other networks they themself are a customer of for resale of data. This feels like a hit job on a company that secures more than it insecures by gov't passage.

Not trying to start a flame war here but... what do you do to your most secure threat? (That has financial and influential aspects)...

I'm confused. Quoting from the article:
"In a recent research report on an Israeli spyware vendor called Candiru, Citizen Lab thanked Team Cymru.

Thanks to Team Cymru for providing access to their Pure Signal Recon product. Their tool’s ability to show Internet traffic telemetry from the past three months provided the breakthrough we needed to identify the initial victim from Candiru’s infrastructure," the report reads. Citizen Lab did not respond to multiple requests for comment."

So Team Cymru helped expose themselves as to getting dissidents, activists and journalists killed?

Caveat: The views expressed above are solely my own and do not express the views or opinions of my employer

I guess Cambridge Analytica ain't just for the FaceMash...