Yahoogroups and Carnivore

As of yesterday, the performance of Yahoogroups has
degraded from a couple minutes, to a couple of hours
between posting and distribution. It is rumored that
this is due to Carnivore being installed at major
ISPs throughout the country.

Any insights?

Jay.

A properly installed carnivore should have zero effect on the traffic
passed through it...

joelja

From what I understand of Carnivore (now known as DCS1000) it's a logging
tool more than anything. It doesn't stop anything from going through based
on content, it just logs the content and the Feds come in later and retrieve
their box.

Yahoo could be screening stuff themselves just to cover their backsides.

Or, they could just have a lot of increased traffic due to last week's
terrorism.

Regards,

Larry Diffey

That's just a silly statement, it's a text processor/parser. It's another
layer. Of course it's going to have an effect. On the average person, I would
venture to guess it's overwhelmingly negligible, but it could very well
bottleneck someone like Yahoo.

Regards,

Cristopher Daniluk
President & CEO
email: cris@dsnet.net
direct: 330/530-2373

Digital Services Network, Inc
Unleashing Your Potential
voice: 800/845-4822
web: http://www.dsnet.net/

From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of
Joel Jaeggli
Sent: Monday, September 17, 2001 3:40 PM
To: Jay Fenello
Cc: nanog@merit.edu
Subject: Re: Yahoogroups and Carnivore

A properly installed carnivore should have zero effect on the traffic
passed through it...

joelja

>
> As of yesterday, the performance of Yahoogroups has
> degraded from a couple minutes, to a couple of hours
> between posting and distribution. It is rumored that
> this is due to Carnivore being installed at major
> ISPs throughout the country.
>
> Any insights?
>
> Jay.
>
> +++
>
> Jay Fenello, Internet Coaching
> http://www.Fenello.com ... 678-585-9765
> http://www.YourWebPartner.com ... Web Support
> http://www.AligningWithPurpose.com ... for a Better World
> -----------------------------------------------------------
> "A new civilization is emerging in our lives, and blind men
> everywhere are trying to suppress it." -- Alvin Toffler
>

--
--------------------------------------------------------------------------
Joel Jaeggli

joelja@darkwing.uoregon.edu

Academic User Services

consult@gladstone.uoregon.edu

>That's just a silly statement, it's a text processor/parser. It's another
>layer. Of course it's going to have an effect. On the average person, I would
>venture to guess it's overwhelmingly negligible, but it could very well
>bottleneck someone like Yahoo.

My understanding is that it is not inline; it uses a "monitor port" on a switch which duplicates all traffic.

If that is the case, then it is not a silly statement, it is factually correct.

Can anyone confirm or deny the above?

That's just a silly statement, it's a text processor/parser. It's another
layer. Of course it's going to have an effect. On the average person, I would
venture to guess it's overwhelmingly negligible, but it could very well
bottleneck someone like Yahoo.

you don't really understand how it works...

see the Marcus Thomas FBI presentation on carnivore at nanog-20

http://videolab.uoregon.edu/events/nanog/nanog_20.html

carnivore is a passive not an active data-collector. traffic is replicated
to it rather than passed through it...

joelja


Yahoo could be screening stuff themselves just to cover their backsides.

Or, they could just have a lot of increased traffic due to last week's
terrorism.

I think it is traffic levels. Yahoo group servers are most likely choking
on their own. I am subscribed to 10+ Yahoo groups. Some of
these groups have averaged about 2 posts a week. They are now doing 20 an
day. Groups that were doing 20 posts a day, are doing 20 posts an hour.
Given the thousands of groups they have, and the likelihood that most
groups have seen an increase, they may not be able to handle this type of
load.

Jay,

While I am not a supporter of Carnivore, I did have the...privilege, let's
say, of being served with a court order to install one, several years back.
This was before it was quite public, except amongst the extremely paranoid.
Although it creeps me out in principle (which, BTW, did not seem to bother
the assigned FBI agents at all :), it was designed in a way so that it would
not affect the traffic of the network it was being connected to. And believe
me - I tried very hard to find a good reason not to connect it, as the court
order gave an out, if it would damage or degrade our network. I was unable
to find any way that it would degrade that network, despite my best efforts.
Remember - those utilizing this device feel quite strongly that it should
not be detectable. This follows from the principle that, when bugging a
restaurant filled with Mafioso, a boom mike dropped from the ceiling may be
a dead give-away.

- Daniel Golding

No hard information, just logic. This can't be carnivore, because
carnivore, as I understand it, is passive. And you do realize how many
people aren't behind the 'major' ISPs, right? Those people are going to
see the same lag.

Plus, when the rest of the net isn't suffering, and some part of yahoo is?
Chances are it's yahoo's deal. I'm guessing they installed moderators. It
wouldn't be bad policy to not allow encrypted postings, and how the hell
are you going to autofilter that?

Andy

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills 301-682-9972
Xecunet, LLC www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access

Here is a very good and thorough FAQ about Carnivore

http://www.robertgraham.com/pubs/carnivore-faq.html

You are correct, Patrick. Carnivore is a passive network monitor, and
passive attacks are undetectable. The only way a DCS1000 system would
interrupt your network would be if it were improperly installed. (The FBI
agent unplugs something he shouldn't, or decides to change your network
layout to get everything flowing past his Carnivore box.)

At NANOG 20, the FBI demonstrated Carnivore to the attendees. One of those
attendees was kind enough to write a report and anonymously publish it.

http://cryptome.org/carnivore-demo.htm

It's basically a sniffer with some really nice filtering and
post-processing. By filtering, I mean filtering of the data logged, not of
the data flowing through the network.

--Len.

After reading this FAQ I have a couple questions.

-If the box is running in eth promiscuous mode and using monitor mode
splitters how could it slow down any traffic.. it simply passes by the port
and is recreated?

-In the FAQ they claim there is no IP stack .. so how can it have ip based
filters to let in traffic .. or is this all done with custom software?

-I have not been asked (yet) to put one in place, can someone give a very
brief time line of events and where they were asked to put it on their
network?

-I know this is redundant, but why even do it when PGP and SSH are so
readily available?

thanks for any input

Benny Fischer
Chief Technical Officer
Infinet Internet Services
benny@infinet-is.com
480-394-0647

If they're just capturing raw ethernet, they can disassemble the packets themselves without exposing the machine to "everything-over-IP" vulnerabilities. Surprisingly good design.

Still, I can't see how they can do all the analysis with "post-processing". There's just too much data on a big ISP's net. Does it write to a monstrous tape library? I'd think they'd at least want to do packet reassembly and sequencing in memory, then some filtering, for ease of analysis. That would mean in-line software, which could, of course, be brought down with just the right malformed TCP packet sequence. Unless they have much better-than-average programmers at the FBI. Of course if they're doing any filtering at that level, they'll miss steganographic TCP sequence numbers, etc. (if someone's invented that...)

-Bill
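
As an added illustration (not from any poster on the thread, and not the FBI's code) of the picture Len and Bill sketch above: frames copied from a monitor port are decoded straight from the bytes with no OS IP stack involved, every length field is bounds-checked so a truncated or malformed frame cannot take the collector down, and the "filter" only chooses which records are written down, never touching the traffic itself. The sample frames, addresses and payloads are constructed for the demo.

```python
import struct

ETHERTYPE_IPV4, PROTO_TCP = 0x0800, 6

def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the demo (checksums left zero; the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp

def parse_frame(frame: bytes):
    """Decode headers directly from the bytes, no IP stack. Every length is checked before
    use, so a truncated or malformed frame yields None instead of an exception."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    if ihl < 20 or total_len < ihl or total_len > len(ip) or proto != PROTO_TCP:
        return None
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    if doff < 20 or doff > len(tcp):
        return None
    return (_ip(ip[12:16]), _ip(ip[16:20]), sport, dport, len(tcp) - doff)

def collect(frames, target: str):
    """The 'filter' the thread talks about: it selects which copies get logged.
    The frames are already past the monitor port; nothing here can delay or drop them."""
    return [r for r in map(parse_frame, frames) if r and target in (r[0], r[1])]

# Constructed sample capture: two flows plus one deliberately truncated frame.
SAMPLE = [
    build_frame("10.0.0.5", "192.0.2.10", 40000, 25, b"MAIL FROM:<a@example.net>\r\n"),
    build_frame("10.0.0.9", "192.0.2.10", 40001, 80, b"GET / HTTP/1.0\r\n\r\n"),
    build_frame("10.0.0.5", "192.0.2.10", 40000, 25, b"QUIT\r\n")[:30],
]

if __name__ == "__main__":
    for rec in collect(SAMPLE, "10.0.0.5"):
        print(rec)
```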

Supposedly Carnivore only targets specific kinds of traffic and doesn't
really monitor everything at once. It's not like (again, supposedly)
Echelon that examines everything and then red flags certain items.
Carnivore is only looking for certain things. Also, there is no outside
access to it. Someone has to physically come in and remove the mass media
(whatever that may be: more than likely a hard drive).

My guess is, Carnivore actually sounds a lot more threatening than it is.
Still a violation of civil liberties as far as I'm concerned but its bark
is worse than its bite. Especially since everyone has heard of it and
there are ways around it.

Let's see, I want to send email to someone but I want it to be completely
anonymous. I go to safeweb.com or any other anonymizer and get myself a
hotmail address. I then send it to the recipient with PGP encoded text. He
logs on to hotmail through the anonymizer and retrieves it, decodes it and reads
it. If I was really smart I'd bounce around a couple of other proxies while
I was at it.

Carnivore? Toothless!

Larry Diffey
Technology Forward
I speak for my employer because I speak for myself.

Supposedly Carnivore only targets specific kinds of traffic and doesn't
really monitor everything at once. It's not like (again, supposedly)
Echelon that examines everything and then red flags certain items.

Wrong.

Carnivore is only looking for certain things. Also, there is no outside
access to it. Someone has to physically come in and remove the mass media
(whatever that may be: more than likely a hard drive).

Wrong. See the report I posted and the section in it about dialin and ISDN
access.