On Mon, Dec 30, 2013 at 1:17 PM, Lorell Hathcock <lor...@hathcock.org> wrote:
> NANOG:
>
> Here's the really scary question for me.
>
> Would it be possible for NSA-payload traffic that originates on our private
> networks and is destined for the NSA to go undetected by our IDS systems?
>

Yup. Absolutely. Without a doubt.

> For example, have tcpdump-based IDS systems like Snort been rooted to ignore
> or not report packets going back to the NSA? Or netflow on Cisco devices
> not reporting NSA traffic? Or interface traffic counters discarding
> NSA packets to report that there is no usage on the interface when in fact
> there is?
>

Do you detect 100% of malware in your IDS? Why would anyone need to do anything with your IDS? Craft a PDF, DOC, Java, Flash, or anything else that can run code that people download all the time, with a payload of unknown signature.

This isn't really a network discussion. This is just to say: I seriously doubt there's anything wrong with your IDS. Don't skin a cat with a flamethrower; it just doesn't need to be that hard.

> Here's another question. What traffic do we look for on our networks that
> would be going to the NSA?
>

Standard https on port 443, maybe? That's how I'd send it. If you need to send something bigger than normal, maybe compromise the email server and have a few people send off some 5 - 10 meg messages? Depends on your normal user base. If you've got a big, complex user base, it's not hard to stay under the radar.

Google 'Mandiant APT1' for some really good reading.
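The reply above says exfiltration rides out on port 443 and stays under the radar in a large user base. The following is an added example, not code from either poster: a toy hunting pass over NetFlow-style records that applies the one check available on the defender's side of that argument, namely looking for (source, destination) pairs that move far more bytes on 443 than the network's median pair and whose destination almost no other host contacts. The flow records, addresses and thresholds are all constructed for the example.

```python
"""Toy exfil-hunting pass over NetFlow-style records (constructed example).

The idea: bulk exfiltration over 443 still has to go somewhere. A pair
that moves far more than the typical pair volume, to a destination that
only one or two internal hosts ever talk to, is worth a look.
"""
from collections import defaultdict
from statistics import median

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_out).
# 203.0.113.10 and 198.51.100.20 play "popular SaaS" destinations;
# 192.0.2.77 and 192.0.2.99 are destinations only one host ever contacts.
FLOWS = [
    ("10.0.0.1", "203.0.113.10", 443, 120_000),
    ("10.0.0.2", "203.0.113.10", 443, 95_000),
    ("10.0.0.3", "203.0.113.10", 443, 150_000),
    ("10.0.0.4", "203.0.113.10", 443, 80_000),
    ("10.0.0.1", "198.51.100.20", 443, 60_000),
    ("10.0.0.2", "198.51.100.20", 443, 70_000),
    ("10.0.0.5", "198.51.100.20", 443, 55_000),
    # Large upload to a destination everyone uses: looks like a backup.
    ("10.0.0.2", "203.0.113.10", 443, 30_000_000),
    # Large uploads to a destination nobody else on the network talks to.
    ("10.0.0.3", "192.0.2.77", 443, 20_000_000),
    ("10.0.0.3", "192.0.2.77", 443, 22_000_000),
    # Rare destination but tiny volume: ordinary browsing.
    ("10.0.0.4", "192.0.2.99", 443, 40_000),
    # Different port: not part of the 443 analysis at all.
    ("10.0.0.3", "192.0.2.77", 25, 5_000_000),
]


def outbound_by_pair(flows, port=443):
    """Total bytes per (src, dst) pair on the given destination port."""
    totals = defaultdict(int)
    for src, dst, dport, nbytes in flows:
        if dport == port:
            totals[(src, dst)] += nbytes
    return dict(totals)


def destination_fanin(flows, port=443):
    """How many distinct internal sources talk to each destination."""
    sources = defaultdict(set)
    for src, dst, dport, _ in flows:
        if dport == port:
            sources[dst].add(src)
    return {dst: len(srcs) for dst, srcs in sources.items()}


def median_pair_bytes(flows, port=443):
    """Median per-pair volume, used as the baseline for 'normal'."""
    totals = outbound_by_pair(flows, port)
    return median(totals.values()) if totals else 0


def find_exfil_candidates(flows, port=443, ratio=10.0, max_fanin=2):
    """Return (src, dst, bytes) for pairs whose destination is contacted by
    at most max_fanin sources AND whose volume is at least ratio times the
    median pair volume. Largest first."""
    totals = outbound_by_pair(flows, port)
    fanin = destination_fanin(flows, port)
    threshold = ratio * median_pair_bytes(flows, port)
    hits = [
        (src, dst, nbytes)
        for (src, dst), nbytes in totals.items()
        if fanin[dst] <= max_fanin and nbytes >= threshold
    ]
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for src, dst, nbytes in find_exfil_candidates(FLOWS):
        print(f"{src} -> {dst}:443 moved {nbytes:,} bytes to a rare destination")
```

Run against the constructed records, only 10.0.0.3 -> 192.0.2.77 is flagged. The 30 MB that 10.0.0.2 pushed to 203.0.113.10 is not, because four hosts use that destination, and the 5 MB on port 25 never enters the 443 pass at all. Those two misses are exactly the blind spots the reply describes: send it through a service everyone already talks to, or through the mail server, and a volume-plus-rarity check has nothing to key on. In practice you would feed this from your collector's export rather than a list literal, baseline each host over days rather than against one global median, and treat a hit as a lead to pull full flows for, not as a verdict.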