
Because effectively blocking packets at requires supervising all routes through which they might escape (i.e., managing a lot of dynamic rules on a lot of very critical routers), whereas injecting forged packets only requires one little box.

Kinda like the Berlin Wall. Easier to shoot people attempting to cross than hermetically seal the entire border.



I don't quite follow. You can't inject an RST packet unless you know someone is trying to connect to a Tor node, so you still need to supervise all the routes, right?


The difference is that I can do traffic analysis and RST generation over lots of machines (if it gets slow, worst case my RST gets there late). Changing routes/forwarding table actions has to happen on the machine moving large data, in real time.


You can sniff the traffic out-of-band, possibly implement it on already existing spy/monitoring infrastructure.


And ignoring RST may work. In fact that method worked against earlier implementations of the Great Firewall of China.
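Rather than dropping every RST, a client stack or an IDS can score each RST against what the flow has already shown, since an injected segment comes from a different box and so tends to carry a different TTL and a sequence number that does not line up. The following is an added example, not code from the thread; the packet record, the two heuristics (TTL distance and sequence window) and the sample trace are all constructed assumptions.

```python
from dataclasses import dataclass

TTL_TOLERANCE = 8      # assumed: hop-count drift larger than this is suspicious
SEQ_WINDOW = 65535     # assumed: an honest RST lands near the last seen seq

@dataclass
class Packet:
    src: str
    dst: str
    flags: str   # e.g. "S", "SA", "A", "R"
    seq: int
    ttl: int

def detect_forged_rsts(packets):
    """Return [(index, [reasons])] for RST segments that look injected.

    Per direction (src, dst) we remember the TTL of the first non-RST
    segment and the most recent sequence number; an RST whose TTL is far
    from that baseline, or whose seq is outside the window after the last
    seen seq, is flagged.  RSTs themselves never update the baseline.
    """
    ttl_seen, last_seq, suspicious = {}, {}, []
    for i, p in enumerate(packets):
        key = (p.src, p.dst)
        if "R" in p.flags:
            reasons = []
            if key in ttl_seen and abs(ttl_seen[key] - p.ttl) > TTL_TOLERANCE:
                reasons.append(f"ttl {p.ttl} vs baseline {ttl_seen[key]}")
            if key in last_seq and not (
                last_seq[key] <= p.seq <= last_seq[key] + SEQ_WINDOW
            ):
                reasons.append(f"seq {p.seq} outside window after {last_seq[key]}")
            if reasons:
                suspicious.append((i, reasons))
            continue
        ttl_seen.setdefault(key, p.ttl)
        last_seq[key] = p.seq
    return suspicious

# Constructed trace: a handshake, then two injected RSTs, then a real one.
SAMPLE_TRACE = [
    Packet("client", "relay", "S",  1000, 64),   # 0: client SYN
    Packet("relay", "client", "SA", 5000, 52),   # 1: relay SYN/ACK, 12 hops away
    Packet("client", "relay", "A",  1001, 64),   # 2: client ACK
    Packet("relay", "client", "R",  5001, 240),  # 3: injected: TTL far off
    Packet("relay", "client", "R", 90000, 52),   # 4: injected: seq far off
    Packet("client", "relay", "R",  1001, 64),   # 5: genuine client RST
]
```

Indices 3 and 4 are reported; the genuine RST at index 5 matches both baselines and passes.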



