[AusNOG] Telstra's Texan Teaser - Tin Foil Stetsun anyone?

Scott Howard scott at doc.net.au
Mon Jun 25 11:53:28 EST 2012


On Sun, Jun 24, 2012 at 6:40 PM, Eric Pinkerton <Eric.Pinkerton at stratsec.net> wrote:

> > Is this not standard behaviour for most anti-nasty installations on
> > desktops?
>
> This thought had crossed my mind, not least because it buggers with
> people's webstats/analytics in much the same way but I had discounted it
> because the user agent is different from the real request, and would be key
> to determining if the handset in question was vulnerable to say, a drive-by
> attack.  Also the sequence is wrong - legit request typically lands first,
> and also both requests seem to be independent (ie if legit request gets a
> 404, the other request still appears)
>

The order isn't necessarily wrong.  There's a number of very well-known
security products that do this type of request (although not this exact
pattern, at least not for the ones I'm aware of) after the initial request
has occurred.  It's generally referred to as a sacrificial lamb concept,
where if the content is bad then the initial requester gets infected, but any
future requests from other users will be blocked.  Blue Coat, Websense and
Zscaler all do this in some form or other, although as I said not with the
exact pattern seen here.

Whilst doing it in the reverse order might seem to make more sense, and
might stop that one client getting infected, it introduces additional
latency and generally requires significantly more capacity to do.

  Scott




>
> > Maybe smartphones are doing the same thing and/or Telstra is emulating
> > that behaviour for themselves...
>
> If it was an anti-malware offering then I would have expected them to test
> and refine it to a point where it is of some use, and then had the
> marketeers doing singing and dancing before enrolling all of their
> customers.  Finally, it happens on Telstra's http proxies, not on the
> handset/browser/client etc, etc.
>
>
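Added example, not part of either poster's message: one way a site operator could check the request ordering discussed in this thread from an access log. It pairs each request from a suspected proxy/scanner range with the nearest client request for the same path and a different User-Agent, then reports which arrived first and the client's status code. The log lines, the 192.0.2.0/24 range, the User-Agent strings and the 30-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (combined log format); not from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jun/2012:10:00:00 +1000] "GET /a.html HTTP/1.1" 200 512 "-" "PhoneBrowser/1.0"
192.0.2.10 - - [25/Jun/2012:10:00:02 +1000] "GET /a.html HTTP/1.1" 200 512 "-" "Scanner/9"
192.0.2.11 - - [25/Jun/2012:10:05:00 +1000] "GET /b.html HTTP/1.1" 200 300 "-" "Scanner/9"
203.0.113.8 - - [25/Jun/2012:10:05:01 +1000] "GET /b.html HTTP/1.1" 200 300 "-" "PhoneBrowser/1.0"
203.0.113.9 - - [25/Jun/2012:10:09:00 +1000] "GET /gone HTTP/1.1" 404 0 "-" "PhoneBrowser/1.0"
192.0.2.10 - - [25/Jun/2012:10:09:03 +1000] "GET /gone HTTP/1.1" 404 0 "-" "Scanner/9"
203.0.113.9 - - [25/Jun/2012:10:30:00 +1000] "GET /c.html HTTP/1.1" 200 99 "-" "PhoneBrowser/1.0"
"""

# Assumption: the operator already suspects this source range (documentation prefix).
SCANNER_NETS = [ip_network("192.0.2.0/24")]
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

def parse(log):
    for m in map(LINE.match, log.splitlines()):
        if m:
            ip, ts, _method, path, status, ua = m.groups()
            yield {"ip": ip_address(ip), "path": path, "status": int(status), "ua": ua,
                   "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")}

def is_scanner(rec):
    return any(rec["ip"] in net for net in SCANNER_NETS)

def pair_requests(log, window=timedelta(seconds=30)):
    """Match each scanner fetch to the nearest client request for the same path."""
    recs = list(parse(log))
    clients = [r for r in recs if not is_scanner(r)]
    results = []
    for s in filter(is_scanner, recs):
        near = [c for c in clients if c["path"] == s["path"]
                and c["ua"] != s["ua"] and abs(c["time"] - s["time"]) <= window]
        if not near:
            continue
        c = min(near, key=lambda c: abs(c["time"] - s["time"]))
        delay = (s["time"] - c["time"]).total_seconds()  # > 0: client landed first
        order = "client-first" if delay >= 0 else "scanner-first"
        results.append((s["path"], order, delay, c["status"]))
    return results

if __name__ == "__main__":
    for row in pair_requests(SAMPLE_LOG):
        print(row)
```

A paired row whose client status is 404 corresponds to the independence noted in the quoted message: the second fetch appears even though the first request failed.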