[AusNOG] Telstra's Texan Teaser - Tin Foil Stetsun anyone?

[Eric Pinkerton]

>The order isn't necessarily wrong.  There's a number of very well-known security products that do this type of request (although not this exact pattern, at least not for the ones I'm aware of) after the initial request has occurred.  It's generally referred to as a sacrificial lamb concept, where if the content is bad then the initial requester gets infect, but any future requests from other users will be blocked.  Blue Coat, Websense and Zscaler all do this in some form of other, although as I said not with the exact pattern seen here.

>Whilst doing it in the reverse order might seem to make more sense, and might stop that one client getting infected, it introduces additional latency and generally requires significant more capacity to do.

True, but all of those services subsequently block access to infected sites.  My reading of the tests carried out by WPoolers are that this was not the case - so it's either a work in progress and has been employed passively, or it's not about malware at all.  Occams razor seems to fancy the latter.



-- 
Message  protected by MailGuard: e-mail anti-virus, anti-spam and content filtering.http://www.mailguard.com.au/mg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20120625/c6bd843d/attachment.html>