Here we go again - ISP DPI, but is it interception?

James Firth james2 at jfirth.net
Wed Jul 28 14:49:26 BST 2010


> It seems that they are monitoring their outbound servers to compile lists
> of IP addresses to which stuff is being sent. That would be perfectly
> legal if used, for example, to fine-tune their routeing tables.
>
> But they go further by examining the port number and only including
> packets addressed to port 80 in their lists. That is trickier,

More research is needed on this.  I have server logs from sites I run that I
can use to establish shadow visitors, and whether any - if found - go to the
exact page (i.e. full URL) or just the top level website.

> So basically, I think what they are doing is potentially a Good Thing, and
> most likely lawful.

What if shadow visits to the site, hypothesising that the full URL is
visited, caused undesired consequences such as repeat posting or triggered
other state-changing behaviour in the destination website?

> Once they have a list of addresses of sites, they are perfectly
> entitled to visit those sites (as is anybody else) and to probe them for
> malware. If the site declines their probes, or demands some password that
> they don't know, then the site is perfectly entitled to do that.

And herein could lie a flaw in such technology.  Already I've seen posted
online the alleged IP range for the servers used for the shadow visits.

Sites hosting malware could easily use this information to block or send
clean pages to the monitoring sites.  And of course it would be far more
questionable if the monitoring itself spoofed the IP address of the original
visitor, leading to scenarios such as "you claim you accidentally visited a
website hosting questionable content, but never returned, yet logs retrieved
from the server in question show you made a second visit less than 2 minutes
later."

(OK that's a tad tenuous but hopefully explains a point).

James Firth
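The log check described above (establishing shadow visitors from server logs, and seeing whether they fetch the exact URL or only the top-level site) as an added example; this is not code from the original post or from any ISP product. It assumes Apache/nginx "combined" log format, a constructed sample log, and a two-minute window taken from the scenario in the post; all addresses, paths and user agents are made up.

```python
"""Find possible 'shadow visits' in a web server access log.

Added example, not the original post's code. A shadow visit here means a
second request for the same URL, within a short window of the first, from a
different client address. Assumes Apache/nginx "combined" log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (assumption: the server logs in this format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: a visitor reads a deep page, an unrelated address
# fetches the exact same URL 40 seconds later, the same address later fetches
# only "/", and a genuinely separate visitor reads the page much later.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jul/2010:14:01:05 +0100] "GET /blog/post-42?x=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.9 - - [28/Jul/2010:14:01:45 +0100] "GET /blog/post-42?x=1 HTTP/1.1" 200 5120 "-" "Scanner/1.0"
203.0.113.7 - - [28/Jul/2010:14:02:10 +0100] "GET /blog/post-43 HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.9 - - [28/Jul/2010:14:02:40 +0100] "GET / HTTP/1.1" 200 1024 "-" "Scanner/1.0"
192.0.2.44 - - [28/Jul/2010:15:30:00 +0100] "GET /blog/post-42?x=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux)"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        entries.append(e)
    return entries


def find_shadow_visits(entries, window=timedelta(minutes=2)):
    """Return (original, follow_up) pairs: the same URL (path and query string)
    requested again within `window` by a different client address.

    Because pairs are keyed on the full URL, a hit here means the follow-up
    went to the exact page, not just the top-level site."""
    by_url = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["ts"]):
        by_url[e["url"]].append(e)
    pairs = []
    for reqs in by_url.values():
        for i, first in enumerate(reqs):
            for later in reqs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break  # requests are time-sorted, nothing later can match
                if later["ip"] != first["ip"]:
                    pairs.append((first, later))
    return pairs


def shadow_client_ips(entries, window=timedelta(minutes=2)):
    """Client addresses seen on the follow-up side of at least one pair."""
    return sorted({later["ip"] for _, later in find_shadow_visits(entries, window)})


def urls_by_ip(entries, ip):
    """Every URL a given client requested, to see whether a suspect address
    fetched full page URLs or only the top-level site."""
    return sorted({e["url"] for e in entries if e["ip"] == ip})


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for first, later in find_shadow_visits(log):
        delay = (later["ts"] - first["ts"]).total_seconds()
        print(f"{later['ip']} re-fetched {first['url']} {delay:.0f}s after {first['ip']} ({later['ua']})")
    for ip in shadow_client_ips(log):
        print(ip, "requested:", urls_by_ip(log, ip))
```

Same-address repeats are deliberately excluded, since a user reloading a page produces the same pattern; that is also why log evidence alone cannot separate the spoofed-visitor scenario raised above from an ordinary second visit. Comparing the user-agent strings and checking the follow-up address against the published ranges is the sensible next step before drawing any conclusion.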