2
ssh -N -L 6000:localhost:4000 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l U ser 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 The NSA TCP/IP traffic analysis program primarly focuses on the traffic analysis of WAN ATM (Asynchronous Transfer Mode) cell header and payload data at IXPs ( Internet Exchange Points) globally that employ Cisco Systems routing equipment. Concerned persons should implement the following: 1. If possible, ensure that your network routing equipment’s’ ATM switched virtual connections and permanent virtual connections are disabled; AND 2. Tunnel your TCP/IP connections over a new SSH2 session for each and every new WAN TCP/IP routed connection (for EVERY transmission to any WAN address); AND 3. Create transmission latency for each of your new WAN SSH2-enabled TCP/IP routed connections through a modified SSH login command such as: ssh -N -L 6000:localhost:4000 -l User 1.2.3.4 -l User 1.2.3.4 -l U ser 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4

Ssh Escape NSA VPN Detection

Embed Size (px)

Citation preview

Page 1: Ssh Escape NSA VPN Detection

7/27/2019 Ssh Escape NSA VPN Detection

http://slidepdf.com/reader/full/ssh-escape-nsa-vpn-detection 1/2

ssh -N -L 6000:localhost:4000 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User

1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4

-l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User

1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4

-l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User

1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4

-l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User

1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4

-l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User

1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4

-l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User

1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4

-l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User

1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4

-l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User

1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4

-l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User

1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4

-l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User

1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4

The NSA TCP/IP traffic analysis program primarly focuses on the traffic analysis of WAN ATM

(Asynchronous Transfer Mode) cell header and payload data at IXPs (Internet Exchange

Points) globally that employ Cisco Systems routing equipment.

Concerned persons should implement the following:

1.  If possible, ensure that your network routing equipment’s’ ATM switched virtual

connections and permanent virtual connections are disabled; AND

2.  Tunnel your TCP/IP connections over a new SSH2 session for each and every new WAN

TCP/IP routed connection (for EVERY transmission to any WAN address); AND

3.  Create transmission latency for each of your new WAN SSH2-enabled TCP/IP routed

connections through a modified SSH login command such as:

ssh -N -L 6000:localhost:4000 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User

1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4

-l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User

1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4

-l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User

1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4

-l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User

1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4

-l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User

1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4

-l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User

1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4

-l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User

1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4

-l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User

1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4

Page 2: Ssh Escape NSA VPN Detection

7/27/2019 Ssh Escape NSA VPN Detection

http://slidepdf.com/reader/full/ssh-escape-nsa-vpn-detection 2/2

-l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User

1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4

-l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User

1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4

Note that localhost is on port 6000 and remote web host proxy is on port 4000; username is User

(if using SSH user authentication); and remote SSH server IP is 1.2.3.4; transmission latency is

created with multiples of -l User 1.2.3.4.

More to follow on creating transmission latency when using remote port forwarding through

OpenVPN.

If your server traffic is a specific collection target of NSA/Level 3 Communications Regional

Security Center (NSA/CSS Georgia) at Fort Gordon Georgia USA or of one of NSA’s non-US

affiliates, flagging of sniffed IXP traffic for subsequent analysis can only be triggered by your

server’s SECOND or subsequent routing connection to one or more WAN addresses. 

Perhaps surprisingly, if your server’s traffic is a collection target, your users’ use of the above SSH

transmission latency will also actually increase users’ upload and download speeds during SSH2sessions.