[atlas] HTTP/HTTPS probe

> about "it was not me, it was someone else" or "it was just a HEAD request, I
> didn't really see that picture" will make a difference in all cases. (We
> will likely be able to trace back the actual request to someone, but it may
> not help the host in question.)

That's why I suggested "OPTIONS" or "TRACE".

There is no real content exchanged in either of those two verbs. Well,
I guess a truly subverted HTTP server could send content with any
verb, but equally you can run a content server over DNS if you try
hard enough...

I don't think it matters that many web servers don't implement those
VERBs as the exchange from a TCP perspective is identical to a GET or
HEAD in either case. The only difference is that the content may be an
options list or a 400 response. Not something a TCP stack cares about.

That is not to ignore the concern you raised. I agree that it's very
real. But it's a question of degree as the risk already exists.

If someone was trawling thru my ISPs dnscache logs and saw queries to
unsavoury host names referred to by UDMs, that could similarly be
embarrassing. Or worse, raise an alert with the local authorities if
the host names in question contains words on a government proscribed
list - as exist in some countries already.

So if TCP measurements were to be allowed - then HTTP OPTIONS in
cleartext is almost as innocuous as a DNS query over TCP which is
almost as innocuous as a DNS query over UDP.

It's also pretty innocuous from the receivers perspective too. Seeing
an occasional OPTIONS request in an HTTP log is pretty mild compared
to all the other cruft sent by spiders and bots. On my personal web
server I see about 1 real request for every 30-40 spider/bot
requests. The anomaly for me is a real person looking at my site :-)


Mark.