How does AntiSniff detect sniffing?

http://www.l0pht.com/antisniff/tech-paper.html

For those without the time needed to wade through L0pht's technical documentation, the short answer is: AntiSniff detects behaviour associated with packet sniffing; it does NOT detect the actual sniffing, which is of course a totally passive activity (at least on networks without switches).

For "behaviour associated with sniffing" read:

1. IP stacks which behave differently (broken) when doing Promisc.
   Your attacker could avoid (or fix!) broken stacks.

2. DNS lookups in response to an invalid packet with an invented IP addr.
   Sniffers can be modified to do DNS off-line, or ignore bizarre packets.

3. Slowdown in echo replies of sniffing machine during invalid flood.
   This sounds unreliable, but I'll wait to see it in action.

NB: Some network hardware will go promisc. to handle Multicast. This sucks, but it happens, so AntiSniff users shouldn't be surprised if they see a red light for method (1) above on old machines doing Multicast.

The L0pht people have my admiration for fully documenting (and crediting) their approach, but I think they over-hype this tool by saying that it will detect sniffing -- a green light from their product does NOT mean you're not being sniffed.

If AntiSniff becomes popular, I'd estimate only a few months' grace before Black Hats have made a reduced-functionality sniffer which slips under AntiSniff's radar. I don't have any use for such a tool, but if I did I doubt I'd need more than a week or two to get it right.

Otherwise an excellent tool, going in my toolbox once a Unix version is available.

Nick.
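The two behavioural checks the post numbers (1) and (3) are easy to show in code. The following is an added example written for this archive page; it is not AntiSniff's code and not taken from the L0pht paper. It builds the kind of probe method (1) relies on, an ICMP echo request whose IP header is addressed to the target but whose Ethernet destination MAC is deliberately wrong, so that only a host whose card is in promiscuous mode (and whose stack answers such frames) will reply, and it scores the echo-reply latency comparison behind method (3). Actually transmitting the frame needs a raw socket and is left out; a list of captured reply frames stands in for the capture side. All MAC addresses, IP addresses (RFC 5737 documentation range), ICMP identifiers and RTT samples are constructed values, and the 4x slowdown threshold is an assumption, not a figure from the paper.

```python
"""Sniffer-detection heuristics in the spirit of the post's methods (1) and (3).

Added example, not AntiSniff code. Pure standard library: frames are built and
parsed by hand so the logic runs offline with no raw-socket access.
"""
import statistics
import struct

ETH_P_IP = 0x0800
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def mac_bytes(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join("%02x" % b for b in raw)


def ip_bytes(text):
    return bytes(int(o) for o in text.split("."))


def ip_text(raw):
    return ".".join(str(b) for b in raw)


def checksum(data):
    """RFC 1071 ones'-complement checksum over 16-bit words (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, ident, seq, payload=b"antisniff-probe"):
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_ipv4(src_ip, dst_ip, payload, proto=1, ttl=64):
    total_len = 20 + len(payload)
    fields = [0x45, 0, total_len, 0, 0, ttl, proto, 0, ip_bytes(src_ip), ip_bytes(dst_ip)]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))  # header checksum
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def build_frame(dst_mac, src_mac, ip_packet):
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_IP) + ip_packet


def build_probe(prober_mac, prober_ip, target_ip, ident=0x1F, seq=1,
                bogus_mac="ff:ff:ff:ff:ff:fe"):
    """Method (1) probe: IP layer says 'target', Ethernet layer says a MAC nobody owns.

    A card that is not promiscuous drops the frame in hardware; a promiscuous host
    passes it up, and a stack that does not re-check the MAC answers the echo.
    """
    icmp = build_icmp(ICMP_ECHO_REQUEST, ident, seq)
    return build_frame(bogus_mac, prober_mac, build_ipv4(prober_ip, target_ip, icmp))


def parse_frame(frame):
    """Decode Ethernet/IPv4/ICMP headers; None for anything that is not ICMP over IPv4."""
    if len(frame) < 14 + 20 + 8:
        return None
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_IP:
        return None
    ipv4 = frame[14:]
    ihl = (ipv4[0] & 0x0F) * 4
    if ipv4[9] != 1:  # protocol 1 = ICMP
        return None
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", ipv4[ihl:ihl + 8])
    return {"dst_mac": mac_text(dst), "src_mac": mac_text(src),
            "src_ip": ip_text(ipv4[12:16]), "dst_ip": ip_text(ipv4[16:20]),
            "icmp_type": icmp_type, "ident": ident, "seq": seq}


def answered_bogus_mac_probe(probe, captured_frames):
    """True if any captured frame is an echo reply matching a probe the target's MAC
    filter should have discarded. A True here is the post's 'red light' for (1)."""
    sent = parse_frame(probe)
    for frame in captured_frames:
        got = parse_frame(frame)
        if (got and got["icmp_type"] == ICMP_ECHO_REPLY
                and got["src_ip"] == sent["dst_ip"] and got["dst_ip"] == sent["src_ip"]
                and got["ident"] == sent["ident"] and got["seq"] == sent["seq"]):
            return True
    return False


def latency_suspicious(baseline_rtts_ms, flood_rtts_ms, factor=4.0):
    """Method (3): compare median echo RTT before and during a flood of junk traffic.

    A sniffing host spends CPU decoding every junk frame, so its replies lag; a host
    that drops the junk in hardware barely changes. `factor` is an assumed threshold.
    """
    return statistics.median(flood_rtts_ms) >= factor * statistics.median(baseline_rtts_ms)


if __name__ == "__main__":
    probe = build_probe("02:00:00:00:00:01", "192.0.2.10", "192.0.2.20")
    # Constructed reply as a promiscuous, MAC-unaware stack at 192.0.2.20 would send it.
    reply = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                        build_ipv4("192.0.2.20", "192.0.2.10", build_icmp(ICMP_ECHO_REPLY, 0x1F, 1)))
    print("method 1 red light:", answered_bogus_mac_probe(probe, [reply]))
    print("method 3 red light:", latency_suspicious([1.0, 1.2, 0.9], [5.0, 6.1, 4.8]))
```

Note that a green result from either function only says the host did not exhibit that behaviour, which is exactly the post's point: a sniffer written to ignore frames with a wrong destination MAC, or run on a machine with headroom to spare, passes both checks.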
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:53:22 PDT