In article <Pine.LNX.4.10.9907242358330.24292-100000at_private>, Nick Lamb <njl98rat_private> wrote:

>How does AntiSniff detect sniffing?
>http://www.l0pht.com/antisniff/tech-paper.html
>
>For those without the time needed to wade through L0pht's technical
>documentation, the short answer is:
>
>AntiSniff detects behaviour associated with packet sniffing; it does
>NOT detect the actual sniffing, which is of course a totally passive
>activity (at least on networks without switches).
>
>For "behaviour associated with sniffing" read:
>
>1. IP stacks which behave differently (broken) when doing Promisc.
>   Your attacker could avoid (or fix!) broken stacks.
>
>2. DNS lookups in response to an invalid packet with an invented IP addr.
>   Sniffers can be modified to do DNS off-line, or ignore bizarre packets.
>
>3. Slowdown in echo replies of sniffing machine during invalid flood.
>   This sounds unreliable, but I'll wait to see it in action.

Indeed; in the Computer Security class Dave Wagner and I taught at Berkeley in Fall '98, a couple of groups did just this. For a quite good paper describing the results, see http://www.cs.berkeley.edu/~daw/classes/cs261/projects/final-reports/fredwong-davidwu.ps

- Ian
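Two of the three behaviours listed in the quoted message, the DNS lookup of a decoy address and the echo-reply slowdown under a flood, can be checked from the defender's side with ordinary log and timing data. The following is an added example written for this archive page; it is not code from the thread, from L0pht's AntiSniff, or from the Berkeley project report. The query-log format, the decoy address (taken from the 192.0.2.0/24 documentation range), the RTT series and the 3x threshold are all constructed for the example.

```python
"""
Added example: detection logic for two AntiSniff-style behaviours.

  1. DNS-decoy check. A probe packet is sent to a decoy IP address that no host
     on the segment has any reason to see. A host that afterwards issues a PTR
     query for that address must have taken it out of a frame not addressed to
     it. Caveat from the thread: a sniffer that resolves names offline, or never
     resolves at all, produces no such query.
  2. Latency check. ICMP echo round-trip times to a host are compared at rest
     and during a flood of frames addressed to nobody. A host whose RTT inflates
     far more than its neighbours' is spending CPU on frames it should have
     dropped in the NIC. Caveat from the thread: this is noisy and needs a
     baseline from hosts known to be in normal mode on the same segment.

All data below is constructed; the log lines follow a BIND-style layout.
"""
import ipaddress
import re
import statistics
from typing import Iterable, Sequence

# Constructed query-log lines: "client <ip>#<port>: query: <name> IN <type>"
SAMPLE_QUERY_LOG = """\
client 10.0.0.5#53012: query: www.example.net IN A
client 10.0.0.9#41002: query: 77.2.0.192.in-addr.arpa IN PTR
client 10.0.0.5#53013: query: mail.example.net IN MX
client 10.0.0.9#41003: query: 1.0.0.10.in-addr.arpa IN PTR
""".splitlines()

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\w+)"
)


def ptr_name(ip: str) -> str:
    """Reverse-lookup name for an IPv4 address, e.g. 192.0.2.77 -> 77.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def hosts_resolving_decoy(log_lines: Iterable[str], decoy_ip: str) -> set:
    """Return the client addresses that issued a PTR query for the decoy address."""
    wanted = ptr_name(decoy_ip)
    hits = set()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and m["qtype"] == "PTR" and m["name"].rstrip(".").lower() == wanted:
            hits.add(m["client"])
    return hits


def latency_inflation(baseline_ms: Sequence[float], flood_ms: Sequence[float]) -> float:
    """Ratio of median RTT during the flood to median RTT at rest.
    Medians rather than means so one stray retransmission does not dominate."""
    return statistics.median(flood_ms) / statistics.median(baseline_ms)


def flags_promisc_latency(baseline_ms: Sequence[float], flood_ms: Sequence[float],
                          threshold: float = 3.0) -> bool:
    """True when the host slowed down by more than `threshold` times under the flood.
    The threshold is an assumption for this example; calibrate it against hosts
    known to be in normal mode on the same segment before relying on it."""
    return latency_inflation(baseline_ms, flood_ms) > threshold


if __name__ == "__main__":
    decoy = "192.0.2.77"  # constructed decoy address, documentation range
    print("hosts that reverse-resolved the decoy:", hosts_resolving_decoy(SAMPLE_QUERY_LOG, decoy))

    # Constructed RTT samples in milliseconds: at rest, then during the flood.
    rest = [1.0, 1.2, 1.1, 1.0]
    suspect_under_flood = [9.0, 8.5, 9.5, 10.0]
    normal_under_flood = [1.3, 1.2, 1.4, 1.1]
    print("suspect host flagged:", flags_promisc_latency(rest, suspect_under_flood))
    print("normal host flagged:", flags_promisc_latency(rest, normal_under_flood))
```

In a real deployment the decoy address would be one that is unused on the local segment and never published in DNS, and the RTT comparison would be run against several hosts at once so that a segment-wide slowdown caused by the flood itself is not mistaken for a single promiscuous host.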
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:53:42 PDT