On Sun, 25 Jul 1999, Nick Lamb wrote:

> How does AntiSniff detect sniffing?
> http://www.l0pht.com/antisniff/tech-paper.html

[...]

> For "behaviour associated with sniffing" read:
>
> 1. IP stacks which behave differently (broken) when doing Promisc.
>    Your attacker could avoid (or Fix!) broken stacks
>
> 2. DNS lookups in response to an invalid packet with an invented IP addr
>    Sniffers can be modified to do DNS off-line, or ignore bizarre packets

Or use several easily imagined techniques to spoof DNS queries so that they
can't be traced back to the sniffer. This would still provide evidence that
_somebody_ is sniffing the net, although it wouldn't prove who.

Of course, the sniffer could just as easily not do any active DNS queries,
and still get loads of information by passively watching other DNS requests.

> 3. Slowdown in echo replies of sniffing machine during invalid flood
>    This sounds unreliable, but I'll wait to see it in action
>
> NB Some network hardware will go promisc. to handle Multicast. This sucks
> but it happens, so AntiSniff users shouldn't be surprised if they see a
> red-light for method (1) above on old machines doing Multicast.

There may be a fairly new provoking factor: I expect a number of folks will
be using VMWare's "bridged network" mode, which lets the VM appear to live
on the host's ethernet segment. This seems to operate by throwing the host's
network card into multicast mode so that it can watch for input on a second
address. As Nick said, depending on the hardware and driver implementation,
this may or may not be equivalent to turning promisc mode on.

-- 
Kenneth Albanowski (kjahdsat_private, CIS: 70705,126)
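The defender's side of method (2) above, as an added illustration that is not part of the original thread and not AntiSniff's own code: after sending traffic to or from "bait" addresses that no real host on the segment uses, watch the resolver's query log for reverse (PTR) lookups of those addresses. The log format below is a constructed, simplified BIND-style query log, the bait addresses 10.0.0.201 and 10.0.0.202 are made up, and the `client` field is whatever source IP the resolver logged, which (as the thread points out) could itself be spoofed.

```python
"""Flag DNS clients that reverse-resolve bait addresses (AntiSniff-style check)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the style of a BIND query log; not taken from the post.
SAMPLE_QUERY_LOG = """\
25-Jul-1999 10:00:01.000 client 10.0.0.7#5353: query: 7.0.0.10.in-addr.arpa IN PTR
25-Jul-1999 10:00:02.000 client 10.0.0.12#40000: query: www.example.com IN A
25-Jul-1999 10:00:03.000 client 10.0.0.55#1025: query: 201.0.0.10.in-addr.arpa IN PTR
25-Jul-1999 10:00:04.000 client 10.0.0.55#1026: query: 202.0.0.10.in-addr.arpa IN PTR
25-Jul-1999 10:00:05.000 client 10.0.0.9#1030: query: 1.0.0.10.in-addr.arpa IN PTR
"""

# Bait addresses (constructed): unused addresses the tester has put traffic
# to/from on the wire; only a host reading other hosts' packets has any reason
# to reverse-resolve them.
BAIT_ADDRESSES = {ipaddress.ip_address("10.0.0.201"), ipaddress.ip_address("10.0.0.202")}

QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<rtype>\w+)"
)


def ptr_name_to_ip(name):
    """Convert a reverse-lookup name (in-addr.arpa / ip6.arpa) to an address, or None."""
    name = name.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        labels = name[: -len(".in-addr.arpa")].split(".")
        if len(labels) != 4:
            return None
        try:
            return ipaddress.IPv4Address(".".join(reversed(labels)))
        except ValueError:
            return None
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            return None
        hexstr = "".join(reversed(nibbles))
        try:
            return ipaddress.IPv6Address(
                ":".join(hexstr[i:i + 4] for i in range(0, 32, 4))
            )
        except ValueError:
            return None
    return None


def find_bait_lookups(log_text, bait=BAIT_ADDRESSES):
    """Return {client_ip: [bait addresses it reverse-resolved]} from query-log text.

    Only PTR queries count; forward queries and PTR queries for non-bait
    addresses (ordinary reverse lookups by legitimate peers) are ignored.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m.group("rtype").upper() != "PTR":
            continue
        addr = ptr_name_to_ip(m.group("name"))
        if addr is not None and addr in bait:
            hits[m.group("client")].add(addr)
    return {client: sorted(str(a) for a in addrs) for client, addrs in hits.items()}


if __name__ == "__main__":
    for client, addrs in find_bait_lookups(SAMPLE_QUERY_LOG).items():
        print(f"{client} reverse-resolved bait addresses {', '.join(addrs)}; "
              "the client field is the query's source IP and may be spoofed")
```

A hit on several distinct bait addresses from one client is a stronger signal than a single lookup, and a hit only tells you that some host on the segment saw the bait traffic: if the querying source is spoofed, or the sniffer never resolves anything and just watches everyone else's DNS traffic, this check is silent, which is exactly the limitation the thread describes.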
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:54:02 PDT