Bugtraq mailing list archives
How to detect a sniffer
From: fc () all net (Dr. Frederick B. Cohen)
Date: Fri, 5 May 1995 21:55:14 -0400 (EDT)
Search - very well. The people that claim it is somehow impossible to detect a sniffer seem to believe that this is some super impossible problem, but it is not. Current sniffer technology is finite and bounded - all you have to do is look hard enough. The question you might reasonably ask is "How hard do we have to search?" and the answer is - finitely hard - not infinitely hard. Thus, it is possible, but perhaps quite expensive. The next question might reasonably be: "Is it feasible?" and again the answer is yes. So let's start with hardware and then go to software:

Hardware - examine every component with an electron microscope for any deviation from design. Any deviation is examined to determine the electromagnetic impact, and if the impact is to leak packets with a particular energy level, we then have to search the range of locations within the detectable distance of that emission to determine if amplification devices of the right sort are in that range. Repeat recursively till it reaches or doesn't reach humans, and you are done with the physical side.

Software - examine all information in the systems and determine all deviations from the original implementation. Examine all deviations to determine function. If function can cause packet contents to move about, apply recursively till the packets reach humans or do not. Search over.

Please note that all of these operations are finite and do not fall under the problems of undecidability or any laws of physics that cause them to be impossible or involve unbounded effort.

HOWEVER - they require a great deal of effort and are unlikely to be cost effective for any real-world situation - especially when compared to physically securing a small number of critical components and using encryption to prevent abuse outside of those components.
I await anxiously the unbounded diatribe that is certain to result from this assessment of the difficulty in detection of sniffers, but please don't use the same sorts of abusive language or insults that you have been throwing around so freely before asking legitimate questions. Just because you don't know how, doesn't make it impossible.

--
-----------------
\Management /\/| 216-686-0090 - PO Box 1480, Hudson, OH 44236
 \ /\/ | Check out info-security heaven and test your system
 \/\ /\/ | for known vulnerabilities (1st time for free) at URL:
 \/Analytics| (scans deeper than SATAN or ISS) http://all.net:8080
-----------------
ASIS "Security Management" Articles and Information On-Line
Read "Protection and Security on the Information Superhighway"
John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95