Bugtraq mailing list archives

(How) Does AntiSniff do what is claimed?


From: njl98r () ECS SOTON AC UK (Nick Lamb)
Date: Sun, 25 Jul 1999 00:37:11 +0100


How does AntiSniff detect sniffing?
http://www.l0pht.com/antisniff/tech-paper.html

For those without the time needed to wade through L0pht's technical
documentation, the short answer is:

AntiSniff detects behaviour associated with packet sniffing; it does
NOT detect the actual sniffing, which is of course a totally passive
activity (at least on networks without switches).

For "behaviour associated with sniffing" read:

1. IP stacks which behave differently (broken) when doing Promisc.
 Your attacker could avoid (or Fix!) broken stacks

2. DNS lookups in response to an invalid packet with an invented IP addr
 Sniffers can be modified to do DNS off-line, or ignore bizarre packets

3. Slowdown in echo replies of sniffing machine during invalid flood
 This sounds unreliable, but I'll wait to see it in action

NB Some network hardware will go promisc. to handle Multicast. This sucks
but it happens, so AntiSniff users shouldn't be surprised if they see a
red-light for method (1) above on old machines doing Multicast.

The L0pht people have my admiration for fully documenting (and crediting)
their approach, but I think they over-hype this tool by saying that it
will detect sniffing -- a green light from their product does NOT mean
you're not being sniffed.

If AntiSniff becomes popular, I'd estimate only a few months' grace
before Black Hats have made a reduced-functionality sniffer which slips
under AntiSniff's radar. I don't have any use for such a tool, but if
I did I doubt I'd need more than a week or two to get it right.

Otherwise an excellent tool, going in my toolbox once a Unix version is
available.

Nick.
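The decoy-address test Nick summarises as method (2), written out as an offline analyser. This is an added example, not code from the original post or from L0pht's AntiSniff; the decoy IP set and the DNS query log below are constructed for illustration.

```python
"""Offline check for the AntiSniff DNS test (method 2 in the post above).

Idea: the monitor injects packets whose destination IP has no host on the
LAN and whose destination MAC nobody owns. Only a promiscuous interface sees
them; if that host then reverse-resolves the decoy IP (a sniffer labelling
its capture), the PTR query gives it away. Here we only do the analysis
half: match observed PTR queries against the known decoy addresses.
"""
import ipaddress
from collections import defaultdict

# Constructed: decoy destination IPs the monitor used (never assigned on the LAN).
DECOY_IPS = {"10.9.8.7", "10.9.8.250"}

# Constructed DNS query log: (source host, query type, query name).
DNS_LOG = [
    ("10.0.0.5", "PTR", "7.8.9.10.in-addr.arpa"),    # resolves a decoy: suspicious
    ("10.0.0.6", "A",   "www.example.com"),           # ordinary forward lookup
    ("10.0.0.7", "PTR", "1.0.0.10.in-addr.arpa"),     # PTR for a real LAN host: normal
    ("10.0.0.5", "PTR", "250.8.9.10.in-addr.arpa"),   # second decoy from same host
]


def ptr_to_ip(name):
    """Turn a reverse name like '7.8.9.10.in-addr.arpa' into '10.9.8.7'.

    Returns None for anything that is not a well-formed IPv4 PTR name.
    """
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def suspect_hosts(dns_log, decoy_ips):
    """Return {host: [decoy IPs it reverse-resolved]} for hosts that hit any decoy."""
    hits = defaultdict(list)
    for src, qtype, qname in dns_log:
        if qtype != "PTR":
            continue
        ip = ptr_to_ip(qname)
        if ip in decoy_ips:
            hits[src].append(ip)
    return dict(hits)
```

As the post points out, a sniffer that never resolves addresses (or resolves them later, off-line) produces no PTR query at all, so an empty result from this check is not evidence that nobody is sniffing.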