Bugtraq mailing list archives
(How) Does AntiSniff do what is claimed?
From: njl98r () ECS SOTON AC UK (Nick Lamb)
Date: Sun, 25 Jul 1999 00:37:11 +0100
How does AntiSniff detect sniffing?

http://www.l0pht.com/antisniff/tech-paper.html

For those without the time needed to wade through L0pht's technical documentation, the short answer is: AntiSniff detects behaviour associated with packet sniffing; it does NOT detect the actual sniffing, which is of course a totally passive activity (at least on networks without switches).

For "behaviour associated with sniffing" read:

1. IP stacks which behave differently (broken) when doing Promisc. Your attacker could avoid (or Fix!) broken stacks.
2. DNS lookups in response to an invalid packet with an invented IP addr. Sniffers can be modified to do DNS off-line, or ignore bizarre packets.
3. Slowdown in echo replies of sniffing machine during invalid flood. This sounds unreliable, but I'll wait to see it in action.

NB Some network hardware will go promisc. to handle Multicast. This sucks but it happens, so AntiSniff users shouldn't be surprised if they see a red-light for method (1) above on old machines doing Multicast.

The L0pht people have my admiration for fully documenting (and crediting) their approach, but I think they over-hype this tool by saying that it will detect sniffing -- a green light from their product does NOT mean you're not being sniffed. If AntiSniff becomes popular, I'd estimate only a few months grace before Black Hats have made a reduced-functionality sniffer which slips under AntiSniff's radar. I don't have any use for such a tool, but if I did I doubt I'd need more than a week or two to get it right.

Otherwise an excellent tool, going in my toolbox once a Unix version is available.

Nick.
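The DNS-lookup method (2) above can be reproduced on the defender's side without AntiSniff: inject traffic carrying an invented IP address that no legitimate host should ever resolve, then watch the resolver's query log for PTR lookups of that address. The script below is an added example, not L0pht's code; the log lines are constructed in BIND query-log style, and the bait addresses are assumptions. As the post notes, a sniffer that resolves names off-line or ignores odd packets will not trip this check.

```python
"""Correlate bait IP addresses with reverse-DNS queries seen in a resolver log.

A host that asks for the PTR record of a bait address (one that only ever
appeared in a packet addressed to a non-existent machine) most likely read
that packet off the wire in promiscuous mode.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (not real traffic). Lines follow the BIND query-log
# format: timestamp, "client <ip>#<port>: query: <name> IN <type>".
SAMPLE_LOG = """\
25-Jul-1999 00:31:02.101 client 192.168.1.20#1034: query: 17.1.168.192.in-addr.arpa IN PTR
25-Jul-1999 00:31:05.447 client 192.168.1.77#2048: query: 5.0.0.10.in-addr.arpa IN PTR
25-Jul-1999 00:31:05.901 client 192.168.1.77#2049: query: 6.0.0.10.in-addr.arpa IN PTR
25-Jul-1999 00:31:09.003 client 192.168.1.20#1035: query: www.l0pht.com IN A
25-Jul-1999 00:31:12.250 client 192.168.1.42#3001: query: 6.0.0.10.in-addr.arpa IN PTR
"""

# Assumed bait addresses: unused on this LAN, placed only in injected packets.
BAIT_IPS = ["10.0.0.5", "10.0.0.6"]

QUERY_RE = re.compile(
    r"client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\w+)"
)

def ptr_name(ip):
    """Return the in-addr.arpa name a resolver asks for when reverse-mapping ip."""
    return ipaddress.ip_address(ip).reverse_pointer

def suspects(log_text, bait_ips):
    """Map each client that reverse-resolved a bait address to the baits it looked up."""
    bait_names = {ptr_name(ip): ip for ip in bait_ips}
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m["type"] != "PTR":
            continue  # only reverse lookups are evidence here
        bait = bait_names.get(m["name"].lower())
        if bait:
            hits[m["src"]].add(bait)
    return dict(hits)

if __name__ == "__main__":
    for host, baits in suspects(SAMPLE_LOG, BAIT_IPS).items():
        print(f"{host} resolved bait address(es): {sorted(baits)}")
```

Run against a real resolver log, a hit is grounds for a closer look at that host, not proof by itself: a monitoring box doing its own reverse lookups will trip it too.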