Bugtraq mailing list archives
Re: (How) Does AntiSniff do what is claimed?
From: iang () CS BERKELEY EDU (Ian Goldberg)
Date: Mon, 26 Jul 1999 22:10:51 GMT
In article <Pine.LNX.4.10.9907242358330.24292-100000 () chef ecs soton ac uk>, Nick Lamb <njl98r () ECS SOTON AC UK> wrote:
> How does AntiSniff detect sniffing?
> http://www.l0pht.com/antisniff/tech-paper.html
>
> For those without the time needed to wade through L0pht's technical documentation, the short answer is:
>
> AntiSniff detects behaviour associated with packet sniffing, it does NOT detect the actual sniffing, which is of course a totally passive activity (at least on networks without switches)
>
> For "behaviour associated with sniffing" read:
>
> 1. IP stacks which behave differently (broken) when doing Promisc.
>    Your attacker could avoid (or Fix!) broken stacks
> 2. DNS lookups in response to an invalid packet with an invented IP addr
>    Sniffers can be modified to do DNS off-line, or ignore bizarre packets
> 3. Slowdown in echo replies of sniffing machine during invalid flood
>    This sounds unreliable, but I'll wait to see it in action

Indeed; in the Computer Security class Dave Wagner and I taught at Berkeley in Fall '98, a couple of groups did just this. For a quite good paper describing the results, see
http://www.cs.berkeley.edu/~daw/classes/cs261/projects/final-reports/fredwong-davidwu.ps

- Ian
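
Added illustration, not part of the original posts and not AntiSniff's code: the third test in the quoted list reduces to comparing echo round-trip times measured on a quiet network with those measured during the flood. The thresholds, host labels and RTT samples below are constructed assumptions; the jittery host shows why a raw slowdown on its own is an unreliable signal.

```python
import statistics

def robust_spread(samples):
    """Median absolute deviation, scaled to approximate a standard deviation."""
    med = statistics.median(samples)
    mad = statistics.median(abs(x - med) for x in samples)
    return max(mad * 1.4826, 0.01)  # floor avoids dividing by zero on flat data

def latency_verdict(quiet_ms, flood_ms, min_ratio=3.0, min_sigmas=5.0):
    """Classify one host from echo RTTs taken before and during the flood.

    min_ratio and min_sigmas are assumed tuning values, not AntiSniff's.
    """
    quiet_med = statistics.median(quiet_ms)
    flood_med = statistics.median(flood_ms)
    ratio = flood_med / quiet_med
    # How large is the shift compared with the host's normal jitter?
    sigmas = (flood_med - quiet_med) / robust_spread(quiet_ms)
    if ratio >= min_ratio and sigmas >= min_sigmas:
        return "suspect"        # slow, and far outside its usual noise
    if ratio >= min_ratio or sigmas >= min_sigmas:
        return "inconclusive"   # one signal only: re-measure before acting
    return "normal"

# Constructed samples (milliseconds): (quiet RTTs, RTTs during the flood).
SAMPLES = {
    "filters-in-hardware": ([0.40, 0.42, 0.41, 0.39, 0.43],
                            [0.41, 0.44, 0.40, 0.42, 0.43]),
    "promiscuous":         ([0.40, 0.41, 0.39, 0.42, 0.40],
                            [2.9, 3.4, 3.1, 2.8, 3.6]),
    "busy-and-jittery":    ([0.5, 4.0, 0.6, 6.0, 1.2],
                            [2.0, 5.5, 1.0, 7.0, 4.1]),
}

def survey(samples=SAMPLES):
    """Return {host: verdict} for every host in the sample set."""
    return {host: latency_verdict(q, f) for host, (q, f) in samples.items()}

if __name__ == "__main__":
    for host, verdict in survey().items():
        print(f"{host:22s} {verdict}")
```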