nanog mailing list archives
Re: sniffer/promisc detector
From: "Alexei Roudnev" <alex () relcom net>
Date: Sat, 17 Jan 2004 15:34:53 -0800
Sorry, but this _honeypot etc_ is _the only_ reliable defence. And, when I mean honey pot, I do not mean _install ols linux with qpopper and wait_. I mean that, if trhere is concern about sniffering a network (which is a little strange, because it is not much use in sniffering switched network_, this means concern about leaking information. Usually, you do not get much from sniffering - you can not sniff SSL, can not sniff Win2K rdesktop, can not sniff 'ssh'. But you can sniff, for example, keyboard input (and the only protecting agaist such things is SecireID etc), can try to get some passwords and so on. So, having frauded account, even frauded computer, exposing this account into the network, and tracking any attempt to use it is a very effective line of defense. I told already - _do not trust to the smart books about security too much_, they misinterpret many things. For example, they treat _non standard port assigments_ as a very ineffective, while in real life such simple (0 cost) thing decrease a chance of breakage 10 - 1000 times (we investigated 3 month logs and found, that no one in the whole Internet scans wide range of ports, and no one in real life uses tools, reporting _real_ protocols, because they are dramatically slow and so useless). The same here - having frauded, 'labeled', information is a very effective 'complimentary' defense - it let you know, when thing got really wrong, when you have not other indications. And it have 0% of false positives (if this account is never used and someone opened it, he is 100% a hacker or intruder. No any other methods provides you 0 false positives). PS. Even if you are listening to MAC broadcasts, you got much more than you expect. In one poiint, we found , that we had all traffic to one of the servers 'broadcasted', reason was complicated - ARP timeout longer than CAM timeout + nonsimmetrical traffic . You have not any method to detect a passive sniffer (except a few tricks, which can work with particular OS but do not work with other systems), have not a good method to detect keyboard sniffer. So, if you are very serious about security, you must use active defence. ----- Original Message ----- From: <haesu () towardex com> To: "Alexei Roudnev" <alex () relcom net> Cc: "Rubens Kuhl Jr." <rubens () email com>; <nanog () merit edu> Sent: Saturday, January 17, 2004 9:55 AM Subject: Re: sniffer/promisc detector
I think I'll pass this onto zen of Rob T. :) i think he said something along the lines of "security industry is here
for my
amusement" in the last nanog. so yea.. let's install bunch of honeypots and hope all those "stupid"
"hackers"
will get caught like the mouse. by the time you think your enemy is less capable than you, you've already
lost
the war. -J On Sat, Jan 17, 2004 at 02:31:06AM -0800, Alexei Roudnev wrote:The best anty-sniffer is HoneyPot (it is a method, not a tool). Create
so
many false information (and track it's usage) that hackers will be
catched
before they do something really wrong. Who do not know - look onto the standard, cage like, mouse - trap with a piece of cheese inside. -:) ----- Original Message ----- From: "Rubens Kuhl Jr." <rubens () email com> To: <nanog () merit edu> Sent: Friday, January 16, 2004 3:18 PM Subject: Re: sniffer/promisc detectorThat is a battle that was lost at its beginning: the Ethernet 802.1d paradigm of "don't know where to send the packet, send it to all
ports,
forget where to send packets every minute" is the weak point. There are some common mistakes that sniffing kits do, that can be used
to
detect them (I think antisniff implements them all), but a better
approach
is to make to promisc mode of no gain unless the attacker compromises
the
switch also. In Cisco-world, the solution is called Private VLANs. Nortel/Bay used to have ports that could belong to more than one VLAN, probably every other swith vendor has its own non-IEEE 802 compliant
way
ofmaking a switched network more secure. Rubens ----- Original Message ----- From: "Gerald" <gcoon () inch com> To: <nanog () merit edu> Sent: Friday, January 16, 2004 8:35 PM Subject: sniffer/promisc detectorSubject says it all. Someone asked the other day here for sniffers.
Any
progress or suggestions for programs that detect cards in promisc
mode
orsniffing traffic? Gerald-- James Jun (formerly Haesu) TowardEX Technologies, Inc. 1740 Massachusetts Ave. Boxborough, MA 01719 Consulting, IPv4 & IPv6 colocation, web hosting, network design &
implementation
http://www.towardex.com | james () towardex com Cell: (978)394-2867 | Office: (978)263-3399 Ext. 170 Fax: (978)263-0033 | AIM: GigabitEthernet0 NOC: http://www.twdx.net | POC: HAESU-ARIN, HDJ1-6BONE
Current thread:
- Re: sniffer/promisc detector, (continued)
- Re: sniffer/promisc detector Gerald (Jan 19)
- Re: sniffer/promisc detector Scott McGrath (Jan 19)
- Re: sniffer/promisc detector Gerald (Jan 19)
- Re: sniffer/promisc detector Gerald (Jan 16)
- Re: sniffer/promisc detector Chris Brenton (Jan 16)
- RE: sniffer/promisc detector Wojtek Zlobicki (Jan 16)
- Re: sniffer/promisc detector Rubens Kuhl Jr. (Jan 16)
- Re: sniffer/promisc detector Alexei Roudnev (Jan 17)
- Re: sniffer/promisc detector haesu (Jan 17)
- Re: sniffer/promisc detector Valdis . Kletnieks (Jan 17)
- Re: sniffer/promisc detector Alexei Roudnev (Jan 17)
- Re: sniffer/promisc detector Vadim Antonov (Jan 19)
- Re: sniffer/promisc detector Paul Vixie (Jan 19)
- Re: sniffer/promisc detector Alexei Roudnev (Jan 19)
- Re: sniffer/promisc detector Brett Watson (Jan 19)
- Re: sniffer/promisc detector Valdis . Kletnieks (Jan 19)
- Re: sniffer/promisc detector Alexei Roudnev (Jan 20)
- Re: sniffer/promisc detector Dave Israel (Jan 20)
- Re: sniffer/promisc detector Niels Bakker (Jan 20)
- Re: sniffer/promisc detector Alexei Roudnev (Jan 21)
- Re: sniffer/promisc detector Steven M. Bellovin (Jan 20)
- Re: sniffer/promisc detector Alexei Roudnev (Jan 17)