Snort mailing list archives
Re: DSL
From: Rich Adamson <radamson () routers com>
Date: Tue, 7 Jan 2003 06:30:54 -0600
Is it a fact that you can only sniff the traffic on DSL that's directed only to you and you can't sniff any other traffic at all?
That depends 100% on how your telephone company and ISP configured their dsl offering. In most US cases, the telephone company provides the basic dsl pipe, and most of the layer 2 and/or 3 components are implemented by the ISP. There have been three popular implementations.

1. small telephone companies frequently use a relatively inexpensive dslam-like device that acts similar to a hub. The equipment allows one dsl subscriber to see and interact with some of the other dsl subscribers' systems. (Most of these devices appear almost like ethernet extenders with no layer 2 or 3 functionality to speak of.)

2. some ISPs implement their head-end equipment in bridging mode as it's the easiest configuration to use when you don't understand all the technical dsl details. Later they generally wish they would have used a true layer-3 approach, but it becomes too costly for them to revisit their dsl customers to switch to another implementation. The bridging approach will allow broadcasts and some other traffic to appear at a customer's location that has no business for going there (wastes bandwidth). Given the chatty nature of Microsoft systems, you will see some traffic from other dsl customer machines.

3. some ISPs implement true layer-3 at the head-end, reducing the amount of other dsl customer traffic seen at your location. That implementation generally requires a fair amount of understanding and planning prior to activating a dsl offering.

4. regardless of how the telephone company and ISP configure their equipment, the majority use dsl modems at the customer location that implement Network Address Translation (NAT). The NAT function provides a very basic firewall-like function that further reduces (and in many cases eliminates) any traffic from neighboring dsl users. Pure guess is that something greater than 90% of all dsl modems in use implement NAT in one form or another.
Since most people don't have access to the equipment necessary to sniff (or snort) the actual physical dsl circuit, whether adjacent dsl customer traffic appears on the wire is mostly irrelevant (except for the small amount of bandwidth consumed by this unproductive neighbor broadcast traffic, etc). If you sniff/snort the ethernet side of the dsl modem (as opposed to the physical dsl circuit) and see broadcasts, the implementation is probably either #1 or #2, above.

The telephone companies generally consider the dsl modem as "customer owned" equipment. Therefore, a fairly large percentage of dsl providers leave the dsl modem open to console, telnet, web and/or snmp access in one direction or the other. In some implementations, the modem is password protected, but the password is given to the customer since the box is considered customer owned.

If a hacker-type subscribes to dsl services, he can reconfigure the dsl modem in some cases to allow him to sniff/snort more of his neighboring dsl customer traffic than what would normally be seen. If the telephone company uses #1, above, the hacker would see most/all neighboring dsl traffic.

If security is a concern for a dsl customer (regardless of the above), then the customer should consider an on-site firewall-like device to reduce the possibility of neighbors rummaging through their mostly open PC systems, etc.
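Added example, not part of the original message: a check a subscriber could run over frames captured on the ethernet side of their own dsl modem, counting broadcast/multicast frames from sources other than their own hosts and the ISP gateway. The MAC addresses, the sample capture and the "any unknown broadcaster suggests #1 or #2" heuristic are assumptions made for illustration.

```python
import struct

def parse_eth(frame: bytes):
    """Split a raw Ethernet II frame into (dst, src, ethertype)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return struct.unpack("!6s6sH", frame[:14])

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def foreign_broadcasters(frames, known_macs):
    """Count broadcast/multicast frames per source MAC not in known_macs."""
    counts = {}
    for frame in frames:
        try:
            dst, src, _etype = parse_eth(frame)
        except ValueError:
            continue                      # skip runt frames
        if not dst[0] & 0x01:             # group bit clear: unicast
            continue
        source = mac(src)
        if source not in known_macs:
            counts[source] = counts.get(source, 0) + 1
    return counts

def looks_bridged(frames, known_macs) -> bool:
    """Assumed heuristic: any unknown broadcaster suggests case 1 or 2."""
    return bool(foreign_broadcasters(frames, known_macs))

def build(dst: str, src: str, etype: int) -> bytes:
    """Build a constructed test frame with a zero-filled payload."""
    raw = bytes.fromhex((dst + src).replace(":", ""))
    return raw + struct.pack("!H", etype) + bytes(46)

BCAST = "ff:ff:ff:ff:ff:ff"
PC, GATEWAY = "02:00:00:00:00:01", "02:00:00:00:00:fe"   # constructed
NEIGHBOR_A, NEIGHBOR_B = "02:00:00:00:aa:01", "02:00:00:00:aa:02"
SAMPLE = [                                  # constructed capture
    build(BCAST, PC, 0x0806),               # own ARP request
    build(BCAST, GATEWAY, 0x0806),          # ISP gateway ARP
    build(BCAST, NEIGHBOR_A, 0x0806),       # neighbor ARP
    build(BCAST, NEIGHBOR_A, 0x0800),       # neighbor IPv4 broadcast
    build("01:00:5e:00:00:fb", NEIGHBOR_B, 0x0800),  # neighbor multicast
    build(PC, GATEWAY, 0x0800),             # normal unicast
    b"\xff\xff",                            # runt frame
]

if __name__ == "__main__":
    print(foreign_broadcasters(SAMPLE, {PC, GATEWAY}))
```

An empty result on a real capture is consistent with #3 or with a NAT modem hiding the neighbors, so it does not by itself show how the head-end is configured.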