Re: (How) Does AntiSniff do what is claimed?

[iang () CS BERKELEY EDU (Ian Goldberg)]

In article <Pine.LNX.4.10.9907242358330.24292-100000 () chef ecs soton ac uk>,
Nick Lamb  <njl98r () ECS SOTON AC UK> wrote:
> How does AntiSniff detect sniffing?
> http://www.l0pht.com/antisniff/tech-paper.html
>
> For those without the time needed to wade through L0pht's technical
> documentation, the short answer is:
>
> AntiSniff detects behaviour associated with packet sniffing, it does
> NOT detect the actual sniffing, which is of course a totally passive
> activity (at least on networks without switches)
>
> For "behaviour associated with sniffing" read:
>
> 1. IP stacks which behave differently (broken) when doing Promisc.
> Your attacker could avoid (or Fix!) broken stacks
>
> 2. DNS lookups in response to an invalid packet with an invented IP addr
> Sniffers can be modified to do DNS off-line, or ignore bizarre packets
>
> 3. Slowdown in echo replies of sniffing machine during invalid flood
> This sounds unreliable, but I'll wait to see it in action

Indeed; in the Computer Security class Dave Wagner and I taught at Berkeley
in Fall '98, a couple of groups did just this.  For a quite good paper
describing the results, see

http://www.cs.berkeley.edu/~daw/classes/cs261/projects/final-reports/fredwong-davidwu.ps

   - Ian