[WEB4LIB] Re: WEB4LIB digest 1709

Edward Wigg e-wigg at evanston.lib.il.us
Fri Jan 28 18:50:05 EST 2000


At 10:11 AM 1/26/2000 -0800, Mike Tibor <tibor at lib.uaa.alaska.edu> wrote:
[deletia]
>Packet sniffers are tough to detect because of their passive nature but
>there appear to be tools available.  One that popped on in a Google search
>on "detecting packet sniffers" is:
>
> http://www.l0pht.com/antisniff/
> ....

And at 10:23 AM 1/26/2000 -0800, Bob Rasmussen <ras at anzio.com> wrote:
>Packet sniffing is totally passive, as has been pointed out, so it can not be
>detected....

These statements appear somewhat contradictory so I was intrigued and went
to look at the l0pht web site. Whether on purpose or not, the information
about how it works is buried down a couple of levels, but look at
<http://www.l0pht.com/antisniff/tech-paper.html> for details. It seems to
boil down to using three basic tests for whether there is a packet sniffer
on your network:

1) OS specific tests: there are certain packets that are treated
differently by certain specific versions of some operating systems
depending on whether the NIC is in promiscuous mode, where it returns
specially configured packets that it shouldn't; good evidence that the
machine is sniffing.

2) DNS: most packet sniffers are configured to do reverse DNS lookups on IP
numbers -- requests for special bogus hosts can be used to detect the
packet sniffing software.

3) Latency tests: machines that are spending a lot of time sniffing network
traffic respond slower to certain requests than those whose NICs are
filtering packets not addressed to them in hardware.

#1 depends on the OS - there only seem to be tests for a small subset of
operating systems (they list: "older linux kernels," NetBSD, and Win
95/98/NT) -- it is not clear if the list is exhaustive, but it implies
there are many operating systems that cannot be detected.

#2 just implies that you should configure your sniffer not to do the
lookups :-)

#3 works best if you regularly scan machines on your network to give
baseline results and then look for changes in behavior.

In all, reasonable protection against packet sniffing by script kiddies,
and probable detection of the hijacking of one of your hosts as a sniffer.
However, much worse detection of knowledgeable or determined attacks and no
detection at all of someone sophisticated with physical access to the net (it
shouldn't be _too_ hard to hack a NIC so that it listens on its receive
pair and returns no packets on its send pair no matter what). The result:
a useful but not conclusive tool, and no contradiction :-)

Switched ports are your best bet, but replacing all shared ethernet for
switched ethernet would be expensive in a large institution even if
switches are very cheap nowadays, especially given that packet sniffers are
not the only source of security holes!

Edward
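The DNS test (#2) and the latency test (#3) described in the message above, as an added example that is not part of the original post and not AntiSniff's own code. It runs offline on constructed data: the DNS log lines imitate a BIND-style query log (assumed format), the decoy addresses 10.0.0.250/251 are assumed to be unused on the local segment, and the baseline and current round-trip samples are invented. The idea is the defender's: send frames to addresses nobody legitimately talks to, then watch the resolver log for hosts that try to reverse-resolve them; separately, compare each host's response times against an earlier baseline and flag large slowdowns.

```python
"""Offline demonstration of two AntiSniff-style checks on constructed data."""
import re
import statistics

# Assumed: addresses on the local net that no real host uses, so a PTR query
# for them can only come from something that saw the decoy traffic.
DECOY_IPS = {"10.0.0.250", "10.0.0.251"}

# Constructed resolver log lines in a BIND-like "queries" format (not real logs).
DNS_LOG = """\
26-Jan-2000 10:15:01 queries: client 192.168.1.20#1025: query: www.example.com IN A
26-Jan-2000 10:15:03 queries: client 192.168.1.77#1031: query: 250.0.0.10.in-addr.arpa IN PTR
26-Jan-2000 10:15:04 queries: client 192.168.1.20#1026: query: mail.example.com IN MX
26-Jan-2000 10:15:09 queries: client 192.168.1.77#1032: query: 251.0.0.10.in-addr.arpa IN PTR
26-Jan-2000 10:15:11 queries: client 192.168.1.5#2000: query: 20.1.168.192.in-addr.arpa IN PTR
"""

PTR_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN PTR")


def ptr_name_to_ip(name):
    """Turn '250.0.0.10.in-addr.arpa' back into '10.0.0.250'; None if not IPv4 PTR."""
    labels = name.rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:4]))


def decoy_lookups(log_text, decoys=DECOY_IPS):
    """Map each client IP to the sorted list of decoy addresses it tried to reverse-resolve."""
    hits = {}
    for line in log_text.splitlines():
        m = PTR_RE.search(line)
        if not m:
            continue
        ip = ptr_name_to_ip(m["name"])
        if ip in decoys:
            hits.setdefault(m["client"], set()).add(ip)
    return {client: sorted(ips) for client, ips in hits.items()}


# Constructed ICMP echo round-trip samples in milliseconds, per host.
BASELINE_MS = {
    "192.168.1.20": [1.1, 1.2, 1.0, 1.1],
    "192.168.1.77": [1.3, 1.2, 1.4, 1.3],
    "192.168.1.5": [0.9, 1.0, 0.9],
}
CURRENT_MS = {
    "192.168.1.20": [1.2, 1.1, 1.2],
    "192.168.1.77": [4.8, 5.1, 4.9],  # host now answering far slower than its baseline
    "192.168.1.5": [1.0, 0.9, 1.1],
}


def latency_outliers(baseline, current, factor=2.0):
    """Flag hosts whose current median RTT is at least `factor` times their baseline median.

    Medians rather than means so a single dropped or delayed probe does not
    dominate; hosts without a baseline are skipped rather than guessed at.
    """
    flagged = {}
    for host, samples in current.items():
        base = baseline.get(host)
        if not base or not samples:
            continue
        ratio = statistics.median(samples) / statistics.median(base)
        if ratio >= factor:
            flagged[host] = round(ratio, 2)
    return flagged


def suspects(log_text=DNS_LOG, baseline=BASELINE_MS, current=CURRENT_MS):
    """Combine both checks into {host: [reasons]} so each signal stays visible."""
    reasons = {}
    for host, ips in decoy_lookups(log_text).items():
        reasons.setdefault(host, []).append("reverse-resolved decoy %s" % ", ".join(ips))
    for host, ratio in latency_outliers(baseline, current).items():
        reasons.setdefault(host, []).append("RTT %.2fx baseline" % ratio)
    return reasons


if __name__ == "__main__":
    for host, why in suspects().items():
        print(host, "->", "; ".join(why))
```

Two caveats follow directly from the post: a sniffer with reverse lookups switched off never shows up in the first check, and a slow host is not necessarily a sniffing host, so a latency hit is a reason to look, not a verdict. The two signals together on the same host are much more interesting than either alone.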
