Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: (How) Does AntiSniff do what is claimed?
From: iang () CS BERKELEY EDU (Ian Goldberg)
Date: Mon, 26 Jul 1999 22:10:51 GMT


In article <Pine.LNX.4.10.9907242358330.24292-100000 () chef ecs soton ac uk>,
Nick Lamb  <njl98r () ECS SOTON AC UK> wrote:
How does AntiSniff detect sniffing?
http://www.l0pht.com/antisniff/tech-paper.html

For those without the time needed to wade through L0pht's technical
documentation, the short answer is:

AntiSniff detects behaviour associated with packet sniffing, it does
NOT detect the actual sniffing, which is of course a totally passive
activity (at least on networks without switches)

For "behaviour associated with sniffing" read:

1. IP stacks which behave differently (broken) when doing Promisc.
Your attacker could avoid (or Fix!) broken stacks

2. DNS lookups in response to an invalid packet with an invented IP addr
Sniffers can be modified to do DNS off-line, or ignore bizarre packets

3. Slowdown in echo replies of sniffing machine during invalid flood
This sounds unreliable, but I'll wait to see it in action

Indeed; in the Computer Security class Dave Wagner and I taught at Berkeley
in Fall '98, a couple of groups did just this.  For a quite good paper
describing the results, see

http://www.cs.berkeley.edu/~daw/classes/cs261/projects/final-reports/fredwong-davidwu.ps

   - Ian


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]