sniffer/promisc detector

Alexei Roudnev alex at relcom.net
Sat Jan 17 23:34:53 UTC 2004


Sorry, but this _honeypot etc_ is _the only_ reliable defence. And, when I
say honey pot, I do not mean _install old linux with qpopper and wait_. I
mean that, if there is concern about sniffing a network (which is a
little strange, because it is not much use in sniffing a switched network),
this means concern about leaking information.

Usually, you do not get much from sniffing - you can not sniff SSL, can
not sniff Win2K rdesktop, can not sniff 'ssh'. But you can sniff, for
example, keyboard input (and the only protection against such things is
SecurID etc), can try to get some passwords and so on. So, having a fake
account, even a fake computer, exposing this account into the network, and
tracking any attempt to use it
is a very effective line of defense.

I told you already - _do not trust the smart books about security too much_,
they misinterpret many things. For example, they treat _non standard port
assignments_ as very ineffective, while in real life such a simple (0 cost)
thing decreases the chance of breakage 10 - 1000 times (we investigated 3 months
of logs and found that no one in the whole Internet scans a wide range of ports,
and no one in real life uses tools reporting _real_ protocols, because they
are dramatically slow and so useless). The same here - having fake,
'labeled', information is a very effective 'complementary' defense - it lets
you know when things got really wrong, when you have no other indications.
And it has 0% false positives (if this account is never used and someone
opened it, he is 100% a hacker or intruder. No other method provides
you 0 false positives).

PS. Even if you are listening to MAC broadcasts, you get much more than you
expect. At one point, we found that we had all traffic to one of the
servers 'broadcasted'; the reason was complicated - ARP timeout longer than CAM
timeout + nonsymmetrical traffic. You have no method to detect a
passive sniffer (except a few tricks, which can work with a particular OS but
do not work with other systems), and no good method to detect a keyboard
sniffer. So, if you are very serious about security, you must use active
defence.

----- Original Message ----- 
From: <haesu at towardex.com>
To: "Alexei Roudnev" <alex at relcom.net>
Cc: "Rubens Kuhl Jr." <rubens at email.com>; <nanog at merit.edu>
Sent: Saturday, January 17, 2004 9:55 AM
Subject: Re: sniffer/promisc detector


> I think I'll pass this onto zen of Rob T. :)
>
> i think he said something along the lines of "security industry is here
> for my amusement" in the last nanog.
>
> so yea.. let's install bunch of honeypots and hope all those "stupid"
> "hackers" will get caught like the mouse.
>
> by the time you think your enemy is less capable than you, you've already
> lost the war.
>
> -J
>
> On Sat, Jan 17, 2004 at 02:31:06AM -0800, Alexei Roudnev wrote:
> >
> > The best anti-sniffer is HoneyPot (it is a method, not a tool). Create
> > so much false information (and track its usage) that hackers will be
> > caught before they do something really wrong.
> >
> > Who does not know - look at the standard, cage-like mouse trap with a
> > piece of cheese inside. -:)
> >
> > ----- Original Message ----- 
> > From: "Rubens Kuhl Jr." <rubens at email.com>
> > To: <nanog at merit.edu>
> > Sent: Friday, January 16, 2004 3:18 PM
> > Subject: Re: sniffer/promisc detector
> >
> >
> > >
> > >
> > > That is a battle that was lost at its beginning: the Ethernet 802.1d
> > > paradigm of "don't know where to send the packet, send it to all ports,
> > > forget where to send packets every minute" is the weak point.
> > > There are some common mistakes that sniffing kits make, that can be used
> > > to detect them (I think antisniff implements them all), but a better
> > > approach is to make promisc mode of no gain unless the attacker compromises
> > > the switch also. In Cisco-world, the solution is called Private VLANs.
> > > Nortel/Bay used to have ports that could belong to more than one VLAN;
> > > probably every other switch vendor has its own non-IEEE 802 compliant way
> > > of making a switched network more secure.
> > >
> > >
> > > Rubens
> > >
> > >
> > > ----- Original Message ----- 
> > > From: "Gerald" <gcoon at inch.com>
> > > To: <nanog at merit.edu>
> > > Sent: Friday, January 16, 2004 8:35 PM
> > > Subject: sniffer/promisc detector
> > >
> > >
> > > >
> > > > Subject says it all. Someone asked the other day here for sniffers. Any
> > > > progress or suggestions for programs that detect cards in promisc mode
> > > > or sniffing traffic?
> > > >
> > > > Gerald
> > > >
> > >
>
> -- 
> James Jun (formerly Haesu)
> TowardEX Technologies, Inc.
> 1740 Massachusetts Ave.
> Boxborough, MA 01719
> Consulting, IPv4 & IPv6 colocation, web hosting, network design &
> implementation
> http://www.towardex.com  | james at towardex.com
> Cell: (978)394-2867      | Office: (978)263-3399 Ext. 170
> Fax: (978)263-0033       | AIM: GigabitEthernet0
> NOC: http://www.twdx.net | POC: HAESU-ARIN, HDJ1-6BONE
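The decoy-account tracking described in the message above (an account that is never legitimately used, so any touch of it is an alert), as an added example that is not code from this thread or from any of its authors. It assumes OpenSSH-style sshd syslog lines; the decoy account names and the log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Decoy ("labeled") accounts that exist only to be watched. Nobody uses them,
# so every authentication event naming one is worth an alert, successful or
# not (a failed attempt still means someone learned the name). Names are
# constructed for this example.
DECOY_ACCOUNTS = {"backup-ops", "svc_legacy", "jsmith-old"}

# Constructed sshd/syslog sample, not captured from any real host.
SAMPLE_LOG = """\
Jan 17 23:01:12 host1 sshd[4211]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Jan 17 23:02:40 host1 sshd[4230]: Failed password for bob from 10.0.0.9 port 51100 ssh2
Jan 17 23:03:03 host1 sshd[4244]: Failed password for svc_legacy from 203.0.113.7 port 40022 ssh2
Jan 17 23:03:05 host1 sshd[4244]: Accepted password for svc_legacy from 203.0.113.7 port 40022 ssh2
Jan 17 23:04:11 host1 sshd[4260]: Failed password for invalid user backup-ops from 198.51.100.3 port 3322 ssh2
Jan 17 23:05:00 host1 sshd[4271]: Accepted publickey for carol from 10.0.0.6 port 51300 ssh2
"""

# Matches the "Accepted <method> for <user> from <src>" and
# "Failed <method> for [invalid user] <user> from <src>" forms of sshd logs.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s\S+\sfor\s(?:invalid user\s)?(?P<user>\S+)"
    r"\sfrom\s(?P<src>\S+)"
)


@dataclass(frozen=True)
class DecoyHit:
    ts: str
    host: str
    user: str
    src: str
    result: str


def parse_auth_line(line):
    """Return the fields of one sshd auth line, or None for non-auth lines."""
    m = AUTH_RE.match(line)
    return m.groupdict() if m else None


def find_decoy_hits(log_text, decoys=DECOY_ACCOUNTS):
    """Every auth event that names a decoy account, in log order."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if ev and ev["user"] in decoys:
            hits.append(DecoyHit(ev["ts"], ev["host"], ev["user"], ev["src"], ev["result"]))
    return hits


def summarize_by_source(hits):
    """Map each source address to the set of decoy accounts it touched."""
    by_src = {}
    for h in hits:
        by_src.setdefault(h.src, set()).add(h.user)
    return by_src


if __name__ == "__main__":
    hits = find_decoy_hits(SAMPLE_LOG)
    for h in hits:
        print(f"ALERT {h.ts} {h.host}: {h.result} login for decoy '{h.user}' from {h.src}")
    for src, users in summarize_by_source(hits).items():
        print(f"  source {src} touched decoys: {sorted(users)}")
```

Run against the constructed sample it raises alerts only for the two decoy names seen (one source that first failed and then succeeded against svc_legacy, one that probed backup-ops), and stays silent for the real users; the point of the decoy is exactly that there is no legitimate traffic to filter out.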