[66601] in North American Network Operators' Group
Re: sniffer/promisc detector
daemon@ATHENA.MIT.EDU (Rubens Kuhl Jr.)
Fri Jan 16 18:23:10 2004
Reply-To: "Rubens Kuhl Jr." <rubens@email.com>
From: "Rubens Kuhl Jr." <rubens@email.com>
To: <nanog@merit.edu>
Date: Fri, 16 Jan 2004 21:18:37 -0200
Errors-To: owner-nanog-outgoing@merit.edu
That is a battle that was lost at its beginning: the Ethernet 802.1d
paradigm of "don't know where to send the packet, send it to all ports,
forget where to send packets every minute" is the weak point.

There are some common mistakes that sniffing kits make, which can be used to
detect them (I think antisniff implements them all), but a better approach
is to make promisc mode of no gain unless the attacker compromises the
switch also. In Cisco-world, the solution is called Private VLANs.
Nortel/Bay used to have ports that could belong to more than one VLAN, and
probably every other switch vendor has its own non-IEEE 802 compliant way of
making a switched network more secure.
Rubens
----- Original Message -----
From: "Gerald" <gcoon@inch.com>
To: <nanog@merit.edu>
Sent: Friday, January 16, 2004 8:35 PM
Subject: sniffer/promisc detector
>
> Subject says it all. Someone asked the other day here for sniffers. Any
> progress or suggestions for programs that detect cards in promisc mode or
> sniffing traffic?
>
> Gerald
>
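The two mechanisms Rubens names above, unknown-unicast flooding with MAC-table aging on a plain 802.1d learning switch, and isolated ports in the style of Cisco Private VLANs, are easy to see in a small model. The following is an added example written for this archive page, not code from the thread or from any vendor: a toy learning switch with a configurable aging timer, an optional set of isolated ports, and one promiscuous (uplink/router) port. The port names, MAC addresses, and the 60-second aging figure are constructed to match the post's description; Cisco's actual default aging time is 300 seconds.

```python
"""Toy 802.1d learning switch with optional PVLAN-style isolated ports.

Added example (not from the NANOG thread). Shows why a third host on a
flat switched segment still sees some of A<->B's unicast frames (flooding
on unknown destinations, repeated after the MAC table ages out) and why
isolated ports leave a promiscuous NIC with nothing useful to capture.
All hosts, MACs, and timings are constructed for illustration.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    note: str  # human-readable label for the step


class LearningSwitch:
    def __init__(self, ports, aging=60, isolated=(), promiscuous_port=None):
        self.ports = list(ports)
        self.aging = aging                    # seconds before a learned MAC is forgotten
        self.table = {}                       # mac -> (port, last_seen)
        self.isolated = set(isolated)         # PVLAN-style isolated host ports
        self.uplink = promiscuous_port        # PVLAN-style promiscuous port

    def _expire(self, now):
        """Drop MAC entries older than the aging timer (the 'forget' step)."""
        for mac, (_port, seen) in list(self.table.items()):
            if now - seen >= self.aging:
                del self.table[mac]

    def _allowed(self, ingress, egress):
        """Isolated ports may exchange frames only with the promiscuous port."""
        if ingress == egress:
            return False
        if ingress in self.isolated and egress != self.uplink:
            return False
        if egress in self.isolated and ingress != self.uplink:
            return False
        return True

    def forward(self, ingress, frame, now):
        """Return the set of ports the frame is delivered to."""
        self._expire(now)
        self.table[frame.src] = (ingress, now)   # learn source -> port
        entry = self.table.get(frame.dst)
        if entry is None or frame.dst == BROADCAST:
            candidates = [p for p in self.ports if p != ingress]  # flood
        else:
            candidates = [entry[0]]
        return {p for p in candidates if self._allowed(ingress, p)}


SNIFFER_PORT = "p3"   # constructed: third host whose NIC is in promiscuous mode


def run_scenario(isolate, aging=60):
    """Replay a short A<->B conversation; return (note, delivered_ports) per step."""
    ports = ["p1", "p2", "p3", "p24"]
    sw = LearningSwitch(
        ports, aging=aging,
        isolated={"p1", "p2", "p3"} if isolate else (),
        promiscuous_port="p24" if isolate else None,
    )
    A, B, R = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:fe"
    steps = [
        (0,         "p1",  Frame(A, B, "A->B, B not yet learned")),
        (1,         "p2",  Frame(B, A, "B->A, A already learned")),
        (2,         "p1",  Frame(A, B, "A->B, both learned")),
        (3,         "p24", Frame(R, A, "router->A via the promiscuous port")),
        (2 + aging, "p1",  Frame(A, B, "A->B after the table aged out")),
    ]
    return [(f.note, sw.forward(port, f, t)) for t, port, f in steps]


def frames_seen_by_sniffer(isolate):
    """How many A<->B/router frames reach the promiscuous host's port."""
    return sum(1 for _, ports in run_scenario(isolate) if SNIFFER_PORT in ports)


if __name__ == "__main__":
    for isolate in (False, True):
        print("isolated ports:", isolate)
        for note, ports in run_scenario(isolate):
            print(f"  {note:40s} -> {sorted(ports)}")
        print("  frames seen by sniffer:", frames_seen_by_sniffer(isolate))
```

On the flat segment the sniffer port receives the first frame (destination not yet learned) and the frame sent after the table aged out, but nothing in between; with isolated ports it receives none, while the router on the promiscuous port still reaches every host. The model also makes the cost of the mitigation visible: isolated hosts can no longer talk to each other directly, which is exactly the trade-off a Private VLAN deployment accepts.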