[66605] in North American Network Operators' Group


Re: sniffer/promisc detector

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Fri Jan 16 20:35:50 2004

From: "Steven M. Bellovin" <smb@research.att.com>
To: "Laurence F. Sheldon, Jr." <larrysheldon@cox.net>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Fri, 16 Jan 2004 16:49:57 CST."
             <40086A95.8D2DB487@cox.net> 
Date: Fri, 16 Jan 2004 20:35:16 -0500
Errors-To: owner-nanog-outgoing@merit.edu


In message <40086A95.8D2DB487@cox.net>, "Laurence F. Sheldon, Jr." writes:
>
>Gerald wrote:
>> 
>> Subject says it all. Someone asked the other day here for sniffers. Any
>> progress or suggestions for programs that detect cards in promisc mode or
>> sniffing traffic?
>
>I can't even imagine how one might do that.  Traditionally the only
>way to know that you have a mole is to encounter secrets that "had to"
>have been stolen.

There are a number of heuristics that *sometimes* work.  For example, 
some platforms (older Linux kernels, I think; not sure about current 
ones; definitely not BSD) will respond if a packet sent to their IP 
address but with a wrong Ethernet address is received.  That will only 
happen if they're in promiscuous mode.  (BSD checks that the packet is 
addressed to the proper MAC address or is broadcast/multicast.)  
Another is to emit a packet with a distinctive IP source address, 
under the assumption that the recipient might look up the host name via 
a boobytrapped DNS server.

In general, though, there's no way to tell.  My general advice is to 
assume that any network is tapped, and to use crypto even locally.  And 
no, switched networks won't protect you from certain kinds of sniffers, 
though you can detect anomalous ARP traffic.

		--Steve Bellovin, http://www.research.att.com/~smb
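Two of the checks Bellovin describes, written out as an added example (not part of the original thread, nor code from any tool it mentions): the destination-MAC filter a non-promiscuous NIC applies, which is why a probe sent to the host's IP under a MAC nobody owns is only ever seen by a promiscuous host, and a detector for anomalous ARP traffic on a switched segment. The function names, the documentation-range MACs and the sample frames are all constructed for this example.

```python
import struct
ETH_P_ARP = 0x0806                 # EtherType for ARP
BROADCAST = b"\xff" * 6
def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return bytes(int(o) for o in s.split("."))

def arp_frame(src_mac, dst_mac, op, sha, spa, tha, tpa):
    # Ethernet II header + ARP body (HTYPE=Ethernet, PTYPE=IPv4); op 1=request, 2=reply
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa

def parse_arp(frame):
    # -> (op, sender_mac, sender_ip, target_mac, target_ip), or None if not ARP
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETH_P_ARP):
        return None
    return (struct.unpack("!H", frame[20:22])[0],
            frame[22:28], frame[28:32], frame[32:38], frame[38:42])

def nic_would_accept(frame, own_mac):
    # Non-promiscuous filter as the post describes BSD: own MAC, broadcast, or multicast
    # (I/G bit). A probe sent to a MAC nobody owns fails it, so only a promiscuous host sees it.
    dst = frame[:6]
    return dst == own_mac or dst == BROADCAST or bool(dst[0] & 0x01)

def find_arp_anomalies(frames):
    # Flag replies nobody asked for and sender IPs whose MAC changes mid-capture,
    # the ARP pattern a cache-poisoning sniffer on a switched segment produces.
    ip_to_mac, pending, alerts = {}, set(), []
    for op, sha, spa, _tha, tpa in filter(None, map(parse_arp, frames)):
        if op == 1:                              # who-has tpa, tell spa
            pending.add((spa, tpa))
        elif op == 2 and (tpa, spa) in pending:  # the answer a request was waiting for
            pending.discard((tpa, spa))
        elif op == 2:                            # gratuitous or spoofed reply
            alerts.append(("unsolicited-reply", spa, sha))
        if ip_to_mac.setdefault(spa, sha) != sha:
            alerts.append(("mac-changed", spa, sha))
            ip_to_mac[spa] = sha
    return alerts

# Constructed sample capture (documentation MACs): a normal request/reply for 10.0.0.2,
# then a third host answering for 10.0.0.2 with its own MAC without being asked.
A, B, X = mac("00:00:5e:00:53:01"), mac("00:00:5e:00:53:02"), mac("00:00:5e:00:53:99")
SAMPLE_FRAMES = [
    arp_frame(A, BROADCAST, 1, A, ip("10.0.0.1"), b"\0" * 6, ip("10.0.0.2")),
    arp_frame(B, A, 2, B, ip("10.0.0.2"), A, ip("10.0.0.1")),
    arp_frame(X, A, 2, X, ip("10.0.0.2"), A, ip("10.0.0.1")),
]
```

On a real segment the detector would be fed frames from a capture rather than the constructed list; an unsolicited reply alone may be a legitimate gratuitous ARP, but one that also changes an established IP-to-MAC binding is the pattern worth alerting on.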
