[66612] in North American Network Operators' Group


Re: sniffer/promisc detector

daemon@ATHENA.MIT.EDU (Alexei Roudnev)
Sat Jan 17 05:32:04 2004

From: "Alexei Roudnev" <alex@relcom.net>
To: "Rubens Kuhl Jr." <rubens@email.com>, <nanog@merit.edu>
Date: Sat, 17 Jan 2004 02:31:06 -0800
Errors-To: owner-nanog-outgoing@merit.edu


The best anti-sniffer is a honeypot (it is a method, not a tool). Create so
much false information (and track its usage) that hackers will be caught
before they do something really wrong.

For those who do not know: look at the standard, cage-like mousetrap with a
piece of cheese inside. -:)

----- Original Message ----- 
From: "Rubens Kuhl Jr." <rubens@email.com>
To: <nanog@merit.edu>
Sent: Friday, January 16, 2004 3:18 PM
Subject: Re: sniffer/promisc detector


>
>
> That is a battle that was lost at its beginning: the Ethernet 802.1d
> paradigm of "don't know where to send the packet, send it to all ports,
> forget where to send packets every minute" is the weak point.
> There are some common mistakes that sniffing kits do, that can be used to
> detect them (I think antisniff implements them all), but a better approach
> is to make promisc mode of no gain unless the attacker compromises the
> switch also. In Cisco-world, the solution is called Private VLANs.
> Nortel/Bay used to have ports that could belong to more than one VLAN,
> probably every other switch vendor has its own non-IEEE 802 compliant way
> of making a switched network more secure.
>
>
> Rubens
>
>
> ----- Original Message ----- 
> From: "Gerald" <gcoon@inch.com>
> To: <nanog@merit.edu>
> Sent: Friday, January 16, 2004 8:35 PM
> Subject: sniffer/promisc detector
>
>
> >
> > Subject says it all. Someone asked the other day here for sniffers. Any
> > progress or suggestions for programs that detect cards in promisc mode
> > or sniffing traffic?
> >
> > Gerald
> >
>
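
The honeypot method from the reply at the top of this message (plant false information and track its usage), as an added example that is not part of the original thread: decoy accounts are planted where only someone capturing traffic could learn them, and any login attempt that names one is flagged. The account names, addresses and sshd-style log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Decoy accounts (constructed): they exist only as bait, e.g. sent in
# cleartext by a scripted login so that only a sniffer could learn them.
DECOYS = {"backup_ops", "svc_noc"}

# sshd-style auth lines; every value here is a constructed sample.
SAMPLE_LOG = """\
Jan 17 02:10:01 gw sshd[411]: Accepted password for alice from 192.0.2.10 port 50122 ssh2
Jan 17 02:14:37 gw sshd[420]: Failed password for backup_ops from 198.51.100.7 port 41810 ssh2
Jan 17 02:14:52 gw sshd[421]: Failed password for invalid user svc_noc from 198.51.100.7 port 41822 ssh2
Jan 17 02:20:05 gw sshd[430]: Failed password for bob from 192.0.2.44 port 50990 ssh2
Jan 17 03:01:19 gw sshd[502]: Accepted password for backup_ops from 203.0.113.9 port 33012 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def decoy_hits(log_text, decoys=DECOYS):
    """Return {source: [(timestamp, user, result), ...]} for decoy logins."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        # Real users never use a decoy name, so any match is a signal.
        if m and m["user"] in decoys:
            hits[m["src"]].append((m["ts"], m["user"], m["result"]))
    return dict(hits)

def report(hits):
    """One alert line per source; an accepted decoy login ranks highest."""
    lines = []
    for src, events in sorted(hits.items()):
        accepted = any(result == "Accepted" for _, _, result in events)
        severity = "CRITICAL" if accepted else "HIGH"
        users = ",".join(sorted({user for _, user, _ in events}))
        lines.append(
            f"{severity} {src} first={events[0][0]} decoys={users} n={len(events)}"
        )
    return lines

if __name__ == "__main__":
    print("\n".join(report(decoy_hits(SAMPLE_LOG))))
```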

