[11129] in bugtraq
Antisniff thoughts
daemon@ATHENA.MIT.EDU (*Hobbit*)
Mon Jul 26 19:21:25 1999
Message-Id:  <199907260200.WAA00812@narq.avian.org>
Date:         Sun, 25 Jul 1999 22:00:01 -0400
Reply-To: *Hobbit* <hobbit@AVIAN.ORG>
From: *Hobbit* <hobbit@AVIAN.ORG>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

1. For a completely passive box, we set the interface to some bogus IP addr,
or 0.0.0.0 if that works, ifconfig -arp, and hoover away.  Antisniff would
never see the machine because the machine would never answer anything unless
someone could guess the IP address.  Drawback: hard to retrieve logs remotely.
Workaround: one interface as a normal address on a normal reachable net, and a
second interface configured as above sniffing a *different* net.  Useful
setup for remotely-administerable IDS boxes; real address lives on a protected
inside net, sniffing interface plugs in to watch the dirty one but is not
addressable.

Workaround for a single interface:  As the sniffer starts, reset the interface
to bogus-IP/noarp, sniff for a while, quit sniffing, reset to the old
parameters.  Or perhaps dynamically flop modes back and forth depending on
whether we saw traffic for the machine's real address arrive.  A sniffer with
an open nit/dlpi/bpf should be able to go *non*promiscuous and still see if
there's traffic to its own host, and lay low accordingly.

2. Antisniff evasion possibility: enhancement to detect the first couple of
Antisniff probes, and immediately un-promiscuize the card for a while until
we think it's safe to peek out again.  Possibly in a dynamic mode; see #1.

Just a coupla ideas to kick around..

_H*
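The unaddressable IDS capture interface from point 1, as an added example that is not part of Hobbit's post: a small POSIX shell script for a Linux sensor that puts a dedicated interface into the no-address / no-ARP / promiscuous state and then verifies it from sysfs. It assumes Linux with iproute2; the interface name, the function names and the sysfs flag check are my own assumptions, not anything from the original.

```shell
#!/bin/sh
# Added example, not from the original post: configure a dedicated capture
# interface for an IDS sensor the way point 1 describes (no address, ARP off,
# promiscuous), and verify the kernel actually applied it.
# Assumes Linux with iproute2; "eth1" below is a placeholder interface name.

# Linux IFF_* bits as exposed in /sys/class/net/<dev>/flags (hex).
IFF_UP=0x1
IFF_NOARP=0x80
IFF_PROMISC=0x100

# Return 0 when a flags value has UP, NOARP and PROMISC all set, 1 otherwise.
# Pure function: it takes the flags value as an argument so it can be checked
# without touching a real interface.
stealth_flags_ok() {
    flags=$(( $1 ))
    [ $(( flags & IFF_UP )) -ne 0 ] &&
    [ $(( flags & IFF_NOARP )) -ne 0 ] &&
    [ $(( flags & IFF_PROMISC )) -ne 0 ]
}

# Put a capture interface into the passive state: strip every address so the
# host never answers on this wire, disable ARP so it never announces itself,
# enable promiscuous mode for the sniffer, then confirm via sysfs.
stealth_iface_up() {
    dev="$1"
    ip addr flush dev "$dev"
    ip link set dev "$dev" arp off promisc on up
    stealth_flags_ok "$(cat "/sys/class/net/$dev/flags")"
}

# Undo it (the single-interface "reset to the old parameters" case).
stealth_iface_down() {
    dev="$1"
    ip link set dev "$dev" promisc off arp on
}

# Usage (requires root): ./stealth-iface.sh eth1
if [ "$#" -eq 1 ]; then
    stealth_iface_up "$1" && echo "$1: passive capture interface ready" \
        || { echo "$1: flags check failed" >&2; exit 1; }
fi
```

The management address belongs on a separate interface, as the post suggests; the capture interface configured here has none to answer on.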