[11151] in bugtraq
Re: (How) Does AntiSniff do what is claimed?
daemon@ATHENA.MIT.EDU (Ian Goldberg)
Tue Jul 27 19:53:12 1999
Message-Id: <7nimdb$b5g$1@abraham.cs.berkeley.edu>
Date: Mon, 26 Jul 1999 22:10:51 GMT
Reply-To: Ian Goldberg <iang@CS.BERKELEY.EDU>
From: Ian Goldberg <iang@CS.BERKELEY.EDU>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In article <Pine.LNX.4.10.9907242358330.24292-100000@chef.ecs.soton.ac.uk>,
Nick Lamb <njl98r@ECS.SOTON.AC.UK> wrote:
>How does AntiSniff detect sniffing?
>http://www.l0pht.com/antisniff/tech-paper.html
>
>For those without the time needed to wade through L0pht's technical
>documentation, the short answer is:
>
>AntiSniff detects behaviour associated with packet sniffing; it does
>NOT detect the actual sniffing, which is of course a totally passive
>activity (at least on networks without switches).
>
>For "behaviour associated with sniffing" read:
>
>1. IP stacks which behave differently (broken) when doing Promisc.
> Your attacker could avoid (or Fix!) broken stacks
>
>2. DNS lookups in response to an invalid packet with an invented IP addr
> Sniffers can be modified to do DNS off-line, or ignore bizarre packets
>
>3. Slowdown in echo replies of sniffing machine during invalid flood
> This sounds unreliable, but I'll wait to see it in action
Indeed; in the Computer Security class Dave Wagner and I taught at Berkeley
in Fall '98, a couple of groups did just this.  For a quite good paper
describing the results, see
http://www.cs.berkeley.edu/~daw/classes/cs261/projects/final-reports/fredwong-davidwu.ps
   - Ian
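Two of the three heuristics Nick summarises (the reverse-DNS lookup of an invented bait address, and the echo-reply slowdown under an invalid-packet flood) reduced to offline detection logic, as an added illustration that is neither AntiSniff's code nor part of the original thread. The bait address, the DNS query-log format and the RTT samples are all constructed here; a real deployment would feed it live resolver logs and ping timings instead.

```python
# Added example (not AntiSniff's code): offline simulation of two sniffer-detection
# heuristics from the thread, run over constructed sample data only.
import statistics
from ipaddress import ip_address

# Constructed: an unused address that bait packets claimed to come from.
BAIT_IP = "10.77.77.77"


def ptr_name(ip):
    """Reverse-DNS name for an IPv4 address, e.g. 77.77.77.10.in-addr.arpa."""
    return ip_address(ip).reverse_pointer


def hosts_resolving_bait(dns_log, bait_ip=BAIT_IP):
    """Heuristic 2: a host that issues a PTR query for the bait address must have
    seen the bait packet, i.e. it is reading traffic not addressed to it.
    Log lines use the constructed form '<timestamp> <client> PTR <qname>'."""
    target = ptr_name(bait_ip)
    suspects = set()
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "PTR" and parts[3].rstrip(".") == target:
            suspects.add(parts[1])
    return suspects


def echo_slowdown(baseline_ms, flood_ms, factor=3.0):
    """Heuristic 3: flag a host whose median echo RTT during the invalid-packet
    flood exceeds `factor` times its idle baseline. Medians resist the odd
    outlier ping. Returns (flagged, ratio)."""
    base = statistics.median(baseline_ms)
    under = statistics.median(flood_ms)
    ratio = under / base if base > 0 else float("inf")
    return ratio > factor, ratio


# Constructed resolver log: only 192.0.2.23 looked up the bait address.
SAMPLE_DNS_LOG = """\
1999-07-26T22:10:01 192.0.2.10 A www.l0pht.com.
1999-07-26T22:10:02 192.0.2.23 PTR 77.77.77.10.in-addr.arpa.
1999-07-26T22:10:03 192.0.2.10 PTR 1.2.0.192.in-addr.arpa.
1999-07-26T22:10:04 192.0.2.23 A ftp.example.com.
"""

if __name__ == "__main__":
    print("DNS-bait suspects:", sorted(hosts_resolving_bait(SAMPLE_DNS_LOG)))
    print("echo slowdown:", echo_slowdown([1.0, 1.2, 1.1], [4.5, 5.0, 4.8]))
```

As Nick notes, both checks are evadable (offline DNS, a stack that copes with the flood), so a miss proves nothing; a hit is only a reason to go and look at the host.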