On Sun, 25 Jul 1999, Nick Lamb wrote:

> How does AntiSniff detect sniffing?
> http://www.l0pht.com/antisniff/tech-paper.html
[...]
> For "behaviour associated with sniffing" read:
>
> 1. IP stacks which behave differently (broken) when doing Promisc.
>  Your attacker could avoid (or Fix!) broken stacks
>
> 2. DNS lookups in response to an invalid packet with an invented IP addr
>  Sniffers can be modified to do DNS off-line, or ignore bizarre packets

Or use several easily imagined techniques to spoof DNS queries so that
they can't be traced back to the sniffer. This would still provide
evidence that _somebody_ is sniffing the net, although it wouldn't prove
who. Of course, the sniffer could just as easily not do any active DNS
queries, and still get loads of information by passively watching other
DNS requests.

> 3. Slowdown in echo replies of sniffing machine during invalid flood
>  This sounds unreliable, but I'll wait to see it in action
>
> NB Some network hardware will go promisc. to handle Multicast. This sucks
> but it happens, so AntiSniff users shouldn't be surprised if they see a
> red-light for method (1) above on old machines doing Multicast.

There may be a fairly new provoking factor: I expect a number of folks will
be using VMWare's "bridged network" mode, which lets the VM appear to live
on the host's ethernet segment. This seems to operate by throwing the
host's network card into multicast mode so that it can watch for input on
a second address. As Nick said, depending on the hardware and driver
implementation, this may or may not be equivalent to turning promisc mode
on.

--
Kenneth Albanowski ([EMAIL PROTECTED], CIS: 70705,126)
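The resolver-side half of method (2) above, the "invented IP address" check, as an added example that is not part of this thread or of AntiSniff: it assumes a constructed log format of `client PTR reverse-name` and a set of canary addresses that are only ever placed on the wire inside the probe packets.

```python
import re
from collections import defaultdict

# Constructed sample resolver log lines (not from the post). Each line is
# "<client_ip> PTR <reverse-name>", the way a simple query log might record them.
SAMPLE_LOG = """\
10.0.0.7 PTR 1.0.0.10.in-addr.arpa
10.0.0.9 PTR 200.113.0.203.in-addr.arpa
10.0.0.7 PTR 8.8.8.8.in-addr.arpa
10.0.0.23 PTR 200.113.0.203.in-addr.arpa.
10.0.0.9 PTR 5.0.0.10.in-addr.arpa
bogus line that does not parse
"""

# Canary address used in the probe packets (constructed; never a real host here).
CANARY_IPS = {"203.0.113.200"}

PTR_RE = re.compile(r"^(\S+)\s+PTR\s+(\d{1,3}(?:\.\d{1,3}){3})\.in-addr\.arpa\.?$")


def ptr_name_to_ip(name):
    """Turn '200.113.0.203.in-addr.arpa' back into '203.0.113.200'."""
    octets = name.rstrip(".").removesuffix(".in-addr.arpa").split(".")
    if len(octets) != 4:
        raise ValueError("not an IPv4 reverse name: %r" % name)
    return ".".join(reversed(octets))


def find_canary_lookups(log_text, canary_ips):
    """Map each client that reverse-resolved a canary address to the canaries it asked for.

    A hit means *somebody* on the segment saw the probe packet and resolved its
    address. As the reply notes, the querying client may be spoofed, and a sniffer
    that resolves offline or ignores odd packets never shows up here at all, so
    this is evidence of sniffing, not proof of who is doing it.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = PTR_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not PTR queries
        client, reverse_name = m.group(1), m.group(2) + ".in-addr.arpa"
        ip = ptr_name_to_ip(reverse_name)
        if ip in canary_ips:
            hits[client].add(ip)
    return {client: sorted(ips) for client, ips in hits.items()}


if __name__ == "__main__":
    for client, ips in find_canary_lookups(SAMPLE_LOG, CANARY_IPS).items():
        print("%s resolved canary address(es): %s" % (client, ", ".join(ips)))
```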
