Mario, 

You can do a few things that help determine if someone is sniffing your network 
traffic by fighting technology with greater technology. 

Detect if someone is using a promiscuous mode interface.

Detect someone using information from a sniff.

Install a checker on the systems to determine which system's interfaces are sniffing 
aka agent based.

Enable MAC address monitoring and access control on switches


There are plenty of good tools for detecting this type of activity from network, to 
system level


Antisniff is one of those tools 


http://www.securitysoftwaretech.com/antisniff/


The Goal and Purpose of AntiSniff

As with all tools there is no "one size fits all". The industry clamors for the 
silver bullet tool. A tool that comes directly off the shelf, needs no configuration 
or modifications, has one hundred percent accuracy, and is completely foolproof. Such 
a tool does not exist in the security world. 

AntiSniff raises the bar. It is, in lieu of better terminology, the start of an 
arms-race. Previously there existed no commercial tool to do what AntiSniff does. It 
has been run in large scale organizations with great results and accuracy. So what 
does it do and what does it not do? 


The goal:


Detect machines on an Ethernet/IP network segment that are promiscuously monitoring 
traffic not destined to them. The first release is designed to work on flat 
non-switched environments. 


The reason:


When an intruder obtains elevated privileges on a remote system a few things can 
usually be expected. The machine is placed in promiscuous mode to monitor traffic on 
the network. This oftentimes rewards the intruder with usernames, accounts, 
passwords, community strings, e-mail, and usage statistics to name just a few. Knowing 
which machines on the network are in promiscuous mode often points to machines that 
are already compromised. Once a machine is compromised it is not uncommon for the 
holes that were exploited to be fixed and backdoors to be installed allowing future 
remote access. A machine in this state might very well pass network security scanning 
software checks with flying colors. A tool was needed to detect this situation. 


What it will not detect:


If a machine on the network has no IP address, no IP stack associated with any of its 
interfaces, or has no ability to be communicated with over the network then AntiSniff 
will not detect it. 

This is perfectly acceptable, as such a machine would not be compromised over the 
network in the first place. If the machine were compromised over the network and the 
network interface was removed this should be noticeable many other ways (i.e. shouts 
down the hallway of "hey Joe! The R&D server stopped working!" are a dead giveaway to 
a problem of some sort). If the device in question is a physical machine that must be 
monitored or controlled in person, such as a dedicated hardware sniffer, then physical 
access to the network in question has been obtained. This is a completely different 
problem. In addition, such physical network tap devices are usually quite good at 
monitoring for runt frames, duplicate IP addresses, etc. but are usually quite poor at 
correlating data inside the packets for malicious purposes. 

There will be other situations that arise with similar nuances. However, these will be 
the minority and often legitimate systems as opposed to compromised multi-user 
machines. 


The Arms Race:


Can AntiSniff be defeated? Yes - anything can be defeated. Does this matter? Not 
nearly as much as one might think. Currently, the methods of evading AntiSniff deal 
with either making an interface non-addressable or adding in logic to the promiscuous 
network monitoring program to stop monitoring the network when it sees telltale signs 
of AntiSniff running. 

The former is not an issue, the reasoning already having been discussed above. The 
latter, while a fun exercise, is less of an issue than one might expect. First, if the 
monitoring agent turns itself off when it believes AntiSniff to be running then it 
defeats, or severely impacts, the purpose of it being on the system in the first 
place. Second, the signature of AntiSniff can be modified by the user. With modifiable 
signatures the task of determining what is and what is not AntiSniff running on the 
network should be much less accurate. 

It is not our goal to fix the security posture of the world with a single product. 
Merely to improve the current status and sufficiently raise the bar that attacks and 
intrusions are measured against. 

-----Original Message----- 
From: Mario Camara [mailto:[EMAIL PROTECTED]] 
Sent: Tue 1/8/2002 9:13 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: How can I detect someone sniffing my network?

Can someone help me with that?


Mário Câmara
[EMAIL PROTECTED]
[EMAIL PROTECTED]
ICQ: 331 335
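One way to build the host-side ("agent based") checker mentioned at the top of the reply, as an added example that is not from this thread and is not AntiSniff's code: on Linux the kernel exposes each interface's flags in /sys/class/net/<iface>/flags (IFF_PROMISC is bit 0x100, from <linux/if.h>) and logs "device <iface> entered/left promiscuous mode" whenever the flag changes. The script below reads both sources; the kernel log lines and the sysfs tree used for the demo are constructed, and the function names are my own.

```python
"""Host agent that reports interfaces in (or recently in) promiscuous mode.

Added example for this thread; not part of AntiSniff. Assumes a Linux host:
  * /sys/class/net/<iface>/flags holds the interface flags as a hex string
  * the kernel logs "device X entered promiscuous mode" / "left promiscuous mode"
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

IFF_PROMISC = 0x100  # IFF_PROMISC from <linux/if.h>

# Constructed kernel log excerpt (what `dmesg` or journalctl -k might show).
SAMPLE_KERNEL_LOG = [
    "[  12.345678] e1000e 0000:00:19.0 eth0: NIC Link is Up 1000 Mbps",
    "[ 812.110233] device eth1 entered promiscuous mode",
    "[ 813.902871] device eth1 left promiscuous mode",
    "[1402.440102] device eth0 entered promiscuous mode",
]

_PROMISC_LOG = re.compile(
    r"device (?P<iface>\S+) (?P<state>entered|left) promiscuous mode")


def flags_are_promisc(flags_text: str) -> bool:
    """Interpret the hex string read from /sys/class/net/<iface>/flags."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_interfaces(sysfs_root: str = "/sys/class/net") -> List[str]:
    """Names of interfaces whose flags currently carry IFF_PROMISC."""
    found = []
    for iface in sorted(Path(sysfs_root).iterdir()):
        flags_file = iface / "flags"
        if flags_file.is_file() and flags_are_promisc(flags_file.read_text()):
            found.append(iface.name)
    return found


def promisc_history(log_lines: Iterable[str]) -> Dict[str, str]:
    """Replay kernel log lines; last known state ('entered'/'left') per iface.

    A sniffer that ran briefly and exited leaves no trace in the flags, but
    the 'entered' line stays in the log, so this catches transient use too.
    """
    state: Dict[str, str] = {}
    for line in log_lines:
        m = _PROMISC_LOG.search(line)
        if m:
            state[m.group("iface")] = m.group("state")
    return state


def assess(current: List[str], history: Dict[str, str]) -> List[Tuple[str, str]]:
    """Combine live flags and log history into one verdict per interface."""
    verdicts = []
    for iface in sorted(set(current) | set(history)):
        if iface in current:
            verdicts.append((iface, "promiscuous NOW"))
        elif history.get(iface) == "entered":
            verdicts.append((iface, "entered promiscuous mode, no 'left' seen"))
        else:
            verdicts.append((iface, "was promiscuous earlier, now left"))
    return verdicts


def build_demo_sysfs() -> str:
    """Constructed stand-in for /sys/class/net so the demo runs anywhere.

    eth0: UP|BROADCAST|PROMISC|MULTICAST = 0x1103  (sniffing)
    eth1: UP|BROADCAST|MULTICAST         = 0x1003  (normal)
    lo:   UP|LOOPBACK                    = 0x9
    """
    root = Path(tempfile.mkdtemp(prefix="demo_sysfs_"))
    for name, flags in (("eth0", "0x1103"), ("eth1", "0x1003"), ("lo", "0x9")):
        (root / name).mkdir()
        (root / name / "flags").write_text(flags + "\n")
    return str(root)


if __name__ == "__main__":
    # On a real host replace build_demo_sysfs() with "/sys/class/net" and
    # feed the output of `dmesg` into promisc_history().
    live = promisc_interfaces(build_demo_sysfs())
    for iface, verdict in assess(live, promisc_history(SAMPLE_KERNEL_LOG)):
        print(f"{iface}: {verdict}")
```

Run it periodically from cron or a monitoring agent and alert on any interface that is not on an allow-list (an IDS sensor port, for example); the log replay is what catches a sniffer that was only up for a few minutes between runs.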

