Well,
One easy way to ID this is to monitor for the ARP broadcast, or check
for hosts doing this broadcast. For example... when using ettercap
(one of those nice arp tools) it does:

Building host list for netmask 255.255.255.0, please wait...
Sending 7 ARP request... <--- You can detect this.

Another thing that you can do is to run checks for other systems doing
arp poisoning, ettercap offers this feature as well:

[cC] - check for other poisoner...

So, one way to defend against this sniffing is to check for these
poisoners every X minutes and notify the admin IF such a thing happens.

[Cerebrum Gateway] <gawd># ettercap -c -N
ettercap 0.6.7 (c) 2002 ALoR & NaGA

Your IP: xxx.xxx.xxx.xxx with MAC: 00:10:4B:C8:2A:4E on Iface: de0
Building host list for netmask 255.255.255.0, please wait...
Sending 7 ARP request...
* |==================================================>| 100.00 %
Resolving 5 hostnames...
* |==================================================>| 100.00 %
Checking for poisoners...

MAC of xxx.xxx.xxx.xxx and xxx.xxx.xxx.xxx are identical !
you got a poisoner!!! =o)

On Wed, 2002-11-06 at 23:27, Michael Ungar wrote:
> From security books I've read it's not hard to
> eavesdrop on network communication using tools like
> dsniff, even in a switched environment. My
> understanding is that it is accomplished quite easily
> by ARP poisoning your victim in thinking your
> machine's MAC as the router MAC & after interception,
> re-forwarding the traffic back to the true router MAC.
>
> Assuming the network environment is large (e.g.,
> configuring port switches for specific MAC addresses
> not practical) & desktop security cannot be guaranteed
> (and thereby cannot prevent people from allowing
> machines to IP forward), how can one defend against
> other than encrypting data.
>
> Thanks....Mike

-- 
-ATD-
http://www.snosoft.com
-------------------------------------------------------------
Secure Network Operations | Strategic Reconnaissance Team
Cerebrum Project          | [EMAIL PROTECTED]
-------------------------------------------------------------
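Added example, not part of the original message and not ettercap's own code: the "MAC of x and y are identical" check described above, done passively against a Linux neighbour table in /proc/net/arp layout. The sample table, its addresses and the `allowed` allow-list parameter are constructed for illustration.

```python
"""Flag IPv4 neighbours that share one MAC in a Linux /proc/net/arp table."""
from collections import defaultdict

# Constructed sample in /proc/net/arp layout; all addresses are made up.
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         02:00:5e:00:00:66     *        eth0
192.0.2.10       0x1         0x2         02:00:5e:00:00:0a     *        eth0
192.0.2.66       0x1         0x2         02:00:5E:00:00:66     *        eth0
192.0.2.20       0x1         0x0         00:00:00:00:00:00     *        eth0
192.0.2.30       0x1         0x2         02:00:5e:00:00:1e     *        eth0
192.0.2.31       0x1         0x2         02:00:5e:00:00:1e     *        eth0
"""

def parse_arp_table(text):
    """Return [(ip, mac, device)] for resolved entries, MAC lower-cased."""
    entries = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hw_type, flags, mac, _mask, device = fields
        # Flags 0x0 or an all-zero MAC is an incomplete entry, not a claim.
        if int(flags, 16) == 0 or mac == "00:00:00:00:00:00":
            continue
        entries.append((ip, mac.lower(), device))
    return entries

def find_shared_macs(entries, allowed=()):
    """Map (device, mac) -> sorted IPs when more than one IP claims that MAC.

    `allowed` lists MACs expected to answer for several IPs (proxy ARP,
    IP aliases); it is a hypothetical allow-list, empty by default.
    """
    allowed = {m.lower() for m in allowed}
    claims = defaultdict(set)
    for ip, mac, device in entries:
        if mac not in allowed:
            claims[(device, mac)].add(ip)
    return {k: sorted(v) for k, v in claims.items() if len(v) > 1}

if __name__ == "__main__":
    # On a live Linux host, read /proc/net/arp instead of the sample.
    hits = find_shared_macs(parse_arp_table(SAMPLE_ARP_TABLE))
    for (dev, mac), ips in hits.items():
        print(f"ALERT {dev}: {mac} is claimed by {', '.join(ips)}")
```

Run from a scheduler every X minutes and mail the output to the admin; a hit that includes the router's IP is the case the original question describes.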
