|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: sniffer/promisc detector
In message <[email protected]>, "Laurence F. Sheldon, Jr." writes: > >Gerald wrote: >> >> Subject says it all. Someone asked the other day here for sniffers. Any >> progress or suggestions for programs that detect cards in promisc mode or >> sniffing traffic? > >I can't even imagine how one might do that. Traditionally the only >way to know that you have a mole is to encounter secrets that "had to" >have been stolen. There are a number of heuristics that *sometimes* work. For example, some platforms (older Linux kernels, I think; not sure about current ones; definitely not BSD) will respond if a packet sent to their IP address but with a wrong Ethernet address is received. That will only happen if they're in promiscuous mode. (BSD checks that the packet is addressed to the proper MAC address or is broadcast/multicast.) Another is to emit a packet with a distinctive IP source address, under the assumption that the recipient might look up the host name via a boobytrapped DNS server. In general, though, there's no way to tell. My general advice is to assume that any network is tapped, and to use crypto even locally. And no, switched networks won't protect you from certain kinds of sniffers, though you can detect anomalous ARP traffic. --Steve Bellovin, http://www.research.att.com/~smb
|