Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Detecting a sniffer

From: bet () std sbi com (Bennett Todd)
Date: Tue, 2 May 1995 10:44:49 -0400 (EDT)


You can't "detect a sniffer" from looking at the net; [...]


Not even with a Time Domain Reflectometer?


In certain circumstances you can make certain tests, which will catch some
ways of hooking in a sniffer. TDR is fine if someone tries to hook in a new
tap to your ether. If someone replaces an existing transceiver with a small
multiport, a TDR won't help. If someone uses an already-installed but
currently unused tap, I wouldn't expect TDR to help. Can TDR tell whether an
installed tap is live or not?

If someone is using an existing system you can look for signs on that system
(e.g. growing logfiles, increased system load, etc). If they're forwarding
their traffic (or, as someone else pointed out, doing DNS lookups), you can
look for the resulting generated traffic.

For almost every distinct approach to packet sniffing, there's a reasonable
way to attempt to detect that approach. Taking all together, no one strategy
will suffice, and given a sufficiently determined intruder any set of
detection strategies can be worked around. Some folks take pressurized armor
jackets with pressure sensors to just be a challenge:-).

-Bennett
bet () mordor com
Previous By Date Next
Previous By Thread Next

Current thread: