Bugtraq mailing list archives
Antisniff thoughts
From: hobbit () AVIAN ORG (*Hobbit*)
Date: Sun, 25 Jul 1999 22:00:01 -0400
1. For a completely passive box, we set the interface to some bogus IP addr, or 0.0.0.0 if that works, ifconfig -arp, and hoover away. Antisniff would never see the machine because the machine would never answer anything unless someone could guess the IP address. Drawback: hard to retrieve logs remotely. Workaround: one interface as a normal address on a normal reachable net, and a second interface configured as above sniffing a *different* net. Useful setup for remotely-administerable IDS boxes; real address lives on a protected inside net, sniffing interface plugs in to watch the dirty one but is not addressable. Workaround for a single interface: As the sniffer starts, reset the interface to bogus-IP/noarp, sniff for a while, quit sniffing, reset to the old parameters. Or perhaps dynamically flop modes back and forth depending on whether we saw traffic for the machine's real address arrive. A sniffer with an open nit/dlpi/bpf should be able to go *non*promiscuous and still see if there's traffic to its own host, and lay low accordingly. 2. Antisniff evasion possibility: enhancement to detect the first couple of Antisniff probes, and immediately un-promiscuize the card for a while until we think it's safe to peek out again. Possibly in a dynamic mode; see #1. Just a coupla ideas to kick around.. _H*
Current thread:
- Antisniff thoughts *Hobbit* (Jul 25)
- Re: Antisniff thoughts David Dyer-Bennet (Jul 26)
- Re: Antisniff thoughts + AASS Patch Mike Perry (Jul 26)
- Re: Antisniff thoughts Craig H. Rowland (Jul 26)
- <Possible follow-ups>
- Re: Antisniff thoughts blue0ne (Jul 26)
- Re: Antisniff thoughts Wolfram Schmidt (Jul 27)