IDS mailing list archives
Re: [inbox] Re: Counter detect Network Sniffer
From: Thomas Ptacek <tqbf () arbor net>
Date: Mon, 1 Mar 2004 17:25:41 -0500
On Mar 1, 2004, at 2:19 PM, Rob Shein wrote:
> to communicate with the sniffing system. Ultimately, if the person sniffing is somewhat clever (and/or paranoid), it'll be trivial for them to evade
So, a few years ago I got mixed up in an Epic Usenet Struggle over the feasibility of sniffer detection: http://groups.google.com/groups?threadm=slrn64ocuf.pj1.tqbf%40joshua.enteract.com
It was a pretty good thread, with posts from Wietse Venema, Mark Hittinger, Tim Newsham, and Aleph One.

As the flag-carrier for the "you can remotely detect sniffers" faction, I got hammered on over the fact that it is possible to obscure sniffers, no matter what you do to detect them. I agree with this assertion, but I don't think it has much practical meaning: the sniffers you should be worried about are the ones remote attackers install on general-purpose machines that are already on the network. It is not difficult to devise a sniffer detection mechanism for these that is very hard to defeat.

Obviously, when you get to talking about attackers installing new physical devices, or disabling existing machines completely and dedicating them to sniffing, your job is much harder. I would just argue that when you're dealing with attackers that are this well-armed, "detecting the sniffer" is not really
your big problem anymore.

---
Thomas H. Ptacek // Product Manager, Arbor Networks
(734) 327-0000