nanog mailing list archives
Re: sniffer/promisc detector
From: haesu () towardex com
Date: Sat, 17 Jan 2004 12:55:17 -0500
I think I'll pass this on to the zen of Rob T. :) I think he said something along the lines of "security industry is here for my amusement" at the last NANOG.

So yeah.. let's install a bunch of honeypots and hope all those "stupid" "hackers" will get caught like the mouse.

By the time you think your enemy is less capable than you, you've already lost the war.

-J

On Sat, Jan 17, 2004 at 02:31:06AM -0800, Alexei Roudnev wrote:

The best anti-sniffer is a HoneyPot (it is a method, not a tool). Create so much false information (and track its usage) that hackers will be caught before they do something really wrong.

For those who do not know: look at the standard, cage-like mousetrap with a piece of cheese inside. -:)

----- Original Message -----
From: "Rubens Kuhl Jr." <rubens () email com>
To: <nanog () merit edu>
Sent: Friday, January 16, 2004 3:18 PM
Subject: Re: sniffer/promisc detector

That is a battle that was lost at its beginning: the Ethernet 802.1d paradigm of "don't know where to send the packet, send it to all ports, forget where to send packets every minute" is the weak point.

There are some common mistakes that sniffing kits make that can be used to detect them (I think antisniff implements them all), but a better approach is to make promisc mode of no gain unless the attacker compromises the switch also. In Cisco-world, the solution is called Private VLANs. Nortel/Bay used to have ports that could belong to more than one VLAN; probably every other switch vendor has its own non-IEEE 802 compliant way of making a switched network more secure.

Rubens

----- Original Message -----
From: "Gerald" <gcoon () inch com>
To: <nanog () merit edu>
Sent: Friday, January 16, 2004 8:35 PM
Subject: sniffer/promisc detector

Subject says it all. Someone asked the other day here for sniffers. Any progress or suggestions for programs that detect cards in promisc mode or sniffing traffic?

Gerald
--
James Jun (formerly Haesu)
TowardEX Technologies, Inc.
1740 Massachusetts Ave. Boxborough, MA 01719
Consulting, IPv4 & IPv6 colocation, web hosting, network design & implementation
http://www.towardex.com | james () towardex com
Cell: (978)394-2867 | Office: (978)263-3399 Ext. 170
Fax: (978)263-0033 | AIM: GigabitEthernet0
NOC: http://www.twdx.net | POC: HAESU-ARIN, HDJ1-6BONE