RE: Firewall and IDS, (the second way).

["Benjamin P. Grubin" <bgrubin () pobox com>]

I'm sorry, but your description of promiscuous mode detection is a
little off.  For latency-based testing you do not need to know what the
"normal" ping response of a host is.  What you need is to test on the
local LAN itself.  At that point you begin pinging the machine you are
testing, note the response time, and then flood the network with traffic
destined for an invalid ethernet address.  If the machine (or one of the
multiple machines) you are pinging exhibits markedly increased ping
response times after the flood is introduced, it is likely in
promiscuous mode.  

I don't remember the details of Mudge's talk on the matter, but this
method has been around for quite a while--albeit it wasn't highly
publicized until the l0pht developed Anti-Sniff.  IIRC, Anti-Sniff had a
few other methods for testing--including OS-specific "fingerprinting"
for promiscuous-mode behavior, and monitoring the network for odd DNS
requests that a compromised host might be originating in an attempt to
resolve IP's of sniffed traffic.  IMHO these other two methods are
window dressing.. The latency testing is the only method that is likely
to work, and is usable against virtually every OS/platform--regardless
of version.

Cheers,
Benjamin P. Grubin, CISSP, GIAC
 
> -----Original Message-----
> From: Zow Terry Brugger [mailto:zow () llnl gov] 
> Sent: Friday, March 15, 2002 9:27 PM
> To: sekure () hadrion com br
> Cc: vuln-dev () securityfocus com
> Subject: Re: Firewall and IDS, (the second way). 
>
>
> > Hi,
>
> Hello!
>
> > I'm "walking" by the internet finding about 
> paper/techniques that can be
> > used to detect systemn with IDS installed. Try to detect
> > snort/snort+aide/quinds/.../ somebody know something like it ??
>
> I recall Munge giving a talk at BlackHat Las Vegas in 2000 
> about something 
> they were doing at @stake/l0ft for detecting sniffers. The 
> idea was to allow 
> sysadmins to detect if one of their machines had been hacked 
> and was acting as 
> a sniffer. The idea was that by putting the interface into 
> promiscuous mode, 
> the machine would take longer to respond to ping packets 
> because there was 
> more traffic for the kernel's IP stack to analyze (whereas 
> usually it'll be 
> filtered out by the NIC). The same should hold true for NIDS, 
> with a couple 
> caviots:
>
> 1. You'd need to know what ping time to expect if the NIC 
> wasn't running in 
> promiscuous mode in order to calculate a delta,
>
> 2. A popular technique to secure NIDS is to not allow them to 
> respond to 
> traffic on the network that they're listening to (that is, 
> bring up, but don't 
> configure) the interface. Doing so will pretty much eliminate 
> the ability to 
> use this technique.
>
> In other words, I wouldn't go around trying to use such a 
> technique to detect 
> NIDS - it'll probably have just the opposite effect of 
> allowing them to detect 
> you.
>
> -"Zow"
>
> from StandardDisclaimer import *