Re: [inbox] Re: Counter detect Network Sniffer

From: Thomas Ptacek (tqbf_at_arbor.net)
Date: 03/01/04

  • Next message: Mike Frantzen: "Re: Counter detect Network Sniffer"
    Date: Mon, 1 Mar 2004 17:25:41 -0500
    To: "Rob Shein" <shoten@starpower.net>
    
    

    On Mar 1, 2004, at 2:19 PM, Rob Shein wrote:
    > to communicate with the sniffing system. Ultimately, if the person
    > sniffing is somewhat clever (and/or paranoid), it'll be trivial for
    > them to evade

    So, a few years ago I got mixed up in an Epic Usenet Struggle over the
    feasibility of sniffer detection:

    http://groups.google.com/groups?threadm=slrn64ocuf.pj1.tqbf%40joshua.enteract.com

    It was a pretty good thread, with posts from Wietse Venema, Mark
    Hittinger, Tim Newsham, and Aleph One.

    As the flag-carrier for the "you can remotely detect sniffers" faction, I
    got hammered on over the fact that it is possible to obscure sniffers, no
    matter what you do to detect them. I agree with this assertion, but I
    don't think it has much practical meaning: the sniffers you should be
    worried about are the ones remote attackers install on general-purpose
    machines that are already on the network. It is not difficult to devise a
    sniffer detection mechanism for these that is very hard to defeat.

    Obviously, when you get to talking about attackers installing new physical
    devices, or disabling existing machines completely and dedicating them to
    sniffing, your job is much harder. I would just argue that when you're
    dealing with attackers that are this well-armed, "detecting the sniffer"
    is not really your big problem anymore.

    ---
    Thomas H. Ptacek // Product Manager, Arbor Networks
    (734) 327-0000