1 / 13

Sniffing the sniffers - detecting passive protocol analysers

Sniffing the sniffers - detecting passive protocol analysers. John Baldock, Intel Corp Craig Duffy, Bristol UWE. What is Passive Protocol Analysis?. Also known as sniffing Assumed TCP/IP V4 broadcast networks Easy connection into network MAC card into promiscuous mode

nardo
Download Presentation

Sniffing the sniffers - detecting passive protocol analysers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Sniffing the sniffers - detecting passive protocol analysers John Baldock, Intel Corp Craig Duffy, Bristol UWE

  2. What is Passive Protocol Analysis? • Also known as sniffing • Assumed TCP/IP V4 broadcast networks • Easy connection into network • MAC card into promiscuous mode • Monitor traffic for certain ports ie 21 (ftp) • Look for certain packets ie with SYN bit set

  3. Why is so difficult to detect sniffers? • The attack is essentially passive • They don’t generate unusual traffic • They are normally linked to active intrusion attacks • Only requires a standard machine • Threat is always seen as external • Though it rarely is – 80% are internal!

  4. Root Password sniffer Period Compromises Found 1995 Q1 3 1 1995 Q2 2 0 1995 Q3 11 4 1995 Q4 10 2 1996 Q1 5 3 1996 Q2 10 4 1996 Q3 6 2 1996 Q4 11 5 1997 Q1 5 2 Total 63 23 Janet network security compromises

  5. Some tests for sniffers • IMCP echo response • DNS Lookup • ICMP echo response latency • Fake user and & password • Unrecognised MAC address

  6. ICMP Echo response test

  7. ICMP Echo latency test

  8. The ARP check test results

  9. The check ping test results

  10. The latency test results

  11. Future developments • We are creating • Test to profile machines on a network using sampling • Use of control machine • Expert systems to filter data

  12. What is to be done? #1 • Fixes at topology and switching level • Change from broadcast to switched networks • Use of ‘intelligent’ hubs • Fix ports to MAC addresses • Implement reflexive filtering

  13. What is to be done? #2 • Fixes at protocol level • Encrypt everything! • Use SSH • One time passwords • VPNS • IPng/IPV6

More Related