In article <[EMAIL PROTECTED]>,
Nick Lamb  <[EMAIL PROTECTED]> wrote:
>How does AntiSniff detect sniffing?
>http://www.l0pht.com/antisniff/tech-paper.html
>
>For those without the time needed to wade through L0pht's technical
>documentation, the short answer is:
>
>AntiSniff detects behaviour associated with packet sniffing, it does
>NOT detect the actual sniffing, which is of course a totally passive
>activity (at least on networks without switches)
>
>For "behaviour associated with sniffing" read:
>
>1. IP stacks which behave differently (broken) when doing Promisc.
> Your attacker could avoid (or Fix!) broken stacks
>
>2. DNS lookups in response to an invalid packet with an invented IP addr
> Sniffers can be modified to do DNS off-line, or ignore bizarre packets
>
>3. Slowdown in echo replies of sniffing machine during invalid flood
> This sounds unreliable, but I'll wait to see it in action

Indeed; in the Computer Security class Dave Wagner and I taught at Berkeley
in Fall '98, a couple of groups did just this.  For a quite good paper
describing the results, see

http://www.cs.berkeley.edu/~daw/classes/cs261/projects/final-reports/fredwong-davidwu.ps

   - Ian
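One way to turn the second technique Nick lists (a sniffer reverse-resolving an invented source address) into a check a defender can run over name-server logs, as an added example that is not part of this thread or of AntiSniff; the decoy addresses and the BIND-style query-log lines are constructed:

```python
import ipaddress
import re
from collections import defaultdict

# Decoy addresses (constructed): never assigned on the monitored network, so
# no host has a legitimate reason to ask for their PTR records. A machine that
# reverse-resolves every source it sees on the wire will ask anyway.
DECOY_IPS = {"10.99.77.5", "10.99.77.6"}

# Constructed BIND-style query-log lines, not a real capture.
SAMPLE_LOG = """\
client 10.0.0.12#53211: query: www.example.com IN A + (10.0.0.1)
client 10.0.0.44#41021: query: 5.77.99.10.in-addr.arpa IN PTR + (10.0.0.1)
client 10.0.0.12#53214: query: 12.0.0.10.in-addr.arpa IN PTR + (10.0.0.1)
client 10.0.0.44#41025: query: 6.77.99.10.in-addr.arpa IN PTR + (10.0.0.1)
"""

QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN PTR")

def ptr_name_to_ip(name):
    """Map 5.77.99.10.in-addr.arpa to 10.99.77.5; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None

def find_decoy_lookups(log_text, decoys=DECOY_IPS):
    """Return {client_ip: sorted decoy addresses that client tried to reverse-resolve}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, qname = m.groups()
        ip = ptr_name_to_ip(qname)
        if ip in decoys:
            hits[client].add(ip)
    return {client: sorted(ips) for client, ips in hits.items()}

if __name__ == "__main__":
    for client, ips in find_decoy_lookups(SAMPLE_LOG).items():
        print(f"{client} reverse-resolved decoy address(es): {', '.join(ips)}")
```

As the quoted post notes, a sniffer that resolves names off-line or not at all never triggers this, so a hit is evidence, not proof, and an empty result is not a clean bill of health.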
