I think I'll pass this onto zen of Rob T. :)
i think he said something along the lines of "security industry is here for my amusement" in the last nanog.
so yea.. let's install bunch of honeypots and hope all those "stupid" "hackers" will get caught like the mouse.
by the time you think your enemy is less capable than you, you've already lost the war.
-J
On Sat, Jan 17, 2004 at 02:31:06AM -0800, Alexei Roudnev wrote:
The best anty-sniffer is HoneyPot (it is a method, not a tool). Create
so
many false information (and track it's usage) that hackers will be catched before they do something really wrong.
Who do not know - look onto the standard, cage like, mouse - trap with a piece of cheese inside. -:)
----- Original Message ----- From: "Rubens Kuhl Jr." <rubens@email.com> To: <nanog@merit.edu> Sent: Friday, January 16, 2004 3:18 PM Subject: Re: sniffer/promisc detector
That is a battle that was lost at its beginning: the Ethernet 802.1d paradigm of "don't know where to send the packet, send it to all
forget where to send packets every minute" is the weak point. There are some common mistakes that sniffing kits do, that can be used to detect them (I think antisniff implements them all), but a better approach is to make to promisc mode of no gain unless the attacker compromises
Sorry, but this _honeypot etc_ is _the only_ reliable defence. And, when I mean honey pot, I do not mean _install ols linux with qpopper and wait_. I mean that, if trhere is concern about sniffering a network (which is a little strange, because it is not much use in sniffering switched network_, this means concern about leaking information. Usually, you do not get much from sniffering - you can not sniff SSL, can not sniff Win2K rdesktop, can not sniff 'ssh'. But you can sniff, for example, keyboard input (and the only protecting agaist such things is SecireID etc), can try to get some passwords and so on. So, having frauded account, even frauded computer, exposing this account into the network, and tracking any attempt to use it is a very effective line of defense. I told already - _do not trust to the smart books about security too much_, they misinterpret many things. For example, they treat _non standard port assigments_ as a very ineffective, while in real life such simple (0 cost) thing decrease a chance of breakage 10 - 1000 times (we investigated 3 month logs and found, that no one in the whole Internet scans wide range of ports, and no one in real life uses tools, reporting _real_ protocols, because they are dramatically slow and so useless). The same here - having frauded, 'labeled', information is a very effective 'complimentary' defense - it let you know, when thing got really wrong, when you have not other indications. And it have 0% of false positives (if this account is never used and someone opened it, he is 100% a hacker or intruder. No any other methods provides you 0 false positives). PS. Even if you are listening to MAC broadcasts, you got much more than you expect. In one poiint, we found , that we had all traffic to one of the servers 'broadcasted', reason was complicated - ARP timeout longer than CAM timeout + nonsimmetrical traffic . You have not any method to detect a passive sniffer (except a few tricks, which can work with particular OS but do not work with other systems), have not a good method to detect keyboard sniffer. So, if you are very serious about security, you must use active defence. ----- Original Message ----- From: <haesu@towardex.com> To: "Alexei Roudnev" <alex@relcom.net> Cc: "Rubens Kuhl Jr." <rubens@email.com>; <nanog@merit.edu> Sent: Saturday, January 17, 2004 9:55 AM Subject: Re: sniffer/promisc detector ports, the
switch also. In Cisco-world, the solution is called Private VLANs. Nortel/Bay used to have ports that could belong to more than one VLAN, probably every other swith vendor has its own non-IEEE 802 compliant way of making a switched network more secure.
Rubens
----- Original Message ----- From: "Gerald" <gcoon@inch.com> To: <nanog@merit.edu> Sent: Friday, January 16, 2004 8:35 PM Subject: sniffer/promisc detector
Subject says it all. Someone asked the other day here for sniffers.
Any
progress or suggestions for programs that detect cards in promisc mode or sniffing traffic?
Gerald
-- James Jun (formerly Haesu) TowardEX Technologies, Inc. 1740 Massachusetts Ave. Boxborough, MA 01719 Consulting, IPv4 & IPv6 colocation, web hosting, network design & implementation http://www.towardex.com | james@towardex.com Cell: (978)394-2867 | Office: (978)263-3399 Ext. 170 Fax: (978)263-0033 | AIM: GigabitEthernet0 NOC: http://www.twdx.net | POC: HAESU-ARIN, HDJ1-6BONE