Subject says it all. Someone asked the other day here for sniffers. Any progress or suggestions for programs that detect cards in promisc mode or sniffing traffic? Gerald
Gerald wrote:
Subject says it all. Someone asked the other day here for sniffers. Any progress or suggestions for programs that detect cards in promisc mode or sniffing traffic?
I can't even imagine how one might do that. Traditionally the only way to know that you have a mole is to encounter secrets that "had to" have been stolen.
if you have multiple network interfaces you can ensure that the one doing the snooping is undetectable by the tools that people wrote to detect promiscuous ethernets... joelja On Fri, 16 Jan 2004, Laurence F. Sheldon, Jr. wrote:
Gerald wrote:
Subject says it all. Someone asked the other day here for sniffers. Any progress or suggestions for programs that detect cards in promisc mode or sniffing traffic?
I can't even imagine how one might do that. Traditionally the only way to know that you have a mole is to encounter secrets that "had to" have been stolen.
-- -------------------------------------------------------------------------- Joel Jaeggli Unix Consulting joelja@darkwing.uoregon.edu GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
In message <40086A95.8D2DB487@cox.net>, "Laurence F. Sheldon, Jr." writes:
Gerald wrote:
Subject says it all. Someone asked the other day here for sniffers. Any progress or suggestions for programs that detect cards in promisc mode or sniffing traffic?
I can't even imagine how one might do that. Traditionally the only way to know that you have a mole is to encounter secrets that "had to" have been stolen.
There are a number of heuristics that *sometimes* work. For example, some platforms (older Linux kernels, I think; not sure about current ones; definitely not BSD) will respond if a packet sent to their IP address but with a wrong Ethernet address is received. That will only happen if they're in promiscuous mode. (BSD checks that the packet is addressed to the proper MAC address or is broadcast/multicast.) Another is to emit a packet with a distinctive IP source address, under the assumption that the recipient might look up the host name via a boobytrapped DNS server. In general, though, there's no way to tell. My general advice is to assume that any network is tapped, and to use crypto even locally. And no, switched networks won't protect you from certain kinds of sniffers, though you can detect anomalous ARP traffic. --Steve Bellovin, http://www.research.att.com/~smb
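The wrong-MAC heuristic Steve describes, as an added example that is not code from anyone in this thread: a simplified model of the NIC hardware filter and of a lax versus a BSD-style (MAC re-checking) IP stack, plus the classification of replies from a constructed probe log. All addresses are made up, and the `strict_stack` flag is this example's own abstraction of the BSD behaviour, not a real kernel option.

```python
"""Classify replies to wrong-MAC probes.

A NIC that is not in promiscuous mode drops unicast frames whose destination
MAC is not its own (broadcast and multicast are always accepted).  A host whose
IP stack answers a frame that only a promiscuous NIC would have passed up is
therefore a candidate sniffer.  Silence proves nothing: a BSD-style stack
re-checks the MAC in software and stays quiet even when the NIC is promiscuous.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    """Group bit (LSB of the first octet) set => multicast or broadcast."""
    return int(mac.split(":")[0], 16) & 1 == 1


def nic_accepts(frame_dst: str, own_mac: str, promisc: bool) -> bool:
    """Simplified Ethernet NIC receive filter."""
    if promisc:
        return True
    return frame_dst.lower() == own_mac.lower() or is_multicast(frame_dst)


def stack_answers(frame_dst: str, own_mac: str, promisc: bool, strict_stack: bool) -> bool:
    """Whether the host replies to a frame carrying its IP address.

    strict_stack models a BSD-like re-check of the destination MAC in software
    (assumption for this example); a lax stack trusts whatever the NIC passed up.
    """
    if not nic_accepts(frame_dst, own_mac, promisc):
        return False
    if strict_stack:
        return frame_dst.lower() == own_mac.lower() or is_multicast(frame_dst)
    return True


# Constructed probe log (all addresses made up): each entry records the target's
# real MAC (from its ARP entry), the destination MAC the probe frame carried,
# and whether any reply came back.
PROBE_LOG = [
    {"ip": "10.0.0.10", "real_mac": "00:11:22:33:44:10", "probe_dst": "00:11:22:33:44:ff", "replied": True},
    {"ip": "10.0.0.11", "real_mac": "00:11:22:33:44:11", "probe_dst": "00:11:22:33:44:ff", "replied": False},
    # control probe with the correct MAC: a reply here is normal behaviour
    {"ip": "10.0.0.12", "real_mac": "00:11:22:33:44:12", "probe_dst": "00:11:22:33:44:12", "replied": True},
    # broadcast destination: every NIC accepts it, so a reply carries no signal
    {"ip": "10.0.0.13", "real_mac": "00:11:22:33:44:13", "probe_dst": BROADCAST, "replied": True},
]


def suspected_promisc(log):
    """IPs that answered a unicast frame not addressed to their own MAC."""
    hits = []
    for entry in log:
        dst = entry["probe_dst"].lower()
        if entry["replied"] and dst != entry["real_mac"].lower() and not is_multicast(dst):
            hits.append(entry["ip"])
    return hits


if __name__ == "__main__":
    print("suspected promiscuous hosts:", suspected_promisc(PROBE_LOG))
```

Only the first host is flagged: the second may be non-promiscuous or may simply run a stack that re-checks the MAC, and the heuristic cannot tell those apart, which is the "sometimes" in the message above.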
----- Original Message ----- From: "Laurence F. Sheldon, Jr." <larrysheldon@cox.net> To: <nanog@merit.edu> Sent: Friday, January 16, 2004 10:49 PM Subject: Re: sniffer/promisc detector
Gerald wrote:
Subject says it all. Someone asked the other day here for sniffers. Any progress or suggestions for programs that detect cards in promisc mode or sniffing traffic?
I can't even imagine how one might do that. Traditionally the only way to know that you have a mole is to encounter secrets that "had to" have been stolen.
In an all switched network, sniffing can normally only be accomplished with MAC address spoofing (Man In The Middle). Watching for MAC address changes (from every machine's perspective), along with scanning for separate machines with the same ARP address, and using switches that can detect when a MAC address moves between ports will go a long way towards detecting sniffing.
It can also be worthwhile setting up a machine on a switch to detect non-broadcast traffic that isn't for it - sometimes older switches get 'leaky' when they shouldn't be used.
I'm not sure if it's still the case, but it used to be the case that when Linux is in promiscuous mode, it will answer TCP/IP packets sent to its IP address even if the MAC address on that packet is wrong. Sending TCP/IP packets to all the IP addresses on the subnet, where the MAC address contains wrong information, will tell you which machines are Linux machines in promiscuous mode (the answer from those machines will be a RST packet).
Some tools that google turned up (haven't tried them myself):
http://www.securityfriday.com/ToolDownload/PromiScan/promiscan_doc.html
http://www.packetstormsecurity.org/sniffers/antisniff/
Apparently Man In The Middle attacks can also be detected by measuring the latency under different traffic loads, but I haven't looked too much into that.
Sam
It is also possible to sniff a network using only the RX pair so most of the tools to detect cards in P mode will fail. The new Cisco 6548's have TDR functionality so you could detect unauthorized connections by their physical characteristics. But there are also tools like ettercap which exploit weaknesses within switched networks. See http://ettercap.sourceforge.net/ for more details (and gain some add'l grey hairs in the process). The question here is what are you trying to defend against? Scott C. McGrath On Sat, 17 Jan 2004, Sam Stickland wrote:
----- Original Message ----- From: "Laurence F. Sheldon, Jr." <larrysheldon@cox.net> To: <nanog@merit.edu> Sent: Friday, January 16, 2004 10:49 PM Subject: Re: sniffer/promisc detector
Gerald wrote:
Subject says it all. Someone asked the other day here for sniffers. Any progress or suggestions for programs that detect cards in promisc mode or sniffing traffic?
I can't even imagine how one might do that. Traditionally the only way to know that you have a mole is to encounter secrets that "had to" have been stolen.
In an all switched network, sniffing can normally only be accomplished with MAC address spoofing (Man In The Middle). Watching for MAC address changes (from every machine's perspective), along with scanning for separate machines with the same ARP address, and using switches that can detect when a MAC address moves between ports will go a long way towards detecting sniffing.
It can also be worthwhile setting up a machine on a switch to detect non-broadcast traffic that isn't for it - sometimes older switches get 'leaky' when they shouldn't be used.
I'm not sure if it's still the case, but it used to be the case that when Linux is in promiscuous mode, it will answer to TCP/IP packets sent to its IP address even if the MAC address on that packet is wrong. Sending TCP/IP packets to all the IP addresses on the subnet, where the MAC address contains wrong information, will tell you which machines are Linux machines in promiscuous mode (the answer from those machines will be a RST packet).
Some tools that google turned up (haven't tried them myself):
http://www.securityfriday.com/ToolDownload/PromiScan/promiscan_doc.html
http://www.packetstormsecurity.org/sniffers/antisniff/
Apparently Man In The Middle attacks can also be detected by measuring the latency under different traffic loads, but I haven't looked too much into that.
Sam
On Saturday 17 January 2004 11:18 am, Scott McGrath wrote:
It is also possible to sniff a network using only the RX pair so most of the tools to detect cards in P mode will fail. The new Cisco 6548's have TDR functionality so you could detect unauthorized connections by their physical characteristics.
But there are also tools like ettercap which exploit weaknesses within switched networks. See http://ettercap.sourceforge.net/ for more details (and gain some add'l grey hairs in the process).
The question here is what are you trying to defend against?
Maybe this is just a stupid comment, but if the original poster is that concerned with their LAN being sniffed, then maybe they should consider using IPSec on their LAN. -- Donovan Hill Electronics Engineering Technologist, CCNA www.lazyeyez.net, www.gwsn.com
On Sat, 17 Jan 2004 11:30:13 PST, Donovan Hill said:
Maybe this is just a stupid comment, but if the original poster is that concerned with their LAN being sniffed, then maybe they should consider using IPSec on their LAN.
Amen to that. It's actually easier to sleep at night if you start off with the assumption that every single packet is received by both the intended recipient and the entity you *least* want getting said packet, and then design your communications accordingly. Similarly for spoofed and MITM attacks - assume they WILL happen, and plan accordingly. Proper use of IPSec/OpenSSH/OpenSSL, with key/cert checking as appropriate, goes a LONG way to raising the bar WAY up on the attacker. Just don't forget about endpoint security - waay too many sites deploy OpenSSL so credit card info can't be sniffed, and then leave the suckers in plaintext on the web server. :)
On Saturday 17 January 2004 11:18 am, Scott McGrath wrote:
It is also possible to sniff a network using only the RX pair so most of the tools to detect cards in P mode will fail. The new Cisco 6548's have TDR functionality so you could detect unauthorized connections by their physical characteristics.
But there are also tools like ettercap which exploit weaknesses within switched networks. See http://ettercap.sourceforge.net/ for more details (and gain some add'l grey hairs in the process).
The question here is what are you trying to defend against?
Maybe this is just a stupid comment, but if the original poster is that concerned with their LAN being sniffed, then maybe they should consider using IPSec on their LAN. -- Donovan Hill Electronics Engineering Technologist, CCNA www.lazyeyez.net, www.gwsn.com
It is also possible to sniff a network using only the RX pair so most of the tools to detect cards in P mode will fail. The new Cisco 6548's have TDR functionality so you could detect unauthorized connections by their physical characteristics.
But there are also tools like ettercap which exploit weaknesses within switched networks. See http://ettercap.sourceforge.net/ for more details (and gain some add'l grey hairs in the process).
The question here is what are you trying to defend against?
Maybe this is just a stupid comment, but if the original poster is that concerned with their LAN being sniffed, then maybe they should consider using IPSec on their LAN.
I read the ettercap service description, and still don't see how a rogue machine gets around this: Switched network of multiple switches, servers on each port have a hardcoded MAC on the switch port. (Ports will not work if the MAC is different than the one described). This prevents MAC flood and MAC poisoning. If you use VLAN to your router and give each server a /30 or /29 that you route its IPs down towards it, your router will only talk to each server in the IP block that has been described by the subnet mask. I know most people don't take the time to hard code their MACs onto their switch ports, but it really only takes a few seconds per switch with a little cutting & pasting -- as customer switches a network port, they just need to open a ticket to have the address changed. Am I missing something? Thanks, DJ
DJ> Date: Sat, 17 Jan 2004 14:57:19 -0500 DJ> From: Deepak Jain DJ> I know most people don't take the time to hard code their DJ> MACs onto their switch ports, but it really only takes a few DJ> seconds per switch with a little cutting & pasting -- as DJ> customer switches a network port, they just need to open a DJ> ticket to have the address changed. In the same vein, hardcoded router ARP entries in router configs also help. Yes, spoofed gratuitous ARP packets are detectable, but they can still cause trouble. Eddy -- Brotsman & Dreger, Inc. - EverQuick Internet Division Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita _________________________________________________________________ DO NOT send mail to the following addresses : blacklist@brics.com -or- alfra@intc.net -or- curbjmp@intc.net Sending mail to spambait addresses is a great way to get blocked.
On Sat, 17 Jan 2004, Scott McGrath wrote:
The question here is what are you trying to defend against?.
If that question was directed at me, I am just checking to make sure nothing is new on the packet sniffing / detecting scene that I haven't heard about. It also seemed to me to have been a long time since the subject of detecting packet sniffers was brought up. (not just on NANOG) I know there are ways to get around being detected, but I'm just trying to make sure I'm doing my best to catch the less than professional sniffers on my networks. Gerald
That's what I assumed but I asked the question anyhow just to confirm my assumption(s). Scott C. McGrath On Mon, 19 Jan 2004, Gerald wrote:
On Sat, 17 Jan 2004, Scott McGrath wrote:
The question here is what are you trying to defend against?.
If that question was directed at me, I am just checking to make sure nothing is new on the packet sniffing / detecting scene that I haven't heard about. It also seemed to me to have been a long time since the subject of detecting packet sniffers was brought up. (not just on NANOG)
I know there are ways to get around being detected, but I'm just trying to make sure I'm doing my best to catch the less than professional sniffers on my networks.
Gerald
On Sat, 17 Jan 2004, Sam Stickland wrote:
In an all switched network, sniffing can normally only be accomplished with MAC address spoofing (Man In The Middle). Watching for MAC address changes (from every machine's perspective), along with scanning for separate machines with the same ARP address, and using switches that can detect when a MAC address moves between ports will go a long way towards detecting sniffing.
My machines all scream bloody murder when an IP address has more than one MAC or even if the IP changes MAC addresses. One of the suggestions mailed to me off list: http://sniffdet.sourceforge.net/ I haven't looked in to it yet, but figured I would keep all of the suggestions in public view. Gerald
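The ARP checks Sam listed and Gerald's "scream bloody murder" rule (an IP with more than one MAC, or an IP that changes MAC), together with the hard-coded ARP entries Eddy mentions, as an added example that is not code from anyone in the thread. It runs over a constructed stream of ARP replies; the addresses, the pinned gateway entry and the alert names are this example's own.

```python
"""ARP consistency monitor: flags the three conditions discussed in the thread.

Input is a stream of ARP replies as a monitoring host would observe them
(constructed here).  Alerts are (seq, kind, detail) tuples.
"""

# Constructed ARP replies: (sequence number, sender IP, sender MAC).
ARP_REPLIES = [
    (1, "10.0.0.1", "00:11:22:33:44:01"),   # gateway
    (2, "10.0.0.20", "00:11:22:33:44:20"),
    (3, "10.0.0.21", "00:11:22:33:44:21"),
    (4, "10.0.0.1", "00:11:22:33:44:21"),   # gateway IP now resolves to .21's MAC
    (5, "10.0.0.20", "00:11:22:33:44:20"),  # benign refresh, nothing to report
    (6, "10.0.0.1", "00:11:22:33:44:21"),   # repeat of the bogus claim
]

# Entries the operator pins (hard-coded ARP on the router, port security on the switch).
STATIC_ARP = {"10.0.0.1": "00:11:22:33:44:01"}


def check_arp(replies, static=None):
    """Return alerts for a stream of (seq, ip, mac) ARP replies.

    kinds: 'static-mismatch'  a reply contradicts a pinned IP->MAC entry
           'ip-changed-mac'   an IP seen before now claims a different MAC
           'mac-shared'       one MAC is currently claimed by more than one IP
    """
    static = {ip: m.lower() for ip, m in (static or {}).items()}
    table = {}              # current IP -> MAC view built from observed replies
    reported_shared = set() # (ip, ip, ...) groups already alerted on
    alerts = []
    for seq, ip, mac in replies:
        mac = mac.lower()
        # 1. pinned entry disagrees with what the wire says
        if ip in static and static[ip] != mac:
            alerts.append((seq, "static-mismatch", f"{ip} pinned to {static[ip]}, saw {mac}"))
        # 2. an IP we know moved to another MAC
        prev = table.get(ip)
        if prev is not None and prev != mac:
            alerts.append((seq, "ip-changed-mac", f"{ip} {prev} -> {mac}"))
        table[ip] = mac
        # 3. the same MAC now answers for several IPs (reported once per group)
        owners = tuple(sorted(i for i, m in table.items() if m == mac))
        if len(owners) > 1 and owners not in reported_shared:
            reported_shared.add(owners)
            alerts.append((seq, "mac-shared", f"{mac} claimed by {', '.join(owners)}"))
    return alerts


if __name__ == "__main__":
    for seq, kind, detail in check_arp(ARP_REPLIES, STATIC_ARP):
        print(f"#{seq} {kind}: {detail}")
```

Sequence 4 raises all three alert kinds at once, which is the pattern a man-in-the-middle via ARP spoofing produces; sequence 6 raises only the static mismatch because the observed table already holds the bogus mapping. Without the pinned entry the monitor still catches the change and the sharing, but a legitimate NIC replacement or DHCP address reuse will also trip `ip-changed-mac`, so the alert needs a human or an inventory check behind it.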
On Fri, 16 Jan 2004, Gerald wrote:
Subject says it all. Someone asked the other day here for sniffers. Any progress or suggestions for programs that detect cards in promisc mode or sniffing traffic?
I should probably mention that I've already started looking at antisniff. I was hoping to find something that was currently maintained and still free while I investigate antisniff's capabilities. Or if there is more than one commercial one best bang for buck suggestions. Thanks to those who pointed it out to me again though. Gerald
On Fri, 2004-01-16 at 18:00, Gerald wrote:
I should probably mention that I've already started looking at antisniff. I was hoping to find something that was currently maintained and still free while I investigate antisniff's capabilities.
Antisniff is still the best software based tool for the job. It has far more extensive testing than anything else I've looked at. Of course the one blind spot with antisniff is that it can only detect sniffers that have an IP address assigned to them. To detect these you have to look at your switch statistics. Dead giveaway is a host receiving traffic, but never transmitting. There is a false positive for this condition however which is a hub plugged in the switch with no hosts attached. HTH, C
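The switch-statistics check above, and the RX-pair-only tap Scott mentioned earlier (which shows the same symptom), as an added example that is not code from anyone in the thread. The two counter snapshots are constructed, not real switch output, and the port names are made up; direction is the switch's own, so `out` is what the switch delivered toward the attached device and `in` is what came back from it.

```python
"""Spot switch ports that are delivered traffic but never send any.

A passive sniffer with no IP address, or a tap wired to the RX pair only,
looks exactly like this, which is why per-port counters catch what IP-based
probing cannot.  Deltas between two snapshots are used rather than absolute
counts, so a host that spoke once at boot and went silent is still caught.
"""

# Constructed counter snapshots some minutes apart: port -> (in_pkts, out_pkts, link_up).
SNAPSHOT_T0 = {
    "Gi1/0/1": (12_000, 9_500, True),   # ordinary host, talks both ways
    "Gi1/0/2": (0, 41_000, True),       # delivered everything, never sent a frame
    "Gi1/0/3": (3, 7_200, True),        # sent three frames long ago, silent since
    "Gi1/0/4": (0, 0, False),           # link down
    "Gi1/0/5": (800, 800, True),        # idle during the interval
}
SNAPSHOT_T1 = {
    "Gi1/0/1": (12_900, 10_100, True),
    "Gi1/0/2": (0, 46_300, True),
    "Gi1/0/3": (3, 7_950, True),
    "Gi1/0/4": (0, 0, False),
    "Gi1/0/5": (800, 800, True),
}


def rx_only_ports(t0, t1):
    """Ports with link up that were delivered frames in the interval and sent none.

    Returns {port: frames_delivered_in_interval}.
    """
    suspects = {}
    for port, (in1, out1, link_up) in t1.items():
        in0, out0, _ = t0.get(port, (0, 0, False))
        delta_in, delta_out = in1 - in0, out1 - out0
        if link_up and delta_out > 0 and delta_in == 0:
            suspects[port] = delta_out
    return suspects


if __name__ == "__main__":
    for port, delivered in rx_only_ports(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(f"{port}: {delivered} frames delivered, nothing received - check what is plugged in")
```

Gi1/0/3 is the case the delta approach exists for: its absolute input counter is non-zero, so a single snapshot would have cleared it. The check cannot tell an RX-only tap from the empty hub Chris describes; that distinction needs a physical look at the port (or the TDR feature Scott mentioned), so the output is a list to go and verify, not a verdict.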
Since all sniffers I know of are passive devices, there really shouldn't be a way to track one down. From a Cisco standpoint, if I were mirroring a port, and had a sniffer mirroring the sniffer port, I would see traffic of a unicast nature with multiple unicast MAC destinations destined at a switchport with only one MAC address cached. -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Gerald Sent: Friday, January 16, 2004 5:35 PM To: nanog@merit.edu Subject: sniffer/promisc detector Subject says it all. Someone asked the other day here for sniffers. Any progress or suggestions for programs that detect cards in promisc mode or sniffing traffic? Gerald
That is a battle that was lost at its beginning: the Ethernet 802.1d paradigm of "don't know where to send the packet, send it to all ports, forget where to send packets every minute" is the weak point. There are some common mistakes that sniffing kits do, that can be used to detect them (I think antisniff implements them all), but a better approach is to make promisc mode of no gain unless the attacker compromises the switch also. In Cisco-world, the solution is called Private VLANs. Nortel/Bay used to have ports that could belong to more than one VLAN, probably every other switch vendor has its own non-IEEE 802 compliant way of making a switched network more secure. Rubens ----- Original Message ----- From: "Gerald" <gcoon@inch.com> To: <nanog@merit.edu> Sent: Friday, January 16, 2004 8:35 PM Subject: sniffer/promisc detector
Subject says it all. Someone asked the other day here for sniffers. Any progress or suggestions for programs that detect cards in promisc mode or sniffing traffic?
Gerald
The best anti-sniffer is HoneyPot (it is a method, not a tool). Create so much false information (and track its usage) that hackers will be caught before they do something really wrong. Those who do not know - look at the standard, cage-like mouse trap with a piece of cheese inside. -:) ----- Original Message ----- From: "Rubens Kuhl Jr." <rubens@email.com> To: <nanog@merit.edu> Sent: Friday, January 16, 2004 3:18 PM Subject: Re: sniffer/promisc detector
That is a battle that was lost at its beginning: the Ethernet 802.1d paradigm of "don't know where to send the packet, send it to all ports, forget where to send packets every minute" is the weak point. There are some common mistakes that sniffing kits do, that can be used to detect them (I think antisniff implements them all), but a better approach is to make promisc mode of no gain unless the attacker compromises the switch also. In Cisco-world, the solution is called Private VLANs. Nortel/Bay used to have ports that could belong to more than one VLAN, probably every other switch vendor has its own non-IEEE 802 compliant way of making a switched network more secure.
Rubens
----- Original Message ----- From: "Gerald" <gcoon@inch.com> To: <nanog@merit.edu> Sent: Friday, January 16, 2004 8:35 PM Subject: sniffer/promisc detector
Subject says it all. Someone asked the other day here for sniffers. Any progress or suggestions for programs that detect cards in promisc mode or sniffing traffic?
Gerald
I think I'll pass this onto zen of Rob T. :) i think he said something along the lines of "security industry is here for my amusement" in the last nanog. so yea.. let's install bunch of honeypots and hope all those "stupid" "hackers" will get caught like the mouse. by the time you think your enemy is less capable than you, you've already lost the war. -J On Sat, Jan 17, 2004 at 02:31:06AM -0800, Alexei Roudnev wrote:
The best anti-sniffer is HoneyPot (it is a method, not a tool). Create so much false information (and track its usage) that hackers will be caught before they do something really wrong.
Those who do not know - look at the standard, cage-like mouse trap with a piece of cheese inside. -:)
----- Original Message ----- From: "Rubens Kuhl Jr." <rubens@email.com> To: <nanog@merit.edu> Sent: Friday, January 16, 2004 3:18 PM Subject: Re: sniffer/promisc detector
That is a battle that was lost at its beginning: the Ethernet 802.1d paradigm of "don't know where to send the packet, send it to all ports, forget where to send packets every minute" is the weak point. There are some common mistakes that sniffing kits do, that can be used to detect them (I think antisniff implements them all), but a better approach is to make promisc mode of no gain unless the attacker compromises the switch also. In Cisco-world, the solution is called Private VLANs. Nortel/Bay used to have ports that could belong to more than one VLAN, probably every other switch vendor has its own non-IEEE 802 compliant way of making a switched network more secure.
Rubens
----- Original Message ----- From: "Gerald" <gcoon@inch.com> To: <nanog@merit.edu> Sent: Friday, January 16, 2004 8:35 PM Subject: sniffer/promisc detector
Subject says it all. Someone asked the other day here for sniffers. Any progress or suggestions for programs that detect cards in promisc mode or sniffing traffic?
Gerald
-- James Jun (formerly Haesu) TowardEX Technologies, Inc. 1740 Massachusetts Ave. Boxborough, MA 01719 Consulting, IPv4 & IPv6 colocation, web hosting, network design & implementation http://www.towardex.com | james@towardex.com Cell: (978)394-2867 | Office: (978)263-3399 Ext. 170 Fax: (978)263-0033 | AIM: GigabitEthernet0 NOC: http://www.twdx.net | POC: HAESU-ARIN, HDJ1-6BONE
On Sat, 17 Jan 2004 12:55:17 EST, haesu@towardex.com said:
by the time you think your enemy is less capable than you, you've already lost the war.
On the other hand, does the fact that police usually only catch the stupid crooks mean that police forces are a bad idea? 1) How often is your site graced by the presence of a script kiddie who *would* fall for a honeypot, but who has enough exploits stashed to be a serious threat? (Remember, it only takes 1 unpatched 1U back there in row 17, rack 4, for him to get a foothold). 2) How often is your site visited by a talented Black Hat who's more capable than you, and who wouldn't be tricked by a honeypot? 3) How do you even know your answer to (2) is correct? Think long and hard about this one - when was the last time you took *everything* down and booted from known good media and checked for rootkits? And how do you know it was good media? (Go and re-read Ken Thompson's "On Trusting Trust" and Karger and Schell's paper on a Multics pen-test, and then take another REALLY close look at that boot CD.) I tend toward paranoia. However, I once received a box claiming to be from IBM Software Distribution, with the format of shipping labels that IBM SD had, and even sealed with IBM anti-tamper Q-tape the same way IBM SD does. There was a birthday card in it. Addressed to me. From a friend who wasn't an IBM employee at the time. I was most impressed. ;)
Sorry, but this _honeypot etc_ is _the only_ reliable defence. And, when I mean honey pot, I do not mean _install old linux with qpopper and wait_. I mean that, if there is concern about sniffing a network (which is a little strange, because it is not much use in sniffing a switched network), this means concern about leaking information. Usually, you do not get much from sniffing - you can not sniff SSL, can not sniff Win2K rdesktop, can not sniff 'ssh'. But you can sniff, for example, keyboard input (and the only protection against such things is SecurID etc), can try to get some passwords and so on. So, having a frauded account, even a frauded computer, exposing this account into the network, and tracking any attempt to use it is a very effective line of defense. I told already - _do not trust the smart books about security too much_, they misinterpret many things. For example, they treat _non standard port assignments_ as very ineffective, while in real life such a simple (0 cost) thing decreases the chance of breakage 10 - 1000 times (we investigated 3 months of logs and found that no one in the whole Internet scans a wide range of ports, and no one in real life uses tools reporting _real_ protocols, because they are dramatically slow and so useless). The same here - having frauded, 'labeled', information is a very effective 'complementary' defense - it lets you know when things got really wrong, when you have no other indications. And it has 0% false positives (if this account is never used and someone opened it, he is 100% a hacker or intruder. No other method provides you 0 false positives). PS. Even if you are listening to MAC broadcasts, you get much more than you expect. At one point, we found that we had all traffic to one of the servers 'broadcasted'; the reason was complicated - ARP timeout longer than CAM timeout + nonsymmetrical traffic.
You have no method to detect a passive sniffer (except a few tricks, which can work with a particular OS but do not work with other systems), and no good method to detect a keyboard sniffer. So, if you are very serious about security, you must use active defence. ----- Original Message ----- From: <haesu@towardex.com> To: "Alexei Roudnev" <alex@relcom.net> Cc: "Rubens Kuhl Jr." <rubens@email.com>; <nanog@merit.edu> Sent: Saturday, January 17, 2004 9:55 AM Subject: Re: sniffer/promisc detector
I think I'll pass this onto zen of Rob T. :)
i think he said something along the lines of "security industry is here for my amusement" in the last nanog.
so yea.. let's install bunch of honeypots and hope all those "stupid" "hackers" will get caught like the mouse.
by the time you think your enemy is less capable than you, you've already lost the war.
-J
On Sat, Jan 17, 2004 at 02:31:06AM -0800, Alexei Roudnev wrote:
The best anti-sniffer is HoneyPot (it is a method, not a tool). Create so much false information (and track its usage) that hackers will be caught before they do something really wrong.
Those who do not know - look at the standard, cage-like mouse trap with a piece of cheese inside. -:)
----- Original Message ----- From: "Rubens Kuhl Jr." <rubens@email.com> To: <nanog@merit.edu> Sent: Friday, January 16, 2004 3:18 PM Subject: Re: sniffer/promisc detector
That is a battle that was lost at its beginning: the Ethernet 802.1d paradigm of "don't know where to send the packet, send it to all ports, forget where to send packets every minute" is the weak point. There are some common mistakes that sniffing kits do, that can be used to detect them (I think antisniff implements them all), but a better approach is to make promisc mode of no gain unless the attacker compromises the switch also. In Cisco-world, the solution is called Private VLANs. Nortel/Bay used to have ports that could belong to more than one VLAN, probably every other switch vendor has its own non-IEEE 802 compliant way of making a switched network more secure.
Rubens
----- Original Message ----- From: "Gerald" <gcoon@inch.com> To: <nanog@merit.edu> Sent: Friday, January 16, 2004 8:35 PM Subject: sniffer/promisc detector
Subject says it all. Someone asked the other day here for sniffers. Any progress or suggestions for programs that detect cards in promisc mode or sniffing traffic?
Gerald
Criminal hackers _are_ stupid (like most criminals) for purely economical reasons: those who are smart can make more money in various legal ways, like by holding a good job or running their own business. Hacking into other people's computers does not pay well (if at all). Those who aren't in that for money are either psychopaths or adolescents, pure and simple. Neither of those are smart. The real smart ones - professionals - won't attack unless there's a chance of a serious payback. This excludes most businesses, and makes anything but a well-known script-based attack a very remote possibility. Honeypots are indeed a good technique to catch those attacks, and may be quite adequate for the probable threat model for most people. Of course, if you're doing security for a bank, or a nuclear plant, then you may want to adjust your expectations of adversary's motivation and capabilities and upgrade your defenses accordingly. But, then, bribing an insider or some other form of social engineering is going to be more likely than any direct network-based attack. For most other people a trivial packet-filtering firewall, lack of Windoze, and a switch instead of a hub will do just fine. --vadim On Sat, 17 Jan 2004 haesu@towardex.com wrote:
I think I'll pass this onto zen of Rob T. :)
i think he said something along the lines of "security industry is here for my amusement" in the last nanog.
so yea.. let's install bunch of honeypots and hope all those "stupid" "hackers" will get caught like the mouse.
by the time you think your enemy is less capable than you, you've already lost the war.
-J
On Sat, Jan 17, 2004 at 02:31:06AM -0800, Alexei Roudnev wrote:
The best anti-sniffer is HoneyPot (it is a method, not a tool). Create so much false information (and track its usage) that hackers will be caught before they do something really wrong.
let's be careful out there:
Criminal hackers _are_ stupid (like most criminals) for purely economical reasons: those who are smart can make more money in various legal ways, like by holding a good job or running their own business. Hacking into other people's computers does not pay well (if at all).
that depends on how you look at "hacking in". if bypassing spam filters and writing files (mail messages) on someone else's computer (inbox) is a form of "hacking in", then unfortunately it pays pretty well. if writing and propagating worms that create open proxies inside other people's computers so that you or others can use them to bypass spam filters is a form of "hacking in" then this too seems to pay pretty well these days.
Those who aren't in that for money are either psychopaths or adolescents, pure and simple. Neither of those are smart.
i wish you were right. i wish you were even close to right. but we've been attacked many times over the years by some extremely smart adolescent psychopaths -- where adolescence is a state of mind in this case, rather than of years -- and i wish very much that they would either stop being so smart, or stop being so psychotic, or stop being so adolescent.
The real smart ones - professionals - won't attack unless there's a chance of a serious payback. This excludes most businesses, and makes anything but a well-known script-based attack a very remote possibility.
that's just not so. ask me about it in person and i might tell you stories.
For most other people a trivial packet-filtering firewall, lack of Windoze, and a switch instead of a hub will do just fine.
this part, i agree with. -- Paul Vixie
i wish you were right. i wish you were even close to right. but we've been attacked many times over the years by some extremely smart adolescent psychopaths -- where adolescence is a state of mind in this case, rather than of years -- and i wish very much that they would either stop being so smart, or stop being so psychotic, or stop being so adolescent.
Hmm. It depends on what an _attack_ is. For example, if I have an old, unpatched sshd daemon (which is easy to hack), but run it at port 30022, how long do I need to expose it on the Internet to be hacked? (Answer - you will never be hacked, if you use a nonstandard port, except if you attract someone by name, such as _SSH-DAEMOn.Rich-Bank-Of-America.Com_.) Yes, all mass attacks are done by the dumb hackers. All smart attacks were done only because there was some very attractive purpose for this attack, known _out of band_. But I mentioned another thing. If (if) you have a real concern about information leakage, attack, etc, do not wait until it happens, but create false information, leak it and track its usage. If you get a scam message _I am paypal. You are expired. Please, send us your credit card and pin code_, do not ignore it - send some numbers _like real_ and track who and how will try to use them. Etc etc. This is 'honeypot' - to make a picture of the bear, do not roam the whole forest, bring honey, expose it to the bears and wait... PS. Sniffer... there is not any way to detect a sniffer in a non-switched network, and there is not much use for a sniffer in a switched network, if this network is configured properly and is watched for unusual events.
The real smart ones - professionals - won't attack unless there's a chance of a serious payback. This excludes most businesses, and makes anything but a well-known script-based attack a very remote possibility.
that's just not so. ask me about it in person and i might tell you stories.
For most other people a trivial packet-filtering firewall, lack of Windoze, and a switch instead of a hub will do just fine.
this part, i agree with. -- Paul Vixie
i wish you were right. i wish you were even close to right. but we've been attacked many times over the years by some extremely smart adolescent psychopaths -- where adolescence is a state of mind in this case, rather than of years -- and i wish very much that they would either stop being so smart, or stop being so psychotic, or stop being so adolescent.
Hmm. It depends on what an _attack_ is. For example, if I have an old, unpatched sshd daemon (which is easy to hack), but run it at port 30022, how long do I need to expose it on the Internet to be hacked? (Answer: you will never be hacked, if you use a nonstandard port, except if you attract someone by name, such as _SSH-DAEMOn.Rich-Bank-Of-America.Com_.)
Uhm, that would be wrong. This is simply "security through obscurity". Go grab nessus (www.nessus.org), modify the code a bit, and I guarantee you that your ssh daemon running on a non-standard port can still be found, identified, and exploited. Trivial. -b
On Mon, 19 Jan 2004 23:26:30 MST, Brett Watson <brett@the-watsons.org> said:
hacked? (Answer: you will never be hacked, if you use a nonstandard port, except if you attract someone by name, such as _SSH-DAEMOn.Rich-Bank-Of-America.Com_.)
Go grab nessus (www.nessus.org), modify the code a bit, and I guarantee you that your ssh daemon running on a non-standard port can still be found, identified, and exploited. Trivial.
Alexei's point is that *yes*, things like Nessus *will* find a relocated SSH - but that if you're getting Nessus scanned, somebody has painted a bullseye target on YOUR site, not "any site vulnerable to <exploit du jour>". The people looking for "any vulnerable site" will just go SSH-scanning on port 22 and be done with it, since it's simply NOT PRODUCTIVE to do an exhaustive test of each machine. One probe at port 22 will probably go under the radar, scanning all 65K ports is sure to peeve somebody off....
Uhm, that would be wrong. This is simply "security through obscurity".
Yes, it is wrong for the _smart books_. But it works in real life. Of course, it should not be the last line of defense; but it works as a first line very effectively. If I rate safety as a number (10 is the best, 0 is the worst):
- unpatched sshd on port 22 - safety is zero (will be hacked by an automated script in a few weeks)
- patched sshd on port 22 - safety is 5 (even patched sshd has bugs, and I do not know what happens first - I patch the next bug or a hacker's script finds this sshd and hacks it)
- unpatched sshd on port 30013 - safety is 7 (higher), because no automated script can find it, and no manual scan finds it in reality
- patched sshd on port 30013 - safety is 9
- turn off power - safety is 10.
A secure system is a dark system. (I did not rate firewalls etc.)
Go grab nessus (www.nessus.org), modify the code a bit, and I guarantee you
Yes, correct. Do it. Measure the scan time, and you will be surprised. Open old logs, and you will find that such things are not used; they are absolutely not effective for any wide scanning. And they are very easy to detect by IDS systems (it is useless to detect a port 22 scan - every hacker is doing it). Scan 65000 ports over a T1 link, using 'nessus', and see the time and traffic. It can be used by an insider on a 100,000 Mbit network only, and (just again) such a scan will be 100% caught by any IDS.
that your ssh daemon running on a non-standard port can still be found, identified, and exploited. Trivial.
Can != WILL. It WILL NOT. And it is the FIRST line of defense. But this line decreases the attack level by 10,000 times, and it costs 0 (zero). Do not read _smart books_ without some thinking. (There are many cases where it is impossible. But if it is possible, use it.) The second line of defense is a patched system, host IDS etc. etc. - standard security. It should not be the first line. And it should not be the last line. The last line of defense is a HoneyPot. PS. I worked as a RU-CERT expert, made traps, found and talked with hackers, investigated many cases, so I have some background. And, of course, I know _smart books theory_.
-b
In message <054c01c3df79$6049c4f0$6401a8c0@alexh>, "Alexei Roudnev" writes:
Uhm, that would be wrong. This is simply "security through obscurity".
Yes, it is wrong for the _smart books_. But it works in real life. Of course, it should not be the last line of defense; but it works as a first line very effectively.
Precisely. Don't count on security through obscurity -- there are targeted attacks, if nothing else -- but *after* you've taken all due precautions against a knowledgeable adversary, throwing in some obscurity can help, too. (Want a worked example? Ask the NSA to publish the algorithm for one of their top secret encryption algorithms...) But there's another major caveat: this sort of obscurity doesn't scale very well. It's fine to put ssh on another port if you have a relatively small community of reasonably sophisticated users who can cope, or if you can hand out canned configurations to less sophisticated users. But you couldn't easily put SMTP elsewhere, or no one could find you. You'd also have support problems with your user base if you tried doing that as an anti-relay technique. Obscurity works in small, closed communities. Beyond that, operational considerations can kill you. --Steve Bellovin, http://www.research.att.com/~smb
PS. Sniffer... there is not any way to detect a sniffer in a non-switched network, and there is not much use for a sniffer in a switched network, if this network is configured properly and is watched for unusual events.
depends on brand and model of switch
$ portinstall dsniff
$ man macof
-J
(and yes, the thread topic is about ways for _watching_ "the unusual events" aka sniffing)
The real smart ones - professionals - won't attack unless there's a chance of a serious payback. This excludes most businesses, and makes anything but a well-known script-based attack a very remote possibility.
that's just not so. ask me about it in person and i might tell you stories.
For most other people a trivial packet-filtering firewall, lack of Windoze, and a switch instead of a hub will do just fine.
this part, i agree with. -- Paul Vixie
-- James Jun (formerly Haesu) TowardEX Technologies, Inc. 1740 Massachusetts Ave. Boxborough, MA 01719 Consulting, IPv4 & IPv6 colocation, web hosting, network design & implementation http://www.towardex.com | james@towardex.com Cell: (978)394-2867 | Office: (978)263-3399 Ext. 170 Fax: (978)263-0033 | AIM: GigabitEthernet0 NOC: http://www.twdx.net | POC: HAESU-ARIN, HDJ1-6BONE
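Two of the "unusual events" named in this thread can be watched for with one piece of logic: Alexei's remark that scanning 65000 ports is caught by any IDS while a lone port-22 probe is not, and James's pointer to macof, which defeats a switch by flooding it with frames from many different source MACs. Both are "one key produces an implausible number of distinct values in a short window". The block below is an added example written for this page; it is not code from the thread, from dsniff, from nessus or from any IDS. The connection-log format, the (timestamp, port, MAC) frame records, the thresholds and the function names (burst_detector, find_port_scanners, find_mac_floods) are all constructed assumptions.

```python
"""Sliding-window detector for "many distinct values from one key in a short time".

Added example (not from the thread or any tool it names). The same routine
flags a source touching many destination ports (an exhaustive port scan) and
a switch port seeing many source MACs (macof-style CAM-table flooding).
All input below is constructed; the log line format is an assumption.
"""
from collections import defaultdict, deque
from datetime import datetime


def burst_detector(events, window_seconds, threshold):
    """events: iterable of (ts_seconds, key, value), in any order.

    Returns {key: peak_distinct_values} for every key that, within some span
    of window_seconds, produced at least `threshold` distinct values.
    """
    recent = defaultdict(deque)          # key -> deque of (ts, value) inside the window
    alerts = {}
    for ts, key, value in sorted(events):
        q = recent[key]
        q.append((ts, value))
        while ts - q[0][0] > window_seconds:   # expire entries older than the window
            q.popleft()
        distinct = len({v for _, v in q})
        if distinct >= threshold:
            alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts


# ---- port-scan view: constructed firewall-style connection log --------------
# Assumed line format: "<ISO time> <src> -> <dst>:<dport>"
def constructed_conn_log():
    lines = ["2004-01-20T10:00:00 198.51.100.7 -> 192.0.2.10:22"]   # one lone probe
    for i, port in enumerate(range(1, 31)):                        # 30 ports in 30 s
        lines.append(f"2004-01-20T10:01:{i:02d} 203.0.113.5 -> 192.0.2.10:{port}")
    return "\n".join(lines)


def conn_events(log_text):
    """Parse the constructed log into (ts_seconds, src_ip, dport) tuples."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst = line.split()
        _dst_ip, dport = dst.rsplit(":", 1)
        yield datetime.fromisoformat(ts).timestamp(), src, int(dport)


def find_port_scanners(log_text, window_seconds=60, port_threshold=20):
    """Sources that hit >= port_threshold distinct ports within window_seconds."""
    return burst_detector(conn_events(log_text), window_seconds, port_threshold)


# ---- MAC-flood view: constructed (ts_seconds, ingress_port, source_mac) frames
def constructed_frames():
    # port1: two legitimate hosts alternating; port3: 500 distinct MACs in 10 s
    frames = [(float(t), "port1", f"00:00:5e:00:53:0{1 + t % 2}") for t in range(0, 60, 5)]
    for i in range(500):
        frames.append((30.0 + i / 50, "port3", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"))
    return frames


def find_mac_floods(frames, window_seconds=10.0, mac_threshold=100):
    """Switch ports that learn >= mac_threshold distinct source MACs within window_seconds."""
    return burst_detector(frames, window_seconds, mac_threshold)


if __name__ == "__main__":
    print("port scanners:", find_port_scanners(constructed_conn_log()))
    print("mac floods:", find_mac_floods(constructed_frames()))
```

The lone port-22 probe never reaches the threshold, which is exactly the asymmetry Alexei describes, while the 30-port sweep and the MAC flood both trip it. In practice the thresholds come from a baseline of the network concerned; an access port normally learns a handful of MACs, so a count in the hundreds is a strong flooding signal regardless of the exact cut-off.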
Thus spake Gerald (gcoon@inch.com) [16/01/04 18:32]:
Subject says it all. Someone asked the other day here for sniffers. Any progress or suggestions for programs that detect cards in promisc mode or sniffing traffic?
There's an art to detecting promiscuous devices.[1] A good starting point is Google and the phrase 'promiscuous detect'. IIRC, L0pht once produced something that claimed to detect all promiscuous devices on a network; I never got it to work properly. - Damian
[1] General consensus is that most well-written OSes are near impossible to detect; some older ones have various methods of detection, usually involving either broadcast traffic or timing.
participants (19)
- Alexei Roudnev
- Brett Watson
- Chris Brenton
- Damian Gerow
- Deepak Jain
- Donovan Hill
- E.B. Dreger
- Gerald
- haesu@towardex.com
- Joel Jaeggli
- Laurence F. Sheldon, Jr.
- Paul Vixie
- Rubens Kuhl Jr.
- Sam Stickland
- Scott McGrath
- Steven M. Bellovin
- Vadim Antonov
- Valdis.Kletnieks@vt.edu
- Wojtek Zlobicki