Sniffing the sniffers - detecting passive protocol analysers
John Baldock, Intel Corp
Craig Duffy, Bristol UWE
What is Passive Protocol Analysis?
• Also known as sniffing
• Assumes TCP/IP v4 broadcast networks
• Easy connection into the network
• MAC card put into promiscuous mode
• Monitor traffic for certain ports, e.g. 21 (ftp)
• Look for certain packets, e.g. those with the SYN bit set
Why is it so difficult to detect sniffers?
• The attack is essentially passive
• They don’t generate unusual traffic
• They are normally linked to active intrusion attacks
• Only requires a standard machine
• The threat is always seen as external
• Though it rarely is – 80% are internal!
Janet network security compromises

Period    Root compromises    Password sniffer found
1995 Q1   3                   1
1995 Q2   2                   0
1995 Q3   11                  4
1995 Q4   10                  2
1996 Q1   5                   3
1996 Q2   10                  4
1996 Q3   6                   2
1996 Q4   11                  5
1997 Q1   5                   2
Total     63                  23
Some tests for sniffers
• ICMP echo response
• DNS lookup
• ICMP echo response latency
• Fake user and password
• Unrecognised MAC address
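The ICMP echo response test from the list above, as an added example that is not part of the slides: a model of a LAN where each host applies its card's MAC filter in front of a minimal IP/ICMP stack, and the prober pings every host with a destination MAC nobody owns. A normal card drops the frame; a card in promiscuous mode passes it up, and the IP layer, seeing its own address, answers. The MACs, addresses and the bogus MAC are constructed sample values.

```python
import socket
import struct

BOGUS_MAC = bytes.fromhex("02deadbeef01")  # assumption: no NIC on the LAN owns this
BROADCAST = b"\xff" * 6

def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_frame(dst_mac, src_mac, dst_ip, src_ip, icmp_type=8):
    """Ethernet II + IPv4 + ICMP echo (type 8 request, type 0 reply) as raw bytes."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + b"sniffer-test"
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                        socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    iphdr = iphdr[:10] + struct.pack("!H", ip_checksum(iphdr)) + iphdr[12:]
    return dst_mac + src_mac + b"\x08\x00" + iphdr + icmp

class Host:
    """Simulated LAN host: hardware MAC filter in front of a minimal IP/ICMP stack."""
    def __init__(self, mac, ip, promiscuous=False):
        self.mac, self.ip, self.promiscuous = mac, ip, promiscuous

    def receive(self, frame):
        """Return an echo-reply frame, or None if the host drops the frame."""
        dst_mac, src_mac = frame[:6], frame[6:12]
        # The card only passes up frames for its own MAC or broadcast; a card in
        # promiscuous mode skips this filter and hands everything to the IP layer.
        if not self.promiscuous and dst_mac not in (self.mac, BROADCAST):
            return None
        if frame[12:14] != b"\x08\x00":
            return None
        iphdr, icmp = frame[14:34], frame[34:]
        if socket.inet_ntoa(iphdr[16:20]) != self.ip or iphdr[9] != 1 or icmp[0] != 8:
            return None
        # The IP layer never re-checks the MAC, so it answers the echo request.
        return build_icmp_frame(src_mac, self.mac, socket.inet_ntoa(iphdr[12:16]), self.ip, 0)

def find_promiscuous(hosts, prober_mac, prober_ip):
    """Ping each host with a bogus destination MAC; hosts that reply are sniffing."""
    return sorted(h.ip for h in hosts
                  if h.receive(build_icmp_frame(BOGUS_MAC, prober_mac, h.ip, prober_ip)))

if __name__ == "__main__":
    lan = [Host(bytes.fromhex("0200000000aa"), "10.0.0.10"),
           Host(bytes.fromhex("0200000000bb"), "10.0.0.11", promiscuous=True)]
    print(find_promiscuous(lan, bytes.fromhex("0200000000fe"), "10.0.0.1"))  # ['10.0.0.11']
```

On a real network the same frame would be sent through a raw socket and the reply captured; the model keeps only the filtering decision that makes the test work.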
Future developments
• We are creating:
• Tests to profile machines on a network using sampling
• Use of a control machine
• Expert systems to filter data
What is to be done? #1
• Fixes at topology and switching level
• Change from broadcast to switched networks
• Use of ‘intelligent’ hubs
• Fix ports to MAC addresses
• Implement reflexive filtering
What is to be done? #2
• Fixes at protocol level
• Encrypt everything!
• Use SSH
• One-time passwords
• VPNs
• IPng/IPv6