Sniffing the sniffers - detecting passive protocol analysers - PowerPoint PPT Presentation

Slides: 14
Provided by: craig60
Transcript and Presenter's Notes

1
Sniffing the sniffers - detecting passive
protocol analysers
  • John Baldock, Intel Corp
  • Craig Duffy, Bristol UWE

2
What is Passive Protocol Analysis?
  • Also known as sniffing
  • Assumed TCP/IP V4 broadcast networks
  • Easy connection into network
  • MAC card into promiscuous mode
  • Monitor traffic for certain ports, e.g. 21 (FTP)
  • Look for certain packets, e.g. with the SYN bit set

3
Why is it so difficult to detect sniffers?
  • The attack is essentially passive
  • They don't generate unusual traffic
  • They are normally linked to active intrusion
    attacks
  • Only requires a standard machine
  • Threat is always seen as external
  • Though it rarely is: 80% are internal!

4
Janet network security compromises

5
Some tests for sniffers
  • ICMP echo response
  • DNS Lookup
  • ICMP echo response latency
  • Fake user and password
  • Unrecognised MAC address
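
One way to run the "unrecognised MAC address" check, as an added example that is not code from the presentation: parse an ARP table listing and report any hardware address missing from a site inventory. The sample listing (in the style of `arp -an` output), the inventory and all function names are constructed for illustration.

```python
import re

# Constructed sample in the style of `arp -an` output (not from the slides).
SAMPLE_ARP = """\
? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.20) at 0:1A:2b:3c:4D:5e [ether] on eth0
? (192.168.1.37) at de:ad:be:ef:00:01 [ether] on eth0
? (192.168.1.38) at de:ad:be:ef:00:01 [ether] on eth0
? (192.168.1.99) at <incomplete> on eth0
"""

# Hypothetical inventory of MAC addresses the site has registered.
KNOWN_MACS = {"00:11:22:33:44:55", "00:1a:2b:3c:4d:5e"}

# An unresolved "<incomplete>" entry has no hex address and does not match.
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9A-Fa-f:]+) ")


def normalise_mac(mac):
    """Lower-case and zero-pad each octet so '0:1A' and '00:1a' compare equal."""
    octets = mac.split(":")
    if len(octets) != 6 or not all(1 <= len(o) <= 2 for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(o.lower().zfill(2) for o in octets)


def parse_arp(text):
    """Return {mac: set(ips)} for every resolved entry in the listing."""
    seen = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            seen.setdefault(normalise_mac(m["mac"]), set()).add(m["ip"])
    return seen


def audit(text, known):
    """Return {mac: [ips]} for addresses that are not in the inventory."""
    known = {normalise_mac(k) for k in known}
    seen = parse_arp(text)
    return {mac: sorted(ips) for mac, ips in seen.items() if mac not in known}


if __name__ == "__main__":
    for mac, ips in audit(SAMPLE_ARP, KNOWN_MACS).items():
        print(f"unrecognised MAC {mac} seen for {', '.join(ips)}")
```

Normalising before comparison matters because different tools print the same address with or without leading zeros and in either case.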

6
ICMP Echo response test

7
ICMP Echo latency test

8
The ARP check test results

9
The check ping test results

10
The latency test results

11
Future developments
  • We are creating
  • Test to profile machines on a network using
    sampling
  • Use of control machine
  • Expert systems to filter data

12
What is to be done? 1
  • Fixes at topology and switching level
  • Change from broadcast to switched networks
  • Use of intelligent hubs
  • Fix ports to MAC addresses
  • Implement reflexive filtering

13
What is to be done? 2
  • Fixes at protocol level
  • Encrypt everything!
  • Use SSH
  • One time passwords
  • VPNs
  • IPng/IPv6