Countermeasures

There are countermeasures to sniffing.

Antisniff

The first countermeasure is a package called antisniff, developed by Dr. Mudge of the L0pht. It's available from http://www.securitysoftwaretech.com/antisniff/dist/anti_sniff_researchv1-1-2.tar.gz. It's very effective at finding sniffing machines, and it uses several tests to detect them. First, it exploits a Linux kernel flaw to see if the network card is in promiscuous mode. Then it runs several other operating-system-specific tests. Then it gets really clever. It pings every computer on the network to see how fast each responds. Next it constructs a conversation between two nonexistent MAC addresses and sends out lots of packets. Then it pings every computer again. All of the computers that are in nonpromiscuous mode have been ignoring this bogus traffic, which means they respond just as quickly as they did the first time. The sniffing station, however, is busy processing all this bogus data, so its response will be slower than it was the first time. Antisniff is very effective, but it's not foolproof: there are sniffers that will evade it. Regardless, it's a useful tool.
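The two checks described above, the promiscuous-mode test and the latency test, reduced to their decision logic. This is an added example, not antisniff's own code: the promiscuous check reads the Linux sysfs file /sys/class/net/<iface>/flags and tests the real kernel flag bit IFF_PROMISC (0x100) on the local host, rather than using antisniff's kernel-flaw probe, and the round-trip times below are constructed sample data, not measurements. The slowdown comparison uses the network-wide median so that the extra latency the burst itself imposes on everybody does not get every host flagged.

```python
"""Sniffer-detection decision logic in the style antisniff uses (added example).

  iface_is_promiscuous(flags_text)       - IFF_PROMISC bit of /sys/class/net/<iface>/flags
  flag_slow_responders(baseline, loaded) - hosts whose ping RTT rose far more than
                                           the rest of the network's during the burst
"""
import statistics
from pathlib import Path

IFF_PROMISC = 0x100  # Linux net_device flag: card accepts frames for any MAC address


def iface_is_promiscuous(flags_text: str) -> bool:
    """flags_text is the content of /sys/class/net/<iface>/flags, e.g. '0x1103\\n'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def flag_slow_responders(baseline, loaded, ratio=2.0):
    """Return hosts whose slowdown is at least `ratio` times the network's median slowdown.

    baseline and loaded map host -> ping round-trip time in ms, measured before and
    during the burst of traffic addressed to nonexistent MACs.  A card in normal mode
    drops those frames in hardware, so its host's RTT barely moves; the host that is
    reading every frame has to process them all and answers late.
    """
    slowdowns = {}
    for host, before in baseline.items():
        after = loaded.get(host)
        if after is None or before <= 0:  # no second sample, or unusable baseline
            continue
        slowdowns[host] = after / before
    if not slowdowns:
        return []
    typical = statistics.median(slowdowns.values())
    return sorted(h for h, s in slowdowns.items() if s >= ratio * typical)


# Constructed sample: four hosts, one of which (10.0.0.3) answers much later
# under load while the others only pick up the burst's background latency.
SAMPLE_BASELINE_MS = {"10.0.0.1": 0.40, "10.0.0.2": 0.50, "10.0.0.3": 0.45, "10.0.0.4": 0.50}
SAMPLE_LOADED_MS = {"10.0.0.1": 0.50, "10.0.0.2": 0.60, "10.0.0.3": 3.90, "10.0.0.4": 0.55}


if __name__ == "__main__":
    # Audit the local host's own interfaces (Linux sysfs layout assumed).
    for flags_file in Path("/sys/class/net").glob("*/flags"):
        state = "PROMISC" if iface_is_promiscuous(flags_file.read_text()) else "normal"
        print(f"{flags_file.parent.name}: {state}")
    print("slow under load:", flag_slow_responders(SAMPLE_BASELINE_MS, SAMPLE_LOADED_MS))
```

The ratio threshold is deliberately coarse; on a real segment you would repeat the measurement a few times and compare medians per host, since a single busy server can produce the same symptom without sniffing anything.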

It is, however, a bit arcane. It's relatively self-explanatory to compile and run, and it has a handful of options. But after compiling it on my kernel-2.4.0 machine, I couldn't get it to detect a sniffer on another machine on my network. It apparently has limited utility on kernel-2.4 machines, or I'm simply an idiot. It's hard to say. Either of these things may be fixed in the future, but since the L0pht has sold this code to securitysoftwaretech.com (and I'm relatively uneducable), they may not.

Depth in Defense

The next countermeasure is eliminating clear-text protocols. Replace Telnet and RCP (Unix Remote Copy) with OpenSSH (see Chapter 14). OpenSSH never actually sends passwords in the clear, and it encrypts every packet. It's not unbreakable, but it will keep pretty much any nongovernmental agency from sniffing your Telnet sessions. SCP (secure copy) is SSH's remote copy program. None of my machines use FTP anymore; they use SCP instead. It's a little more difficult to use, but again it keeps me from passing things in the clear, which is good. OpenSSH is available from http://www.openssh.org/.

You could also try one-time passwords, but don't. Users will hate them.

An in-depth defense is the only real defense. Just as the Soviet Army broke the back of the Nazi German assault by using a 3-mile-deep defense at Stalingrad, you can stave off crackers by securing each machine to the utmost. Turn off services you aren't using. See Jose Nazario's presentation at http://cwrulug.cwru.edu/talks/security/index.html. See the Linux security HOWTO at http://www.linuxdoc.org/HOWTO/Security-HOWTO.html.
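A way to check a Linux host against both pieces of advice above, retiring clear-text protocols and turning off unused services, is to inventory what is actually listening. The following is an added example, not the book's code: it parses the IPv4 socket table in /proc/net/tcp (state 0A is LISTEN; addresses are stored as little-endian hex, as on x86), lists every listening socket with its owning uid, and flags the well-known ports of Telnet, FTP and the BSD r-services that rcp/rsh/rlogin use. The table contents below are constructed sample data; IPv6 sockets in /proc/net/tcp6 use 32-digit addresses and are not handled.

```python
"""Inventory listening TCP sockets and flag clear-text services (added example)."""
from pathlib import Path

LISTEN = "0A"  # TCP state code for a listening socket in /proc/net/tcp

# Well-known ports of the clear-text services the chapter says to replace with
# SSH/SCP: Telnet, FTP and the BSD r-services behind rcp, rlogin and rsh.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 512: "exec", 513: "login", 514: "shell"}


def _hex_ipv4(hex_addr: str) -> str:
    """/proc/net/tcp writes IPv4 addresses as 8 hex digits in host (x86: little-endian) order."""
    return ".".join(str(b) for b in bytes.fromhex(hex_addr)[::-1])


def listening_sockets(proc_net_tcp: str):
    """Return (ip, port, uid) for every LISTEN row in the text of /proc/net/tcp, by port."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        ip_hex, port_hex = fields[1].split(":")
        found.append((_hex_ipv4(ip_hex), int(port_hex, 16), int(fields[7])))
    return sorted(found, key=lambda s: s[1])


def cleartext_listeners(sockets):
    """Subset of listening sockets belonging to a known clear-text service."""
    return [(ip, port, CLEARTEXT_PORTS[port]) for ip, port, _ in sockets if port in CLEARTEXT_PORTS]


# Constructed sample: sshd on 22 (fine), telnetd on 23 (should go), a local-only
# SMTP listener on 127.0.0.1:25, and one established outbound SSH session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18433 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18556 1 0000000000000000 100 0 0 10 0
   2: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18600 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:C1F2 0B00000A:0016 01 00000000:00000000 00:00000000 00000000  1000        0 22011 1 0000000000000000 20 4 30 10 -1
"""


if __name__ == "__main__":
    table = Path("/proc/net/tcp")
    text = table.read_text() if table.exists() else SAMPLE_PROC_NET_TCP
    sockets = listening_sockets(text)
    for ip, port, uid in sockets:
        print(f"listening {ip}:{port} (uid {uid})")
    for ip, port, name in cleartext_listeners(sockets):
        print(f"clear-text service still running: {name} on {ip}:{port}")
```

Run it as root on each box and compare the list against what the machine is actually for; anything in the clear-text list should be replaced by its SSH equivalent, and anything else you don't recognise is a candidate for turning off.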

Multitool Linux: Practical Uses for Open Source Software
ISBN: 0201734206
Year: 2002
Pages: 257
