One of the main factors behind the high success rate of a persistent attack is the "low-and-slow" approach: an attacker who only listens generates almost nothing for defenders to notice. Detecting passive attackers in a network is not the most exciting conversation in the security world, but it is an important one.
I recently came across a paper [1] which, although written quite a while ago, discusses techniques for detecting devices in promiscuous mode on a network (i.e. a network interface that accepts every frame on the segment, not just those addressed to it). The paper draws heavily on the techniques used by AntiSniff, a tool developed by the security group L0pht Heavy Industries more than a decade ago.
AntiSniff uses a number of non-intrusive tests to determine whether a machine is in promiscuous mode. Two of them are:
DNS test; and
Machine Latency test.
DNS Test
The DNS test exploits a habit of sniffers and of the people who run them: most packet capture tools resolve the IP addresses they see into hostnames for display. AntiSniff first sends out a packet addressed to a bogus machine, an IP address that no legitimate host on the segment owns or has any reason to contact. It then watches for DNS traffic. If any device performs a reverse (PTR) lookup for that bogus address, the only way it could have learned of the address is by capturing the decoy packet, so a sniffer is very likely running on that device.
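The detection logic of the DNS test, as an added example that is not code from the original post or from AntiSniff itself: a decoy address is chosen, the PTR name a resolver would ask for is derived from it, and every DNS query observed afterwards is parsed so that hosts asking for that name can be flagged. The decoy address, the observing hosts and the query payloads below are constructed for the demonstration; the small DNS encoder exists only to build that sample traffic.

```python
import ipaddress
import struct

# Hypothetical decoy address for the test: nothing on the segment owns it, so
# only a host that captured the decoy packet has a reason to resolve it.
DECOY_IP = "192.168.1.200"

QTYPE_A = 1
QTYPE_PTR = 12
QCLASS_IN = 1


def ptr_name(ip: str) -> str:
    """The reverse-lookup name a resolver asks for when mapping ip to a host."""
    return ipaddress.ip_address(ip).reverse_pointer  # e.g. 200.1.168.192.in-addr.arpa


def encode_qname(name: str) -> bytes:
    """Encode a dotted name as DNS labels: length byte, label, ..., 0 terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header, one question, no other sections.
    Used here only to construct sample traffic for the example."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(payload: bytes):
    """Return (qname, qtype) of the first question in a DNS message."""
    if len(payload) < 12:
        raise ValueError("truncated header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, off = [], 12
    while True:
        if off >= len(payload):
            raise ValueError("truncated name")
        length = payload[off]
        off += 1
        if length == 0:
            break
        if length >= 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[off:off + length].decode("ascii"))
        off += length
    if off + 4 > len(payload):
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", payload[off:off + 2])[0]
    return ".".join(labels), qtype


def sniffer_suspects(decoy_ip: str, observed):
    """observed: iterable of (source_host, dns_query_payload) seen after the
    decoy packet went out. Any host asking for the decoy's PTR record is
    flagged; no legitimate process was ever told about that address."""
    target = ptr_name(decoy_ip).lower()
    hits = set()
    for src, payload in observed:
        try:
            qname, qtype = parse_question(payload)
        except ValueError:
            continue  # malformed or not DNS at all; ignore
        if qtype == QTYPE_PTR and qname.lower() == target:
            hits.add(src)
    return sorted(hits)


# Constructed sample of DNS queries "seen" on the segment (not a real capture).
OBSERVED_QUERIES = [
    ("10.0.0.5", build_query(ptr_name(DECOY_IP), QTYPE_PTR)),   # resolves the decoy
    ("10.0.0.7", build_query("example.com", QTYPE_A)),           # ordinary forward lookup
    ("10.0.0.9", build_query(ptr_name("10.0.0.1"), QTYPE_PTR)),  # PTR for a real host
    ("10.0.0.11", b"\x00\x01garbage"),                           # not a DNS message
]

if __name__ == "__main__":
    print("hosts resolving the decoy address:", sniffer_suspects(DECOY_IP, OBSERVED_QUERIES))
```

Only a lookup for the decoy's exact PTR name counts; reverse lookups for real hosts are normal background noise. The test says nothing about a sniffer configured not to resolve names (for instance tcpdump's `-n`), which is the main way to evade it.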
Machine Latency Test
An even simpler test relies on a network performance baseline. AntiSniff first sends ICMP echo requests to every device on the network and records the normal response times. It then floods the segment with traffic addressed to nobody in particular (frames carrying a destination MAC that no host owns), and pings every device again. A non-promiscuous interface discards those frames in hardware and its host barely notices, but a host in promiscuous mode must pass every flooded frame up to the kernel and on to the sniffer, and its echo replies slow down noticeably. Devices whose latency rises far above their baseline might therefore be running in promiscuous mode. Both tests presume that the sniffer shares the segment with the decoy traffic; on a switched network the flood and the decoy packet only reach a passive host if it has already arranged to receive them (for instance through a mirrored port or ARP spoofing).
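The comparison step of the latency test, as an added example that is not code from the original post or from AntiSniff: per-host round-trip times measured idle and again under the flood are compared by their medians, and a host whose loaded RTT exceeds its baseline by more than a chosen factor is flagged. The threshold, the minimum sample count and the RTT figures below are assumptions constructed for the example, not values taken from the paper.

```python
from statistics import median

# Hypothetical tuning values: a host is flagged when its median RTT under load
# is at least RATIO_THRESHOLD times its idle median. The right factor depends
# on the network and is not something the AntiSniff paper prescribes.
RATIO_THRESHOLD = 3.0
MIN_SAMPLES = 3


def latency_ratio(baseline_ms, loaded_ms):
    """Median loaded RTT divided by median idle RTT, or None if there is too
    little data. Medians are used so that one lost or delayed echo reply does
    not skew the verdict the way a mean would."""
    if len(baseline_ms) < MIN_SAMPLES or len(loaded_ms) < MIN_SAMPLES:
        return None
    base = median(baseline_ms)
    if base <= 0:
        return None
    return median(loaded_ms) / base


def classify_hosts(measurements, threshold=RATIO_THRESHOLD):
    """measurements: {host: (idle_rtts_ms, loaded_rtts_ms)}.
    Returns {host: 'suspect' | 'normal' | 'inconclusive'}."""
    verdicts = {}
    for host, (baseline, loaded) in measurements.items():
        ratio = latency_ratio(baseline, loaded)
        if ratio is None:
            verdicts[host] = "inconclusive"
        elif ratio >= threshold:
            verdicts[host] = "suspect"
        else:
            verdicts[host] = "normal"
    return verdicts


# Constructed sample RTTs in milliseconds (not real measurements): idle pings
# first, then pings taken while the segment is flooded with frames addressed
# to a MAC no host owns.
SAMPLE_MEASUREMENTS = {
    "10.0.0.5": ([0.41, 0.44, 0.39, 0.42], [3.10, 2.95, 3.40, 3.05]),  # climbs about 7x
    "10.0.0.7": ([0.40, 0.43, 0.41, 0.45], [0.48, 0.52, 0.47, 0.50]),  # barely moves
    "10.0.0.9": ([0.38, 0.40, 0.39, 0.41], [0.42, 9.80]),              # too few loaded samples
}

if __name__ == "__main__":
    for host, verdict in classify_hosts(SAMPLE_MEASUREMENTS).items():
        print(host, verdict, latency_ratio(*SAMPLE_MEASUREMENTS[host]))
```

A rising ratio is evidence, not proof: a host that happens to be busy during the flood, or one with a slow driver, will also slow down, so a suspect result is a reason to look at the machine, not a conviction. Hosts with too few samples are reported as inconclusive rather than silently treated as clean.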
References
[1] Ryan Spangler, Packet Sniffer Detection with AntiSniff, May 2003.
[2] Dave Kearns, AntiSniff software allows you to turn the tables on packet sniffers, Aug 1999.
Shared by Emil Tan, Skipper & Co-Founder, Div0.