What are Sniffers?
Sniffers are almost as old as the Internet itself. They are one of the first tools that allowed system administrators to
analyze their network and pinpoint where a problem is occurring. Unfortunately, crackers also run sniffers to spy on your network and steal various kinds of data. This paper discusses what a sniffer is, some of the more popular sniffers, and ways to protect your network against them. It also talks about a popular tool called Antisniff, which allows you to automatically detect sniffers running on your network.
What are Sniffers ?
In a non-switched network, Ethernet frames broadcast to all machines on the network, but only the computer that the packets are destined for will respond. All of the other machines on that network still see the packet, but if they are not the intended receiver, they will disregard it. When a computer is running sniffer software and it’s network interface is in promiscuous mode (where it listens for ALL traffic), then the computer has the ability to view all of the packets crossing the network.
If you are an Internet history buff and have been wondering where the term sniffer came from. Sniffer was a product that was originally sold by Network General. It became the market leader and people starting referring to all network
analyzers as “sniffers.” I guess these are the same people who gave the name Q-Tip to cotton swabs.
Who uses Sniffers ?
LAN/WAN administrators use sniffers to analyze network traffic and help determine where a problem is on the network. A security administrator could use multiple sniffers, strategically placed throughout their network, as an intrusion detection system. Sniffers are great for system administrators, but they are also one of the most common tools a hacker uses.
Crackers install sniffers to obtain usernames, passwords, credit card numbers, personal information, and other
information that could be damaging to you and your company if it turned up in the wrong hands. When they obtain this information, crackers will use the passwords to attack other Internet sites and they can even turn a profit from selling credit card numbers.
One of the most obvious ways of protecting your network against sniffers is not to let them get broken into in the first
place. If a cracker cannot gain access to your system, then there is no way for them to install a sniffer onto it. In a perfect world, we would be able to stop here. But since there are an unprecedented number of security holes found each month and most companies don’t have enough staff to fix these holes, then crackers are going to exploit vulnerabilities and install sniffers. Since crackers favor a central location where the majority of network traffic passes (i.e. Firewalls, proxies), then these are going to be their prime targets and should be watched closely. Some other possible “victims” where crackers like to install sniffers are next to servers where personal information can be seen (i.e. Webservers, SMTP servers).
A good way to protect your network against sniffers is to segment it as much as possible using Ethernet switches instead of regular hubs. Switches have the ability to segment your network traffic and prevent every system on the network from being able to “see” all packets. The drawback to this solution is cost. Switches are two to three times more expensive then hubs, but the trade-off is definitely worth it. Another option, which you can combine with a switched environment, is to use encryption. The sniffer still sees the traffic, but it is displayed as garbled data. Some drawbacks of using encryption are the speed and the chance of you using a weak encryption standard that can be easily broken. Almost all encryption will introduce delay into your network. Typically, the stronger the encryption, the slower the machines using it will communicate. System administrators and users have to compromise somewhere in the middle. Even though most system administrators would like to use the best encryption on the market, it is just not practical in a world where security is seen as a profit taker, not a profit maker. Hopefully the new encryption standard that should be out shortly, AES (Advanced Encryption Standard), will provide strong enough encryption and transparency to the user to make everybody happy.
Some form of encryption is better then no encryption at all. If a cracker is running a sniffer on your network and notices that all of the data that he (or she) is collecting is garbled, then most likely they will move on to another site that does not use encryption. But a paid or determined hacker is going to be able to break a weak encryption standard, so it is better to play it smart and provide the strongest encryption as long as it will not have everybody giving you dirty looks when you walk down the halls at work.
In 1999, our buddies at L0pht Heavy Industries released a product called Antisniff. This product attempts to scan your network and determine if a computer is running in promiscuous mode. This is a helpful tool because if a sniffer is detected on your network, then 9 times out of 10, the system has been compromised. This happened to the Computer Science Department at California State University – Stanislaus. Here is what they posted on their local website: “A sniffer program has been found running on the Computer Science network. Sniffer programs are used to capture passwords. In order to protect yourself please change your password. Do not use a word out of a dictionary, put a number on the end of a word or use proper names. Be inventive, use special characters and have 8 characters in your password.” I am sure there are hundreds of similar postings on internal websites throughout the world that don’t make it public as they have.
Antisniff also helps you find those system administrators who run a sniffer to find out what is wrong with their local
network, but forget to ask for authorization beforehand. If you need to run a sniffer, then you should get permission in writing. If your Security Administrator is running Antisniff, then there is a good chance they will find it and you will have to explain why you are running a sniffer without authorization. Hopefully your security policy has a section on sniffers and will provide some guidance if you need to run a sniffer.
At the time of this writing, Antisniff version 1.021 is the current release. There is a nice GUI available for Windows
95/98/and NT machines. A command line version is also available for Solaris, OpenBSD, and Linux. This version of Antisniff only works in a “flat non-switched” environment. If your network is designed with routers and switches, then Antisniff does not have the same functionality as in a non-switched environment. You can only use it on local networks that do not cross a router or switch. According to Lopht’s website, the next major release of Antisniff will have the ability to figure out if a computer is running in promiscuous mode over routers and switches. The next release of Antisniff should definitely be more beneficial to system administrators because the price of switches are coming down and most companies are upgrading to switches to obtain 100/Full Mbps speeds. Even though you have a totally switched environment, you are still not out of the water. There are still firewalls, proxies, webservers, ftp servers, etc. where crackers still have the ability to install a sniffer and capture data locally. The only difference is, you have taken away their ability to capture data over the network.
Antisniff can also be used by blackhats to find intrusion detection systems. If they know where your intrusion detection systems are, then they can become stealth attackers, causing you much pain because you just spend $150,000 on a new intrusion detection system and they found a way to bypass it.