Promiscuous Mode Detection Platform

Hamza Rahmani

2004

Abstract

Among the various types of attacks on an Ethernet network, the “sniffing attack” is probably one of the most difficult to handle. Sniffers are programs that allow a host to capture any packet in an Ethernet network by putting the host’s Network Interface Card (NIC) into promiscuous mode. When a host’s NIC is in normal mode, it captures only the packets sent to the host. Since many basic services, such as FTP, Telnet and SMTP, send passwords and data in clear text, sniffers can be used by hackers to capture passwords and confidential data. A number of anti-sniffers have been developed, such as PMD [18], PromiScan [17] and L0pht AntiSniff [19]. An anti-sniffer is a program that tries to detect the hosts running sniffers in a Local Area Network (LAN). Current anti-sniffers are mainly based on three detection techniques: ARP detection, DNS detection, and RTT (Round Trip Time) detection [13, 16]. However, sniffers are becoming so advanced that anti-sniffers are unable to detect them. The main drawback of these detection techniques is that they rely on the ARP, ICMP and/or DNS reply messages generated by the sniffing hosts. Therefore, in order to stay undetectable by anti-sniffers, advanced sniffers do not generate such reply messages while sniffing. This paper discusses an anti-sniffer based on a new detection technique. The technique mainly uses an ARP cache poisoning attack to detect sniffing hosts in an Ethernet network. It is implemented in a tool, called SupCom anti-sniffer, which automatically gives the system administrator better support in detecting sniffers. Four anti-sniffers, PMD [18], PromiScan [17], L0pht AntiSniff [19] and SupCom anti-sniffer, are tested, and the evaluation results show that SupCom anti-sniffer detected more sniffing hosts than the other anti-sniffers.

References

  1. UDDI Version 3.0.1 - UDDI Spec Technical Committee Specification 14 October 2003. See http://uddi.org/pubs/uddi-v3.0.1-20031014.htm
  2. Decryption Transform for XML Signature - W3C Recommendation 10 December 2002. See http://www.w3.org/TR/2002/REC-xmlenc-decrypt-20021210
  3. XMLDsig. XML-Signature Syntax and Processing - W3C Recommendation 12 February 2002. See http://www.w3.org/TR/xmldsig-core/
  4. RBAC. Role-based Access Control - Draft 4 April 2003. See http://csrc.nist.gov/rbac/rbacstd-ncits.pdf
  5. Adams, C. and S. Boeyen (2002) UDDI and WSDL Extensions for Web Services: a security framework. Proceedings of the ACM Workshop on XML Security. Fairfax, VA, USA.
  6. Liberty Alliance Project. Introduction to the Liberty Alliance Identity Architecture. See http://www.projectliberty.org/resources/whitepapers/LAP%20Identity%20Architecture%20Whitepaper%20Final.pdf
  7. WSAS. Web Services Architecture Specification - W3C Working Draft 8 August 2003. See http://www.w3.org/TR/2003/WD-ws-arch-20030808/
  8. Box, D. (2002) Understanding GXA. See http://msdn.microsoft.com/library/default.asp?url=/library/enus/dngxa/html/gloxmlws500.asp
  9. Casati, F., E. Shan, U. Dayal and M.-C. Shan (2003) Business-Oriented Management of Web Services. Communications of the ACM, Vol. 46, Nº 10, October 2003, pp. 25-28.
  10. IBM and Microsoft. Web Services Framework. See http://www.w3.org/2001/03/WSWSpopa/paper51
  11. SAML. Assertions and Protocol for the OASIS 2 Security Assertion Markup Language 3 (SAML) V1.1. See http://www.oasis-open.org/committees/download.php/3406/oasis-sstcsaml-core-1.1.pdf
  12. Geuer-Pollmann, C. (2002) XML Pool Encryption. Proceedings of the Workshop on XML Security. Fairfax, VA: ACM Press.
  13. Hartman, B., D.J. Flinn, K. Beznosov and S. Kawamoto (2003) Mastering Web Services Security. Wiley.
  14. IBM and Microsoft. Security in a Web Services World: A Proposed Architecture and Roadmap - technical whitepaper 7 April 2002. See http://msdn.microsoft.com/ws-security/
  15. XMLEnc. XML Encryption Syntax and Processing - W3C Recommendation 10 December 2002. See http://www.w3.org/TR/xmlenc-core/
  16. WSDL. Web Services Description Language (WSDL) 1.1 - W3C Note 15 March 2001. See http://www.w3.org/TR/wsdl
  17. Robert McMillan. IDC: Web services to enable $4.3B hardware market by 2007. IDG News Service (2003). See http://www.computerworld.com/hardwaretopics/hardware/story/0,10801,81496,00.html
  18. O'Neill, M., P. Hallam-Baker, S.M. Cann, M. Shema, E. Simon, P.A. Watters and A. White (2003) Web Services Security. McGraw-Hill.
  19. Papazoglou, M.P. and D. Georgakopoulos (2003) Service-Oriented Computing. Communications of the ACM, Vol. 46, Nº 10, October 2003, pp. 25-28.
  20. SOAP. SOAP Version 1.2 Part 0: Primer. See http://www.w3.org/TR/2003/REC-soap12-part0-20030624/
  21. WS-Security. Web Services Security (WS-Security) - Specification 5 April 2002. See http://www-106.ibm.com/developerworks/webservices/library/ws-secure
  22. XKMS. XML Key Management Specification (XKMS) - W3C Note 30 March 2001. See http://www.w3.org/TR/xkms/
  23. WS-Security Profile for XML-based Tokens - Specification 28 August 2002. See http://www-106.ibm.com/developerworks/webservices/library/ws-sectoken.html
  24. W3C Extensible Markup Language (XML) 1.1 - W3C Recommendation 04 February 2004 (2004). See http://www.w3.org/TR/xml11


Paper Citation


in Harvard Style

Rahmani H. (2004). Promiscuous Mode Detection Platform. In Proceedings of the 2nd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2004) ISBN 972-8865-07-4, pages 293-304. DOI: 10.5220/0002684602930304


in Bibtex Style

@conference{wosis04,
author={Hamza Rahmani},
title={Promiscuous Mode Detection Platform},
booktitle={Proceedings of the 2nd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2004)},
year={2004},
pages={293-304},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002684602930304},
isbn={972-8865-07-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2004)
TI - Promiscuous Mode Detection Platform
SN - 972-8865-07-4
AU - Rahmani H.
PY - 2004
SP - 293
EP - 304
DO - 10.5220/0002684602930304