Promiscuous Mode Detection Platform

Zouheir Trabelsi, Hamza Rahmani

Abstract

Among the attacks possible on an Ethernet network, the sniffing attack is probably one of the hardest to handle. Sniffers are programs that let a host capture every packet on an Ethernet segment by putting the host's Network Interface Card (NIC) into promiscuous mode. When a host's NIC is in normal mode, it captures only the packets addressed to that host. Since many basic services, such as FTP, Telnet and SMTP, send passwords and data in clear text, sniffers can be used by attackers to capture passwords and confidential data. A number of anti-sniffers have been developed, such as PMD [18], PromiScan [17] and L0pht AntiSniff [19]. An anti-sniffer is a program that tries to detect the hosts running sniffers in a Local Area Network (LAN). Current anti-sniffers rely mainly on three detection techniques: ARP detection, DNS detection and RTT (Round Trip Time) detection [13, 16]. However, sniffers have become advanced enough that these anti-sniffers no longer detect them. The main drawback of the three techniques is that they depend on the ARP, ICMP and/or DNS reply messages generated by the sniffing host; to stay undetectable, an advanced sniffer simply does not generate such replies while sniffing. This paper presents an anti-sniffer based on a new detection technique that relies mainly on an ARP cache poisoning attack to detect sniffing hosts in an Ethernet network. The technique is implemented in a tool, called SupCom anti-sniffer, which gives the system administrator automated support in detecting sniffers. Four anti-sniffers, PMD [18], PromiScan [17], L0pht AntiSniff [19] and SupCom anti-sniffer, are tested, and the evaluation results show that SupCom anti-sniffer detected more sniffing hosts than the other three.
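The following simulation illustrates the classic ARP detection technique that the abstract attributes to existing anti-sniffers [13], and the evasion the abstract names as its main drawback. It is an added example, not code from the paper, and it does not implement SupCom's ARP-cache-poisoning variant, which the abstract does not describe in detail. The host names, MAC and IP addresses, and the way the kernel-level ("software") filter is modelled are assumptions made for the illustration.

```python
"""Simulation of the classic ARP-based promiscuous-mode test.

Constructed example; not code from the paper and not SupCom's technique.
The NIC accepts a frame in normal mode only if it is addressed to the NIC's
own MAC or to the real broadcast address.  In promiscuous mode the NIC
accepts everything, and the decision moves to the kernel, which (modelled
here as an assumption) treats any destination with the group bit set as a
broadcast/multicast frame and answers the ARP request it carries.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Probe destination: not the broadcast address, so a normal-mode NIC drops it
# in hardware, but its first octet has the group bit set, so a host that sees
# it in software treats it like a broadcast and replies.
FAKE_BROADCAST = "ff:ff:ff:ff:ff:fe"


@dataclass
class ArpFrame:
    dst_mac: str
    src_mac: str
    sender_ip: str
    target_ip: str
    is_reply: bool = False


@dataclass
class Host:
    name: str
    mac: str
    ip: str
    promiscuous: bool = False
    # The "advanced sniffer" evasion from the abstract: the host sniffs but
    # never answers a probe that only a promiscuous host would have seen.
    suppress_replies: bool = False

    def hardware_filter(self, f: ArpFrame) -> bool:
        """NIC-level filter."""
        return self.promiscuous or f.dst_mac in (self.mac, BROADCAST)

    def software_filter(self, f: ArpFrame) -> bool:
        """Kernel-level check (assumed model): own MAC or group bit set."""
        group_bit = int(f.dst_mac.split(":")[0], 16) & 0x01
        return f.dst_mac == self.mac or group_bit == 1

    def handle_arp(self, f: ArpFrame) -> Optional[ArpFrame]:
        """Return the ARP reply this host would emit for frame f, or None."""
        if f.is_reply or not self.hardware_filter(f) or not self.software_filter(f):
            return None
        if f.target_ip != self.ip or self.suppress_replies:
            return None
        return ArpFrame(dst_mac=f.src_mac, src_mac=self.mac,
                        sender_ip=self.ip, target_ip=f.sender_ip, is_reply=True)


def arp_probe(detector_mac: str, detector_ip: str, hosts: List[Host]) -> Dict[str, bool]:
    """Send one fake-broadcast ARP request per host; a reply flags the host.

    A reply proves the host accepted a frame its NIC would have dropped in
    normal mode, i.e. the NIC is promiscuous.  A missing reply proves nothing:
    it may be a normal host or a sniffer that suppresses replies.
    """
    flagged: Dict[str, bool] = {}
    for h in hosts:
        probe = ArpFrame(dst_mac=FAKE_BROADCAST, src_mac=detector_mac,
                         sender_ip=detector_ip, target_ip=h.ip)
        flagged[h.name] = h.handle_arp(probe) is not None
    return flagged


def demo() -> Dict[str, bool]:
    # Constructed LAN: one clean host, one naive sniffer, one evasive sniffer.
    lan = [
        Host("workstation", "00:11:22:33:44:01", "192.0.2.11"),
        Host("naive-sniffer", "00:11:22:33:44:02", "192.0.2.12", promiscuous=True),
        Host("evasive-sniffer", "00:11:22:33:44:03", "192.0.2.13",
             promiscuous=True, suppress_replies=True),
    ]
    return arp_probe("00:11:22:33:44:ff", "192.0.2.1", lan)


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:16s} {'PROMISCUOUS' if hit else 'normal'}")
```

Running `demo()` flags only the naive sniffer: the workstation never sees the probe because its NIC discards the fake-broadcast destination in hardware, and the evasive sniffer sees it but stays silent, which is exactly the gap the abstract says reply-based detection cannot close.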

References

  1. Freedman, Pisani, Purves and Adhikari, "Statistics", 2nd ed., W. W. Norton & Company, 1991.
  2. Grundschober, S., "Sniffer Detector Report", Global Security Analysis Lab, Zurich Research Laboratory, IBM Research Division, June 1998.
  3. Hornig, C., "A Standard for the Transmission of IP Datagrams over Ethernet Networks", RFC 894, Symbolics Cambridge Research Center, April 1984.
  4. Plummer, D. C., "An Ethernet Address Resolution Protocol: Converting Network Protocol Addresses to 48.bit Ethernet Address for Transmission on Ethernet Hardware", RFC 826, November 1982.
  5. Postel, J., "Internet Protocol", RFC 791, USC/Information Sciences Institute, 1981.
  6. Postel, J., "Transmission Control Protocol", RFC 793, USC/Information Sciences Institute, 1981.
  7. Postel, J., "Internet Control Message Protocol", RFC 792, USC/Information Sciences Institute, 1981.
  8. Stevens, W. R., "TCP/IP Illustrated, Volume 1", 2001.
  9. Security Software Inc., "AntiSniff", Technical Report, 2000, http://www.securitysoftwaretech.com.
  10. Grundschober, S., "Sniffer Detector Report", Diploma Thesis, IBM Research Division, Zurich Research Laboratory, Global Security Analysis Lab, June 1998.
  11. Drury, J., "Sniffers: What are they and how to protect from them", SANS Institute, November 11, 2000, http://www.sans.org/.
  12. Wu, D. and Wong, F., "Remote Sniffer Detection", Computer Science Division, University of California, Berkeley, December 14, 1998.
  13. Sanai, D., "Detection of Promiscuous Nodes Using ARP Packets", http://www.securityfriday.com/.
  14. Nmap Tools, http://securityfocus.com.
  15. Trabelsi, Z. et al., "Malicious Sniffing Systems Detection Platform", IEEE/IPSJ International Symposium on Applications and the Internet (SAINT 2004), Tokyo, Japan, January 26-30, 2004.
  16. PromiScan anti-sniffer, http://www.securityfriday.com.
  17. PMD (Promiscuous Mode Detector), http://webteca.port5.com.
  19. L0pht AntiSniff, http://www.l0pht.com/antisniff/.


Paper Citation


in Harvard Style

Trabelsi Z. and Rahmani H. (2004). Promiscuous Mode Detection Platform. In Proceedings of the 2nd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2004) ISBN 972-8865-07-4, pages 279-292. DOI: 10.5220/0002682902790292


in Bibtex Style

@conference{wosis04,
author={Zouheir Trabelsi and Hamza Rahmani},
title={Promiscuous Mode Detection Platform},
booktitle={Proceedings of the 2nd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2004)},
year={2004},
pages={279-292},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002682902790292},
isbn={972-8865-07-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2004)
TI - Promiscuous Mode Detection Platform
SN - 972-8865-07-4
AU - Trabelsi Z.
AU - Rahmani H.
PY - 2004
SP - 279
EP - 292
DO - 10.5220/0002682902790292