Date: Tue, 23 May 2000 20:35:17 -0500 (CDT)
From: Mike Silbersack
To: Olaf Hoyer
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: BPF vs. promiscuous mode
In-Reply-To: <4.1.20000524031209.027cb820@mail.rz.fh-wilhelmshaven.de>

On Wed, 24 May 2000, Olaf Hoyer wrote:

> It's a chaotic peer-to-peer network, with a DHCP server and a gateway to
> university.
> We already had some sniffer attack to sniff out POP3 passwords.
> ...
> I mean with fake address that you pretend that your NIC had a different
> address from that stored in PROM.
>
> Say, your NIC had an address of (fictional) 00:00:00:1e:3d:2a and you could
> make it appear to other boxes on the same network as say,
> 3e:2e:4b:3d:5c:00, in this case I'd like to know
> a) how this is done and
> b) how can it be detected

Well, as one of those pesky students who has reprogrammed his MAC address
on multiple occasions (so DHCP would give me the same IP when switching
NICs), I'm curious why that's a problem. Changing IPs doesn't really pose
any threat that I'm aware of, unless you're impersonating the gateway.
(Such attacks may be doable even without changing MAC addresses, actually.
I think impersonating the DHCP server would do - no packet sniffing
required!)

However, that's really unimportant anyway; it sounds like you're using
regular hubs from your above statements.
You should probably just get cheap switches; any other countermeasures to
prevent sniffers are just going to take a lot of time, and not really be
effective.

Mike "Silby" Silbersack