From owner-freebsd-questions@FreeBSD.ORG Fri Oct 7 15:03:12 2005
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 87C0416A41F for ; Fri, 7 Oct 2005 15:03:12 +0000 (GMT) (envelope-from cswiger@mac.com)
Received: from vms042pub.verizon.net (vms042pub.verizon.net [206.46.252.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3D81D43D46 for ; Fri, 7 Oct 2005 15:03:12 +0000 (GMT) (envelope-from cswiger@mac.com)
Received: from [192.168.1.3] ([68.161.71.31]) by vms042.mailsrvcs.net (Sun Java System Messaging Server 6.2 HotFix 0.04 (built Dec 24 2004)) with ESMTPA id <0INZ00EM0WHASXH0@vms042.mailsrvcs.net> for freebsd-questions@freebsd.org; Fri, 07 Oct 2005 10:03:11 -0500 (CDT)
Date: Fri, 07 Oct 2005 11:03:13 -0400
From: Chuck Swiger
In-reply-to: <20051007140243.7558.qmail@rahul.net>
To: John Conover , freebsd-questions
Message-id: <43468E31.4000900@mac.com>
Organization: The Courts of Chaos
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7bit
X-Accept-Language: en-us, en
References: <20051007084807.13455.qmail@rahul.net> <43467C12.1060001@mac.com> <20051007140243.7558.qmail@rahul.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915
Cc:
Subject: Re: Security risk associated with a NIC's promiscuous mode?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 07 Oct 2005 15:03:12 -0000

John Conover wrote:
[ ... ]
>> A mild one. For example, I believe there was recently a security bug in
>> tcpdump's string handling which could be exploited by tcpdump seeing a
>> maliciously-crafted packet. Running the NIC in promisc mode means that packet
>> just has to go by, rather than being sent specifically to the machine running the
>> sniffer...
>>
>> In other words, it's not a great idea to run a sniffer on your most important
>> fileserver or whatever, rather than an isolated laptop or other test system.
>
> Thanks, Chuck; That's the kind of stuff I was concerned about.

Sure, you're welcome.

The issue is much like building out (or writing code for) a firewall or router or IDS. Anything which gets exposed to untrusted traffic ought to be considered "at risk", and the software ought to be written with extreme care to not trust the data-- don't trust an IP packet to really tell you what size it is (you may not have sniffed all of that data, depending on how you configured PCAP or BPF), don't trust Content-length headers in email or HTTP traffic to be valid without double-checking (trying to memcpy -1 bytes makes programs unhappy [1]), don't trust headers to be of reasonable size, etc.

If at all possible, anything running a sniffer ought to be dedicated for the purpose, or only used for brief periods by a human sysadmin (ie, not running forever under the incurious gaze of a daemon). If possible and convenient, the rest of your network should not trust or depend on your sniffer box at all.

--
-Chuck

[1]: On the other hand, being able to drop -1 gold pieces in Hack could be considered a feature, at least to most people. :-)
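The two "don't trust the length" points in Chuck's reply, shown as an added C example that is not part of the thread or of tcpdump/libpcap: an IPv4 header is bounded against the number of bytes the capture actually holds (pcap's caplen) rather than against the packet's own Total Length field, and a Content-Length value is parsed so that "-1" or an oversized value can never reach memcpy. The result codes, function names and the 64-byte sample frame are constructed for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes for this added example (hypothetical names, not from the thread). */
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_HEADER = -2, PARSE_BAD_LENGTH = -3 };

/*
 * Bound an IPv4 header against caplen, the bytes the capture really holds,
 * never against the packet's own Total Length.  Returns the payload length
 * that is safe to read, or a negative code.
 */
int ipv4_safe_payload_len(const uint8_t *buf, size_t caplen, size_t *payload_off)
{
    if (caplen < 20)                                   /* fixed header not fully captured */
        return PARSE_TRUNCATED;
    if ((buf[0] >> 4) != 4)                            /* not IPv4 */
        return PARSE_BAD_HEADER;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;          /* header length incl. options */
    if (ihl < 20 || ihl > caplen)
        return PARSE_BAD_HEADER;
    size_t total = ((size_t)buf[2] << 8) | buf[3];     /* untrusted: the sender chooses it */
    if (total < ihl)
        return PARSE_BAD_LENGTH;
    if (total > caplen)                                /* claims more than the sniffer saw */
        return PARSE_TRUNCATED;
    *payload_off = ihl;
    return (int)(total - ihl);
}

/*
 * Parse a Content-Length value.  A sign is rejected up front (so "-1" never
 * turns into a huge size_t), as are trailing junk, overflow, and any value
 * larger than the bytes in hand.
 */
int parse_content_length(const char *value, size_t available, size_t *out)
{
    if (value == NULL)
        return PARSE_BAD_HEADER;
    while (*value == ' ' || *value == '\t')
        value++;
    if (*value < '0' || *value > '9')                  /* also rejects "", "-1", "+5" */
        return PARSE_BAD_HEADER;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(value, &end, 10);
    if (errno == ERANGE)
        return PARSE_BAD_LENGTH;
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;
    if (*end != '\0')
        return PARSE_BAD_HEADER;
    if (v > available)
        return PARSE_BAD_LENGTH;
    *out = (size_t)v;
    return PARSE_OK;
}

/* Copy a body into dst only after Content-Length has been bounded. */
int copy_body(const char *body, size_t available, const char *content_length,
              char *dst, size_t dstlen)
{
    size_t n;
    int rc = parse_content_length(content_length, available, &n);
    if (rc != PARSE_OK)
        return rc;
    if (n >= dstlen)                                   /* keep room for the terminator */
        return PARSE_BAD_LENGTH;
    memcpy(dst, body, n);
    dst[n] = '\0';
    return (int)n;
}

/* Convenience wrapper: the parsed length, or the negative error code. */
long content_length_or_error(const char *value, size_t available)
{
    size_t n;
    int rc = parse_content_length(value, available, &n);
    return rc == PARSE_OK ? (long)n : rc;
}

/* Constructed sample: a 64-byte capture (64-byte snaplen) holding a minimal
   IPv4 header.  Bytes 2-3 are the Total Length field, 40 here. */
static const uint8_t sample_frame[64] = {
    0x45, 0x00, 0x00, 0x28,      /* version 4, IHL 5 (20 bytes), total length 40 */
    0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1,  10, 0, 0, 2
};

/* Honest header: 40 - 20 = 20 payload bytes, all inside the capture. */
int demo_honest_packet(void)
{
    size_t off;
    return ipv4_safe_payload_len(sample_frame, sizeof sample_frame, &off);
}

/* Same capture with Total Length rewritten to 1500: only 64 bytes were
   sniffed, so the parser refuses instead of reading past the buffer. */
int demo_lying_packet(void)
{
    uint8_t f[64];
    size_t off;
    memcpy(f, sample_frame, sizeof f);
    f[2] = 0x05; f[3] = 0xdc;                          /* 0x05dc = 1500 */
    return ipv4_safe_payload_len(f, sizeof f, &off);
}

int main(void)
{
    char dst[16];
    printf("honest packet payload bytes: %d\n", demo_honest_packet());
    printf("lying packet result: %d\n", demo_lying_packet());
    printf("Content-Length \"-1\": %ld\n", content_length_or_error("-1", 10));
    printf("copy_body with Content-Length 5: %d\n",
           copy_body("hello world", 11, "5", dst, sizeof dst));
    return 0;
}
```

The checks are ordered so that each field is validated before anything derived from it is used: caplen before the version nibble, the header length before the total length, and the total length before any payload offset is handed back. The same pattern applies to BPF-filtered captures with a short snaplen, where the "truncated" outcome is the common case rather than an attack, and the code should simply decline to parse the missing part.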