Date: Thu, 9 Sep 1999 22:59:24 -0500 (CDT)
From: James Wyatt <jwyatt@rwsystems.net>
To: Mark Newton <newton@atdot.dotat.org>
Cc: Goran.Lowkrantz@infologigruppen.se, freebsd-security@FreeBSD.ORG
Subject: Re: Lisen only NIC
Message-ID: <Pine.BSF.4.10.9909092253190.48713-100000@bsdie.rwsystems.net>
In-Reply-To: <199909092251.IAA74937@atdot.dotat.org>
On Fri, 10 Sep 1999, Mark Newton wrote:

> James Wyatt wrote:
> > After reading the AntiSniff stuff by the L0pht folks, I'm not so sure. I
> > could send an attack packet to your machine with a forged (or real) return
> > address. When you look-up the hostname in DNS during capture or reporting,
> > I could see (sniff DNS server ENet, hack DNS server, etc) the DNS query
> > and know you saw my packet.
>
> How are you going to do that when I can't transmit any packets?

Maybe *it* can't, but where I've seen these used, there is one or more card(s) setup in sniff-only mode (snip!), but another card (usually behind the firewall) to access the machine. If you are looking at the packets on that or another machine, your package might be nice enough to look-up the addresses on the packets. If I see the DNS query for it, I know you have been looking at my attack packets, don't I?

Maybe the sniffing adapter can't transmit, but if there is *any* lookup on the information received from it, you become *very* visible.

Honest, go read the anti-sniff stuff by L0pht, it is just damn good thinking about how things really work. Before I read the work, I would have said some of it was impossible. Now that I have, I can write some of it. The insight provided was inspirational. - Jy@
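A self-check for the leak the message describes, added here as an example that is not part of the original post: given the source addresses a receive-only card captured and the DNS queries that left the sensor's management card (both constructed sample data), report any reverse (PTR) lookup that would tell an outside observer the sensor saw that packet.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed sample data (not from the original message).
# Source addresses of packets captured on the receive-only card:
PASSIVE_SOURCES = ["203.0.113.7", "198.51.100.22", "192.0.2.45"]
# DNS query names observed leaving the sensor's management card:
MGMT_DNS_QUERIES = [
    "ntp.example.net.",
    "7.113.0.203.in-addr.arpa.",
    "45.2.0.192.in-addr.arpa.",
    "mail.example.net.",
]


def ptr_name_to_ip(qname: str) -> Optional[str]:
    """Turn an IPv4 reverse-lookup name such as '4.3.2.10.in-addr.arpa.'
    back into '10.2.3.4'. Returns None for anything that is not an
    IPv4 PTR query name."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    try:
        # The four octets are stored least-significant first in in-addr.arpa.
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ipaddress.AddressValueError:
        return None


def find_leaked_lookups(passive_sources: Iterable[str],
                        mgmt_queries: Iterable[str]) -> List[str]:
    """Return the captured source addresses for which the sensor emitted a
    PTR query. Any hit means the 'silent' sensor revealed what it saw."""
    seen = set(passive_sources)
    leaked = set()
    for qname in mgmt_queries:
        ip = ptr_name_to_ip(qname)
        if ip is not None and ip in seen:
            leaked.add(ip)
    return sorted(leaked)


if __name__ == "__main__":
    for ip in find_leaked_lookups(PASSIVE_SOURCES, MGMT_DNS_QUERIES):
        print(f"LEAK: sensor looked up PTR for captured source {ip}")
```

Feeding it real data means exporting source addresses from the capture and DNS query names from a trace on the management interface; an empty result is what a truly silent sensor should produce.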