From owner-freebsd-security Thu Sep 9 21:25:26 1999
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 1418114EF6 for ; Thu, 9 Sep 1999 21:25:13 -0700 (PDT) (envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (1958 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Thu, 9 Sep 1999 22:59:24 -0500 (CDT) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7)
Date: Thu, 9 Sep 1999 22:59:24 -0500 (CDT)
From: James Wyatt
To: Mark Newton
Cc: Goran.Lowkrantz@infologigruppen.se, freebsd-security@FreeBSD.ORG
Subject: Re: Lisen only NIC
In-Reply-To: <199909092251.IAA74937@atdot.dotat.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 10 Sep 1999, Mark Newton wrote:

> James Wyatt wrote:
> > After reading the AntiSniff stuff by the L0pht folks, I'm not so sure. I
> > could send an attack packet to your machine with a forged (or real) return
> > address. When you look-up the hostname in DNS during capture or reporting,
> > I could see (sniff DNS server ENet, hack DNS server, etc) the DNS query
> > and know you saw my packet.
>
> How are you going to do that when I can't transmit any packets?

Maybe *it* can't, but where I've seen these used, there is one or more card(s)
setup in sniff-only mode (snip!), but another card (usually behind the
firewall) to access the machine. If you are looking at the packets on that or
another machine, your package might be nice enough to look-up the addresses on
the packets. If I see the DNS query for it, I know you have been looking at my
attack packets, don't I? Maybe the sniffing adapter can't transmit, but if
there is *any* lookup on the information received from it, you become *very*
visible.
Honest, go read the anti-sniff stuff by L0pht, it is just damn good thinking
about how things really work. Before I read the work, I would have said some
of it was impossible. Now that I have, I can write some of it. The insight
provided was inspirational. - Jy@

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
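The leak James describes (a "silent" sniffer host whose report tool reverse-resolves captured source addresses, so the PTR queries reveal what it saw) can be checked from the defender's side. The following is an added example, not code from the thread or from the AntiSniff tool: it renders a capture report by address only, and it audits constructed DNS query-log lines for PTR lookups that the monitoring host made for addresses it captured. The IP addresses, the monitoring host 192.0.2.10 and the BIND-like log line shape are all assumptions made up for the example.

```python
import ipaddress
import re

# Constructed sample: source addresses a sniff-only interface captured from
# inbound packets (hypothetical values, not from the mailing-list thread).
CAPTURED_SOURCES = ["203.0.113.7", "198.51.100.22", "203.0.113.7"]

# Constructed DNS query-log lines in a BIND-like shape (assumed format). The
# first two are PTR lookups made by the monitoring host 192.0.2.10 while it
# rendered its report; the third is unrelated traffic from another host.
DNS_QUERY_LOG = [
    "client 192.0.2.10#41022: query: 7.113.0.203.in-addr.arpa IN PTR",
    "client 192.0.2.10#41023: query: 22.100.51.198.in-addr.arpa IN PTR",
    "client 192.0.2.44#50001: query: www.example.com IN A",
]


def ptr_name(ip: str) -> str:
    """Reverse-lookup name a report tool would query if it resolved `ip`.
    This is exactly the string an observer of your DNS traffic gets to see."""
    return ipaddress.ip_address(ip).reverse_pointer


def report_without_dns(sources):
    """Summarise captured sources by address only.  No resolver call is made,
    so the passive host emits no DNS traffic that would reveal its capture."""
    counts = {}
    for ip in sources:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items())


# Matches the assumed log shape: "client <ip>#<port>: query: <name> IN PTR"
_PTR_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN PTR")


def leaked_lookups(log_lines, monitor_host, captured_sources):
    """Audit check: which captured source addresses did `monitor_host`
    reverse-resolve?  Any hit means the sniffer box is visible to whoever
    can observe that DNS traffic, even though its capture NIC never sends."""
    wanted = {ptr_name(ip): ip for ip in set(captured_sources)}
    leaked = set()
    for line in log_lines:
        m = _PTR_RE.search(line)
        if m and m.group(1) == monitor_host:
            name = m.group(2).rstrip(".")
            if name in wanted:
                leaked.add(wanted[name])
    return sorted(leaked)


if __name__ == "__main__":
    for ip, n in report_without_dns(CAPTURED_SOURCES):
        print(f"{ip:>16}  {n} packet(s)")
    print("PTR lookups leaked by monitor host:",
          leaked_lookups(DNS_QUERY_LOG, "192.0.2.10", CAPTURED_SOURCES))
```

Run against your real resolver's query log, a non-empty result from `leaked_lookups` is the signal to disable name resolution in whatever tool reads the capture (for example, report by raw address as `report_without_dns` does) or to do the lookups later from a host that is not the sensor.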