From owner-freebsd-security Thu Sep 9 21:55:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from pop3-3.enteract.com (pop3-3.enteract.com [207.229.143.32]) by hub.freebsd.org (Postfix) with SMTP id 030371524B for ; Thu, 9 Sep 1999 21:55:26 -0700 (PDT) (envelope-from dscheidt@enteract.com)
Received: (qmail 76779 invoked from network); 10 Sep 1999 04:54:05 -0000
Received: from shell-1.enteract.com (dscheidt@207.229.143.40) by pop3-3.enteract.com with SMTP; 10 Sep 1999 04:54:05 -0000
Date: Thu, 9 Sep 1999 23:54:05 -0500 (CDT)
From: David Scheidt
To: James Wyatt
Cc: Mark Newton, Goran.Lowkrantz@infologigruppen.se, freebsd-security@FreeBSD.ORG
Subject: Re: Lisen only NIC
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 9 Sep 1999, James Wyatt wrote:

> On Fri, 10 Sep 1999, Mark Newton wrote:
> > James Wyatt wrote:
> > > After reading the AntiSniff stuff by the L0pht folks, I'm not so sure. I
> > > could send an attack packet to your machine with a forged (or real) return
> > > address. When you look-up the hostname in DNS during capture or reporting,
> > > I could see (sniff DNS server ENet, hack DNS server, etc) the DNS query
> > > and know you saw my packet.
> >
> > How are you going to do that when I can't transmit any packets?
>
> Maybe *it* can't, but where I've seen these used, there is one or more
> card(s) setup in sniff-only mode (snip!), but another card (usually behind
> the firewall) to access the machine. If you are looking at the packets on
> that or another machine, your package might be nice enough to look-up the
> addresses on the packets. If I see the DNS query for it, I know you have
> been looking at my attack packets, don't I?

Which is why the machine doing the sniffing has to do its lookups on a
network that is invisible to any of the machines it's sniffing. That, or
you don't do the lookups on-line.
>
> Maybe the sniffing adapter can't transmit, but if there is *any* lookup on
> the information received from it, you become *very* visible.

Only if the sniffer-sniffer can see your lookups. Some care is in order in
setting things up, clearly. That is true of all security though, so this
shouldn't be a shock.

> Honest, go read the anti-sniff stuff by L0pht, it is just damn good
> thinking about how things really work. Before I read the work, I would
> have said some of it was impossible. Now that I have, I can write some of
> it. The insight provided was inspirational. - Jy@
>

Indeed. It is really quite impressive thinking.

David Scheidt

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
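An added example of the "don't do the lookups on-line" approach the message settles on; this is not code from the thread or from any project it mentions. It assumes the capture was taken with `tcpdump -n` (no name resolution at capture time), and the sample capture lines, addresses and hosts table are all constructed here.

```python
"""Offline reporting for a listen-only sniffer (added example, not the
thread's code). Assumes capture came from `tcpdump -n` and names are
resolved only from a static hosts table carried to the analysis host."""
import re
from typing import Dict, Iterable, List, Set

# Constructed sample of `tcpdump -n` output (no names, so no DNS at capture).
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.0.2.10.40123 > 198.51.100.5.80: Flags [S], seq 1, win 65535, length 0
12:00:01.000450 IP 198.51.100.5.80 > 192.0.2.10.40123: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:02.100000 IP 203.0.113.7 > 198.51.100.5: ICMP echo request, id 1, seq 1, length 64
"""

# Constructed static map standing in for a hosts file copied to the analysis box.
OFFLINE_HOSTS: Dict[str, str] = {
    "198.51.100.5": "www.example.test",
    "192.0.2.10": "client-a.example.test",
}

# Source and destination IPv4 addresses; the optional trailing ".port" is dropped.
_ADDR = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?[: ]"
)

def addresses_in_capture(lines: Iterable[str]) -> Set[str]:
    """Collect every IPv4 address seen as source or destination."""
    found: Set[str] = set()
    for line in lines:
        m = _ADDR.match(line)
        if m:
            found.update((m.group("src"), m.group("dst")))
    return found

def resolve_offline(addrs: Iterable[str], hosts: Dict[str, str]) -> Dict[str, str]:
    """Map addresses to names from the static table only; unknown ones stay
    "<unresolved>". Nothing here calls the system resolver, so no DNS query
    ever reveals which addresses the sniffer saw."""
    return {a: hosts.get(a, "<unresolved>") for a in sorted(addrs)}

def report(capture_text: str, hosts: Dict[str, str]) -> List[str]:
    """One 'addr name' line per address, built without any on-line lookup."""
    names = resolve_offline(addresses_in_capture(capture_text.splitlines()), hosts)
    return [f"{addr} {name}" for addr, name in names.items()]
```

The same separation applies to any analysis tool: disable its automatic name resolution at capture time and resolve later, from a table that never needs a query on a network the sniffed hosts can observe.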