Date: Thu, 9 Sep 1999 23:54:05 -0500 (CDT)
From: David Scheidt <dscheidt@enteract.com>
To: James Wyatt <jwyatt@rwsystems.net>
Cc: Mark Newton <newton@atdot.dotat.org>, Goran.Lowkrantz@infologigruppen.se, freebsd-security@FreeBSD.ORG
Subject: Re: Lisen only NIC
Message-ID: <Pine.NEB.3.96.990909234832.80920B-100000@shell-1.enteract.com>
In-Reply-To: <Pine.BSF.4.10.9909092253190.48713-100000@bsdie.rwsystems.net>
On Thu, 9 Sep 1999, James Wyatt wrote:

> On Fri, 10 Sep 1999, Mark Newton wrote:
> > James Wyatt wrote:
> > > After reading the AntiSniff stuff by the L0pht folks, I'm not so sure. I
> > > could send an attack packet to your machine with a forged (or real) return
> > > address. When you look up the hostname in DNS during capture or reporting,
> > > I could see (sniff DNS server ENet, hack DNS server, etc.) the DNS query
> > > and know you saw my packet.
> >
> > How are you going to do that when I can't transmit any packets?
>
> Maybe *it* can't, but where I've seen these used, there are one or more
> cards set up in sniff-only mode (snip!), but another card (usually behind
> the firewall) to access the machine. If you are looking at the packets on
> that or another machine, your package might be nice enough to look up the
> addresses on the packets. If I see the DNS query for it, I know you have
> been looking at my attack packets, don't I?

Which is why the machine doing the sniffing has to do its lookups on a
network that is invisible to any of the machines it's sniffing. That, or
you don't do the lookups on-line.

> Maybe the sniffing adapter can't transmit, but if there is *any* lookup on
> the information received from it, you become *very* visible.

Only if the sniffer-sniffer can see your lookups. Some care is in order in
setting things up, clearly. That is true of all security though, so this
shouldn't be a shock.

> Honest, go read the anti-sniff stuff by L0pht, it is just damn good
> thinking about how things really work. Before I read the work, I would
> have said some of it was impossible. Now that I have, I can write some of
> it. The insight provided was inspirational. - Jy@

Indeed. It is really quite impressive thinking.

David Scheidt

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
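The give-away the thread describes is a reverse (PTR) lookup for the attacker's bait address appearing on a network the attacker can watch. The following is an added example, not code from this thread or from L0pht's AntiSniff: it fabricates the DNS query a stub resolver would emit for a bait address, parses the question section of captured DNS payloads, and reports which bait addresses were looked up. Assumptions (mine, not the thread's): the UDP payload has already been stripped of its IP/UDP headers, the bait addresses are chosen by the tester, and the question section uses no name compression, which is how ordinary resolver queries are sent.

```python
"""Detect the tell-tale PTR lookup for a bait address (added example).

Not code from the freebsd-security thread or from L0pht's AntiSniff.
Assumes raw DNS payloads (IP/UDP headers already removed) and no name
compression in the question section, as stub resolvers send queries.
"""
import ipaddress
import struct

TYPE_PTR = 12
CLASS_IN = 1
FLAG_QR = 0x8000      # set on responses
FLAG_RD = 0x0100      # recursion desired, as stub resolvers set it


def reverse_name(ip: str) -> str:
    """'10.9.9.9' -> '9.9.9.10.in-addr.arpa' (IPv6 gives an ip6.arpa name)."""
    return ipaddress.ip_address(ip).reverse_pointer


def build_ptr_query(ip: str, txid: int = 0x1234) -> bytes:
    """Wire form of the PTR query a resolver sends when a capture tool
    resolves an address. Used here only to construct sample traffic."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in reverse_name(ip).split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", TYPE_PTR, CLASS_IN)


def parse_questions(payload: bytes) -> list:
    """Return (qname, qtype, qclass) for each question in a DNS query.
    Responses yield []; truncated or compressed names raise ValueError."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & FLAG_QR:
        return []
    pos = 12
    questions = []
    for _ in range(qdcount):
        labels = []
        while True:
            if pos >= len(payload):
                raise ValueError("truncated qname")
            length = payload[pos]
            if length & 0xC0:
                raise ValueError("compression pointer in question section")
            pos += 1
            if length == 0:
                break
            labels.append(payload[pos:pos + length].decode("ascii"))
            pos += length
        if pos + 4 > len(payload):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        questions.append((".".join(labels).lower(), qtype, qclass))
    return questions


def revealed_by_lookup(dns_payloads, bait_ips) -> list:
    """Bait addresses for which a PTR query was seen on the watched wire.
    An empty list means the capture host either resolved nothing or did
    its lookups somewhere the watcher cannot see (the thread's advice)."""
    wanted = {reverse_name(ip): ip for ip in bait_ips}
    hits = set()
    for payload in dns_payloads:
        try:
            questions = parse_questions(payload)
        except ValueError:
            continue  # malformed or non-query traffic is not evidence
        for name, qtype, qclass in questions:
            if qtype == TYPE_PTR and qclass == CLASS_IN and name in wanted:
                hits.add(wanted[name])
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample: bait 10.9.9.9 was resolved, 192.0.2.77 was not.
    bait = ["10.9.9.9", "192.0.2.77"]
    wire = [build_ptr_query("10.9.9.9"), build_ptr_query("10.1.1.1"), b"\x00" * 5]
    print("sniffer revealed for:", revealed_by_lookup(wire, bait))
```

The watcher side only needs to see the query, not the answer, which is why the thread's two fixes both work: either the capture host never resolves anything while capturing, or it resolves over a path (a management interface behind the firewall, or a later offline pass against a local table) that never crosses a segment the attacker can observe.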