Thursday, September 3, 2009

Protection against packet sniffers

Share Orkut

Some while back when I was using a SIFY Broadband connection, there was this particular period when all transfers on LAN as well as net speeds dropped drastically. I felt very weird about the fact that this happened almost every day at around 6pm. There was only one cause I knew of (mentioned in the previous post), which could have such an effect; someone is doing a MITM or Man in the Middle attack.


 

So how do we detect these guys?

Firstly I have only tried this trick in my network, I'm not sure it will work with you; but you can still give it a try.

  • Start a sniffer like Wireshark, sniff for some time when you think the attack is being carried out. Now from the captured packets, separate out the DNS request packets and search for reverse DNS lookups. If at all there's an attacker who is sniffing or doing a MITM, there are bound to be reverse DNS lookups, either by the application or manually.
  • If any system on a network responds to a ARP request that is sent to a non-broadcast address, that means that the system is clearly in promiscuous mode.
  • Later on I found this handy tool XArp http://www.chrismc.de/developing/xarp/.
  • Also on a windows machine command prompt the "arp –a" command will show you your ARP entries, and "arp –d *" command will delete all entries in your ARP table.

0 comments:

Post a Comment

Write your comment here