GOALS - PURPOSE - GOALS - PURPOSE - GOALS - PURPOSE
The Goal and Purpose of AntiSniff
As with all tools, there is no "one size fits all". The industry clamors
for the silver bullet: a tool that comes straight off the shelf, needs no
configuration or modification, has one hundred percent accuracy, and is
completely foolproof. No such tool exists in the security world.
AntiSniff raises the bar. It is, for lack of a better term, the start of an
arms race. Previously no commercial tool existed to do what AntiSniff does.
It has been run in large organizations with good results and accuracy. So
what does it do, and what does it not do?
The goal:
Detect machines on an Ethernet/IP network segment that are promiscuously
monitoring traffic not destined to them. The first release is designed to
work on flat, non-switched (shared-media, hub-based) segments, where every
host's interface sees every frame on the wire and a promiscuous interface
can therefore be probed with traffic that is not addressed to it.
The reason:
When an intruder obtains elevated privileges on a remote system, a few
things can usually be expected. The machine is placed in promiscuous mode
to monitor traffic on the network. This often rewards the intruder with
usernames, accounts, passwords, SNMP community strings, e-mail, and usage
statistics, to name just a few. Knowing which machines on the network are
in promiscuous mode therefore often points to machines that are already
compromised. Once a machine is compromised it is not uncommon for the holes
that were exploited to be fixed and for backdoors to be installed allowing
future remote access. A machine in this state may well pass network
security scanning software checks with flying colors, because the
vulnerability the scanner looks for is gone while the intruder's access
remains. A tool was needed to detect this situation.
What it will not detect:
If a machine on the network has no IP address, no IP stack bound to any of
its interfaces, or otherwise cannot be communicated with over the network,
then AntiSniff will not detect it.
This is perfectly acceptable, as such a machine would not have been
compromised over the network in the first place. If the machine was
compromised over the network and its network interface was subsequently
removed, this should be noticeable in many other ways (e.g. shouts down
the hallway of "Hey Joe! The R&D server stopped working!" are a dead
giveaway that something is wrong). If the device in question is a physical
machine that must be monitored or controlled in person, such as a dedicated
hardware sniffer, then the attacker has already obtained physical access to
the network in question. That is a completely different problem. In
addition, such physical network tap devices are usually quite good at
monitoring for runt frames, duplicate IP addresses, and the like, but are
usually quite poor at correlating data inside the packets for malicious
purposes.
Other situations with similar nuances will arise. However, these will be
the minority, and they will usually be legitimate systems rather than
compromised multi-user machines.
The Arms Race:
Can AntiSniff be defeated? Yes; anything can be defeated. Does this matter?
Not nearly as much as one might think. Currently, the methods of evading
AntiSniff involve either making an interface non-addressable or adding
logic to the promiscuous network monitoring program so that it stops
monitoring the network when it sees telltale signs of AntiSniff running.
The former is not an issue, for the reasons already discussed above. The
latter, while a fun exercise, is less of an issue than one might expect.
First, if the monitoring agent turns itself off whenever it believes
AntiSniff to be running, then it defeats, or severely impacts, the purpose
of its being on the system in the first place: every scan becomes a window
during which the sniffer captures nothing. Second, the signature of
AntiSniff (the characteristics of the probe traffic it sends) can be
modified by the user. With modifiable signatures, a sniffer's attempt to
determine what is and what is not AntiSniff running on the network becomes
much less reliable.
It is not our goal to fix the security posture of the world with a single
product, merely to improve the current state of affairs and to raise the
bar against which attacks and intrusions are measured.