Firewalls: Re: prevalence of sniffing ?

Firewalls
(July 1994)

Indexed By Thread: [Previous] [Next]

Subject:	Re: prevalence of sniffing ?
From:	Brent Chapman <brent @ mycroft . GreatCircle . COM>
Date:	Thu, 28 Jul 1994 15:06:08 -0700
To:	heiser @ acs . bu . edu (Bill Heiser)
Cc:	firewalls @ greatcircle . com
In-reply-to:	Your message of Thu, 28 Jul 1994 14:31:12 -0400 (EDT)

heiser @
 acs .
 bu .
 edu (Bill Heiser) writes:

# 
# Christopher Klaus <cklaus @
 shadow .
 net> wrote:
# 
# > ifconfig le0 on a sun will let you know if the device is in promiscious
# > mode.  cert also has a program that will let you know if the interface is in
# > promiscious mode.  this only works on suns (which is where most sniffing
# > is being done).                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
#   ^^^^^^^^^^^^^
# 
# Really?  On what data is this statement based?  Is there a survey
# or report that details which systems are sniffing packets?  This 
# would be most interesting!

Folks from CERT have made this comment publicly several times.  Most
of the crackers doing snooping are running one particular program (I
forget the name) which is widely available in the cracker community.
The program works with Sun's /dev/nit interface, and thus only works
on Suns.

Crackers certainly could write sniffer programs for other platforms;
however, most of them don't seem to be that skilled (thank goodness!).
It seems that there are a very small number of crackers out there who
are actually writing significant new code; unfortunately for us, some
of them are very talented.  The majority of them are running code they
got from somebody else, with little or no understanding of what it
does or how it works.

# It would seem to me that with the prevalence of home and academic machines
# on the net, that They would be the most common "sniffers", REGARDLESS of
# platform (i.e. there are lots of Free-Unix boxes out there)...

What makes you think Suns aren't academic machines?  I don't mean to
start another Sun vs. IBM vs. DEC vs. * flamewar here, but Suns are
one of the most common machines at Universities.  They're an IDEAL
target for this kind of attack, precisely because they are so
ubiquitous.

Yes, there are home machines out there, with who-knows-what software
running on them.  Most of them aren't in a position to see anything
interesting.  In order to carry out a sniffing attack, there has to be
traffic going past the machine (usually on the Ethernet the machine is
on) to be sniffed.


-Brent
--
Brent Chapman         | Great Circle Associates  | Call or email for info about
Brent @
 GreatCircle .
 COM | 1057 West Dana Street    | upcoming Internet Security 
+1 415 962 0841       | Mountain View, CA  94041 | Firewalls Tutorial dates

Follow-Ups:

Re: prevalence of sniffing ?
From: sgcccdc @ citec . qld . gov . au (Colin Campbell)
Re: prevalence of sniffing ?
From: Tim Newsham <newsham @ uhunix . uhcc . Hawaii . Edu>

Indexed By Date	Previous:	Re: prevalence of sniffing ? From: Ed DeHart <dehart @ info . pgh . pa . us>
Indexed By Date	Next:	Human failability (Was FW: NCSC and modern ratings) From: Adam Shostack <adam @ bwh . harvard . edu>
Indexed By Thread	Previous:	Re: prevalence of sniffing ? From: robp @ anubis . network . com (Rob Peglar)
Indexed By Thread	Next:	Re: prevalence of sniffing ? From: Tim Newsham <newsham @ uhunix . uhcc . Hawaii . Edu>