One of the many factors that contribute to the high success rate of persistent attacks is their “low-and-slow” approach. Speaking of “low-and-slow,” detecting passive attackers in a network hasn’t been one of the most exciting topics in the security world.
I recently came across a paper, written quite a while ago, that discusses techniques that can be used to detect machines in promiscuous mode (i.e. monitoring all network traffic, not just packets addressed to them). The paper draws heavily on the techniques used by AntiSniff, a tool developed by the security group L0pht Heavy Industries more than a decade ago.
AntiSniff uses various non-intrusive tests to determine whether a machine is in promiscuous mode. I will highlight two such techniques that are simple but effective: (1) the DNS test and (2) the machine latency test.
DNS Test
The DNS test exploits the curiosity of an attacker. AntiSniff first sends out a network packet destined for a bogus (non-existent) machine. If any other machine then attempts a reverse DNS lookup on the address in that bogus packet, a network packet sniffer might be in action on that machine: nobody legitimately communicates with the bogus address, so only a host that captured the packet and is resolving captured addresses to hostnames would ask about it.
Machine Latency Test
An even simpler test uses network performance baseline results. AntiSniff sends ICMP echo requests to every machine in the network and compares each response time with the baseline result for that machine. Machine(s) with a much higher latency than their baseline might be running in promiscuous mode, since processing every packet on the wire costs the host CPU time.
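The detection side of both tests, written as an added example that is not AntiSniff's own code or from the paper: it assumes a bait address the defender has already sent traffic to, a constructed DNS query log in the format "timestamp client-ip qtype qname", and baseline and measured echo latencies in milliseconds.

```python
"""Offline detection logic for the two AntiSniff-style tests above.

Added example (not AntiSniff's code). Assumes the defender sent traffic to
an unused "bait" address and has a DNS query log with one query per line:
    <timestamp> <client-ip> <qtype> <qname>
"""
import ipaddress

# Constructed sample log. 10.0.0.9 reverse-resolves the bait address
# 10.0.0.77; 10.0.0.5 only resolves a real gateway and a web host.
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01 10.0.0.5 A www.example.com.
2024-01-01T10:00:02 10.0.0.9 PTR 77.0.0.10.in-addr.arpa.
2024-01-01T10:00:03 10.0.0.5 PTR 1.0.0.10.in-addr.arpa.
2024-01-01T10:00:04 10.0.0.9 PTR 77.0.0.10.in-addr.arpa.
"""


def reverse_name(ip: str) -> str:
    """Return the in-addr.arpa (or ip6.arpa) name a resolver queries for ip."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def hosts_resolving_bait(log_text: str, bait_ip: str) -> set:
    """DNS test: clients that issued a PTR query for the bait address.

    Nothing legitimately talks to the bait address, so a reverse lookup on
    it suggests the client is resolving sniffed packets to hostnames.
    """
    target = reverse_name(bait_ip)
    suspects = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash
        _ts, client, qtype, qname = parts
        if qtype.upper() == "PTR" and qname.lower() == target:
            suspects.add(client)
    return suspects


def high_latency_hosts(baseline_ms: dict, measured_ms: dict, factor: float = 2.0) -> set:
    """Latency test: hosts whose echo latency exceeds factor x their baseline.

    Hosts without a baseline are ignored; there is nothing to compare against.
    """
    return {host for host, ms in measured_ms.items()
            if host in baseline_ms and ms > factor * baseline_ms[host]}
```

Both checks are heuristics: a DNS server or monitoring box that reverse-resolves addresses as part of its job, or a host that is simply busy, will trip them, so treat a hit as a lead to investigate rather than proof of a sniffer.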
Packet Sniffer Detection with AntiSniff, Ryan Spangler. May, 2003.
AntiSniff software allows you to turn the tables on packet sniffers, Dave Kearns. August, 1999.