internet.com Corp. ISP-Planet
Sniffing Out Packet Sniffers

Packet sniffers are out there searching for vulnerabilities in your network. We detail several possible signs of intrusion, teach the old "bait-and-sniff" routine, and sign off with a useful link.

by Brien Posey
of CrossNodes, an EarthWeb site
[July 20, 2001]

One of the oldest methods of stealing information from a network is packet sniffing (making a copy of each packet as it flows across the network).

While this may prove a boon for network managers for traffic analysis, it is also a tool for malevolent hackers. Today, protocols such as IPSec are designed to prevent packet sniffing by encrypting packets. However, many networks have not yet employed this encryption technology, or are only encrypting a portion of their data. Because of this, packet sniffing is still a viable method for stealing information.

Packet sniffing works because of the way Ethernet networks send their packets. Any time a PC sends out a packet, it is sent out as a broadcast, which means that every PC on the network sees it. Every PC is supposed to ignore the packet except for the PC that is its intended destination.

In the past, it was difficult to tell whether anyone on your network was engaging in packet sniffing. After all, no one was hacking into a server, so the audit logs wouldn't indicate any sort of unusual activity. A person who is packet sniffing is merely reading information as it comes to them.

Sniffing out the tell-tale signs of packet sniffing
Fortunately, there are some tell-tale signs that may signal unauthorized interception. If the suspected hacker has limited resources, they may try to use the Network Monitor utility for packet sniffing. (A limited version of Network Monitor comes with Windows NT and Windows 2000, and a full-featured version comes with SMS Server.)

Network Monitor is a good choice for the small-time hacker because it's easy to come by and relatively easy to use compared to some of the other packet sniffers that are available. Happily, it's also easy to tell if someone is using the Network Monitor utility: simply select the Identify Network Monitor Users command from Network Monitor's Tools menu.

What if the hacker is using one of the dozens of other available sniffing utilities? While there's no foolproof way to spot someone who's packet sniffing, there are some good indicators. Perhaps the best is your DNS database.

Any time that a system needs to resolve a host's IP address, it sends a query that is based on the host name to a DNS server. The DNS server then looks up the host name in its database and returns the host's IP address. If a hacker were running a packet sniffing program that displays host names (most of them do), then the machine doing the packet sniffing would generate an extremely large volume of DNS queries.

Bait and sniff
Try watching for machines that are performing lots of DNS lookups. Although a high volume of DNS lookups alone doesn't necessarily indicate packet sniffing, it's a good indicator. If you suspect that a particular machine might be packet sniffing, try setting up a bait machine.

A bait machine is a PC that no one knows exists. Plug it into the network and generate a small amount of network traffic. As you do, keep an eye on the DNS queries to see whether the suspected machine ran a DNS query on the bait machine. If it did, then it's almost certainly sniffing packets.
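The following script is an added example, not from the article, of how the DNS-volume check and the bait-machine check above can be run over a DNS server's query log. It assumes a simplified BIND-style query-log format and uses a constructed log excerpt in which 10.0.0.50 is the hypothetical suspect and 10.0.0.99 is the bait machine's address; the reverse (PTR) lookups are what a name-resolving sniffer would generate.

```python
import re

# Constructed, simplified BIND-style query-log excerpt (not real data).
# 10.0.0.50 is the hypothetical suspect; 10.0.0.99 is the bait machine.
QUERY_LOG = """\
client 10.0.0.20#1025: query: www.example.com IN A
client 10.0.0.50#1034: query: 7.0.0.10.in-addr.arpa IN PTR
client 10.0.0.50#1035: query: 8.0.0.10.in-addr.arpa IN PTR
client 10.0.0.25#2050: query: 20.0.0.10.in-addr.arpa IN PTR
client 10.0.0.50#1036: query: 12.0.0.10.in-addr.arpa IN PTR
client 10.0.0.20#1026: query: mail.example.com IN MX
client 10.0.0.50#1037: query: 99.0.0.10.in-addr.arpa IN PTR
client 10.0.0.50#1038: query: 7.0.0.10.in-addr.arpa IN PTR
"""

LINE_RE = re.compile(r"client (\S+?)#\d+.*?query: (\S+) IN (\S+)")


def parse_queries(log_text):
    """Return (client_ip, query_name, query_type) for every recognised line."""
    queries = []
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            queries.append(match.groups())
    return queries


def ptr_to_ip(qname):
    """Turn a reverse-lookup name like 99.0.0.10.in-addr.arpa into 10.0.0.99."""
    suffix = ".in-addr.arpa"
    if not qname.lower().endswith(suffix):
        return None
    return ".".join(reversed(qname[: -len(suffix)].split(".")))


def ptr_targets_by_client(queries):
    """Map each client to the set of distinct IPs it tried to resolve via PTR."""
    targets = {}
    for client, qname, qtype in queries:
        ip = ptr_to_ip(qname) if qtype.upper() == "PTR" else None
        if ip:
            targets.setdefault(client, set()).add(ip)
    return targets


def find_suspects(log_text, bait_ip, min_distinct_ptr=3):
    """Flag clients that resolved the bait host, or resolved many distinct
    addresses (high reverse-lookup volume). Returns sorted (client, reason)."""
    flagged = []
    for client, ips in sorted(ptr_targets_by_client(parse_queries(log_text)).items()):
        if bait_ip in ips:
            flagged.append((client, "resolved bait host %s" % bait_ip))
        elif len(ips) >= min_distinct_ptr:
            flagged.append((client, "%d distinct reverse lookups" % len(ips)))
    return flagged
```

A hit on the bait address is the strong signal; the volume threshold alone will also catch legitimate hosts such as mail or syslog servers that reverse-resolve every peer, so treat it as the weaker indicator the article describes.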

Another popular method for spotting packet sniffing is to measure the response time of the suspected machine. This technique is tricky and fairly unreliable, but it will at least let you know if you're on the right track. The idea is to ping the suspected machine in order to measure the response time. After doing so, generate some network traffic that a suspected malevolent hacker might be interested in.

Remember that someone who's sniffing packets probably wouldn't want to copy every packet because of the sheer volume of information. Instead, they would probably set up a packet filter and copy only the packets they're interested in, such as those used for authentication. Therefore, have several of your co-workers log in and out repeatedly while you re-measure the suspected PC's response time. If the response time hasn't changed much, the PC probably isn't sniffing packets; if you get a noticeably slower response, there's a good chance that it is.

Utilities exist that use the methods I've discussed, and a few others, to track down packet sniffers. One of the better tools is a program called AntiSniff. You can download a free 15-day trial of the Windows version of AntiSniff, or a free version for UNIX, from www.securitysoftwaretech.com/antisniff/download.html.

 

Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the director of information systems for a national chain of health care facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.
