Defense sniffer (zz)

The biggest risk of sniffer is that it is hard to be found. It is easy to find a sniffer in a single machine. You can view all the currently running Program Of course, this is not necessarily reliable. From: laky.blog.edu.cn

In a UNIX system, run the following command: PS-Aux. This command lists all current processes, the users who start these processes, the CPU usage time, and the memory usage.

In the OS, press CTRL + ALT + DEL to view the task list. However, sniffer with high programming skills does not appear here even if it is running.

Another method is to search for suspicious files in the system. However, attackers may use their own programs, which makes it very difficult to find sniffer. There are also a number of tools that can be used to check whether your system is in the mixed mode and whether there is a sniffer running. However, it is very difficult to detect which host is running sniffer on the network, because sniffer is a passive attack software that does not send packets to any host, it only runs quietly, waiting for the packets to be captured to pass through. From: laky.blog.edu.cn

Sniffer defense

Although it is very difficult to find a sniffer, we still have a way to defend against sniffer sniffing attacks. Since sniffer wants to capture our confidential information, we just want it to capture it, but we need to encrypt it in advance. Even if hackers have captured our confidential information, they cannot decrypt it, in this way, Sniffer becomes useless.

Hackers mainly use sniffer to capture packets such as telnet, FTP, and POP3, because these protocols are transmitted in plain text on the Internet, we can use a security protocol called SSH to replace Telnet and other protocols that are vulnerable to sniffer attacks. From: laky.blog.edu.cn

Ssh, also known as Secure Shell, is a protocol that provides Secure Communication in applications and is built on the customer/server model. The port allocated by the SSH server is 22.AlgorithmCreated. After authorization is complete, the next communication data is encrypted using idea technology. This encryption method is usually strong and suitable for any non-secret and non-classic communication.

SSH was later developed into F-SSH, providing high-level, military-level encryption of the communication process. It provides the most universal encryption for network communication through TCP/IP. If a site uses a F-SSH, the user name and password are no longer important. Currently, no one has broken through this encryption method. Even sniffer, the collected information will no longer be valuable. For more information, see ssh-related books.

Another method to defend against sniffer attacks is to use a secure topology. Because sniffer only applies to Ethernet, card ring network, and other networks, the network of the switching device should be used as much as possible to prevent sniffer from eavesdropping on packets of its own. There is also a rule to prevent passive snther attacks. A network segment must have enough reason to trust another network segment. Network segments should be designed based on the trust relationship between specific data, rather than the hardware needs. A network segment consists of only computers that can trust each other. Usually they are in the same room, or in the same office, they should be fixed in a certain part of the building. Note that each machine is connected to the hub through a hard connection, and the hub is then connected to the switch. Because the network segment is complete, data packets can only be captured on this network segment, and other network segments cannot be monitored.

All problems are attributed to trust. To communicate with other computers, a computer must trust that computer. The work of the system administrator is to determine a method, so that the trust relationship between computers is very small. In this way, a framework is established to tell you when to place a sniffer, where it is put, who put it, and so on. From: laky.blog.edu.cn

If the LAN is connected to the Internet, simply using the _ blank "> firewall is not enough. Attackers can scan the firewall and detect running services. You should be concerned about what a person can get when they enter the system. You must consider how long the trust relationship is. For example, if your web server trusts computer a, how many computers do it trust? How many computers are trusted by these computers? In a word, it is the computer that determines the minimum trust relationship. In the trust relationship, any previous computer on this computer may attack your computer and succeed. Your task is to ensure that once sniffer occurs, it is only valid for the minimum range.

Sniffr is often used after attackers intrude the system and is used to collect useful information. Therefore, it is critical to prevent the system from being broken through. The system security administrator should conduct regular security tests on the managed networks to prevent security risks. At the same time, you must control the number of users with considerable permissions, because many attacks often come from inside the network.

Antisnff, a tool for sniffer prevention

AntiSniff is a tool developed by L0pht, a well-known hacker organization (now a security company). It is used to detect whether machines on the local network are in hybrid mode (that is, the listening mode ).

A machine in hybrid mode means it is likely to have been intruded and installed with sniffer. For network administrators, it is important to know which machine is in a hybrid mode for further research.

AntiSniff 1.x runs on an Ethernet Windows NT system and provides an easy-to-use GUI. The tool tests in multiple ways whether the remote system is capturing and analyzing packets that are not sent to it. These test methods are independent of the operating system itself.

AntiSniff runs on a CIDR Block of the local Ethernet. If the network runs in a non-switched Class C network, AntiSniff can monitor the entire network. If the network switch is isolated by the Working Group, an AntiSniff is required in each working group. The reason is that some special tests use invalid Ethernet addresses, and some tests require statistics in mixed mode (such as response time and packet loss rate ).

AntiSniff is easy to use. In the graphical interface of the tool, select the machine to be checked and specify the check frequency. For tests except the network response time check, each machine returns a fixed positive or negative value. The returned positive value indicates that the machine is in hybrid mode, which may have been installed with sniffer. From: laky.blog.edu.cn

For the returned values of the network response time test, we recommend that you calculate the standard value based on the values returned for the first time, and then check the machines whose results have greatly changed during the flood and non-flood tests. Once these machines exit the hybrid mode and return to the normal operation mode, the next test of AntiSniff records the difference (positive value) between the hybrid mode and the non-hybrid mode ). From: laky.blog.edu.cn

AntiSniff should be run cyclically. The specific cycle value varies depending on the site, network load, number of machines tested, and website policy.