Editor's note: A sniffer is often used by attackers after they have broken into a system, to collect useful information. Preventing the initial system compromise is therefore critical. The system security administrator should run regular security tests on the networks they manage to prevent security risks, and must also limit the number of users with significant privileges. Remember that many attacks come from inside the network.
One simple answer is that you cannot just find a sniffer on the network, because it leaves no trace at all; a sniffer is as brazen as it is quiet. It is also hard to explain how to tell whether a sniffer exists.
Finding a network sniffer
I. Abnormal packet loss rate in network communication
Some network tools show how packets are being delivered; a command such as ping will tell you how many packets were lost. If something is listening on the network, packets may not be delivered smoothly to their destination every time (because the sniffer intercepts each packet).
II. Abnormal network bandwidth
Some bandwidth controllers (usually in the firewall) show the current distribution of network bandwidth in real time. If one machine occupies a large share of the bandwidth for a long time, it may be sniffing. On low-speed links such as a 56K DDN line, a sniffer on the network should produce a detectable change in network communication speed.
III. View all programs currently running on the computer
This is generally not very reliable, but it does let you keep track of which programs run on the computer. On Unix, run ps -aux or ps -augx. This lists all current processes, the users who started them, their CPU time, memory usage and so on.
On Windows, press Ctrl+Alt+Del to view the task list. However, a skilfully written sniffer will not show up here even while it is running.
IV. Search for suspicious files in the system. However, intruders may use their own programs, which makes discovering a sniffer considerably harder.
V. There are also many tools that check whether your system's network interface is in promiscuous mode, which indicates that a sniffer may be running.
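As an added example (not from the original article), the following POSIX shell script performs the promiscuous-mode check on Linux itself, by reading the interface flag bitmask the kernel exposes under /sys/class/net/<iface>/flags and testing the IFF_PROMISC bit (0x100 in <linux/if.h>). The directory argument to check_interfaces and the sample flag values are assumptions for demonstration.

```shell
#!/bin/sh
# Added example: detect Linux interfaces in promiscuous mode via sysfs.
# Each /sys/class/net/<iface>/flags file holds the IFF_* bitmask in hex.
IFF_PROMISC=256   # 0x100, the IFF_PROMISC bit from <linux/if.h>

# is_promisc FLAGS_HEX -> exit 0 if the promiscuous bit is set, 1 otherwise.
# Example: 0x1103 = UP|BROADCAST|PROMISC|MULTICAST, 0x1003 = same without PROMISC.
is_promisc() {
    flags=$(printf '%d' "$1")            # hex string -> decimal
    [ $(( flags & IFF_PROMISC )) -ne 0 ]
}

# check_interfaces [SYSFS_DIR] -> prints one line per interface,
# returns 0 if none is promiscuous and 2 if at least one is.
# SYSFS_DIR defaults to /sys/class/net; a different directory can be
# passed to test against constructed data.
check_interfaces() {
    dir=${1:-/sys/class/net}
    found=0
    for f in "$dir"/*/flags; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        if is_promisc "$(cat "$f")"; then
            echo "PROMISC $iface"
            found=1
        else
            echo "normal  $iface"
        fi
    done
    [ "$found" -eq 0 ] || return 2
}
```

Run it as a regular check (for example from cron) and alert on a non-zero exit status; note that legitimate tools such as bridges or capture-based monitoring also set this flag, so the result is a lead to investigate, not proof of a sniffer.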
Defending against a sniffer
Given how 'sensitive' a sniffer is, your main worry is probably the transmission of sensitive data such as user IDs or passwords. Some data is sent unprotected, and once it is sniffed the information is exposed. The solution to these problems is encryption.
SSH (Secure Shell) is a protocol that provides secure communication for applications and is built on the client/server model. The SSH server listens on port 22; the connection is established using an RSA-based algorithm, and after authentication the subsequent communication data is encrypted with IDEA. This is usually strong enough and suitable for non-secret, non-classified communication.
SSH was later developed into F-SSH, which provides high-level, military-grade encryption of the communication session and offers the most general encryption for TCP/IP network communication. If a site uses F-SSH, the user name and password matter much less. At present no one has broken this encryption, so even if a sniffer is present, the information it collects is no longer valuable. Of course, the most important thing is how it is used.
Alternative security methods
Another option is a secure topology. This sounds simple, but it is costly. Such a topology follows one rule: a network segment must have sufficient reason to trust another network segment. Segments should be designed around the trust relationships between your data, not around hardware needs. When you start working on the network topology, you must do the following:
First: a network segment consists only of computers that can trust each other. Usually they are in the same room or the same office. For example, your financial information should be fixed to a particular node, just as your finance department is placed in a location in the office area that does not change often.
Second: note that each machine is connected to the hub by a physical cable, and the hub is connected to the switch. Because the segment is self-contained, packets can only be sniffed on that segment; the remaining segments cannot be sniffed.
Third: everything comes down to trust. To communicate with another computer, a computer must trust it. As system administrator, your job is to find a way to minimize the trust relationships between computers. This establishes a framework that tells you when a sniffer is placed, where it is placed, who placed it, and so on.
Fourth: if your LAN is connected to the Internet, a firewall alone is not enough. Intruders can scan behind the firewall and detect running services. What you need to care about is what an intruder can get once inside the system, and how far the trust relationships extend. For example, suppose your web server trusts computer A. How many computers does A trust, and how many computers do those computers trust in turn? Any computer earlier in this chain of trust may attack your computer and succeed. Your task is to ensure that once a sniffer appears, it is effective only over the smallest possible range.