Sniffer attacks are built on network sniffing technology. Hackers favor them because they are very hard to detect. A successful sniffer attack does great harm to an enterprise: its information and data may fall into the hackers' hands. How to discover and defend against sniffer attacks has therefore become a major topic.
1. How to discover Sniffer attacks
On a UNIX system, run the command ps -aux. It lists all current processes, the user who started each one, its CPU time and its memory usage. On Windows, press Ctrl+Alt+Del to view the task list. However, a sniffer written by a skilled programmer will not appear in either list even while it is running.
Another method is to search the system for suspicious files, but attackers may use programs of their own, which makes the sniffer very hard to find. There are also many tools that check whether a system is in promiscuous mode and whether a sniffer is running. Finding which host on the network is running the sniffer is still very difficult, because a sniffer is passive software: it sends no packets to any host, it simply runs quietly and waits for the packets it wants to capture to pass by.
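The local check for promiscuous mode described above, as an added example that is not part of the original article: on Linux the kernel exposes each interface's flags word in /sys/class/net/<iface>/flags, and ip link show prints the same flags in angle brackets; both are parsed here, with constructed sample data so the code runs offline. Like the ps and task-list checks, this only works from a host whose kernel you still trust.

```python
import os
import re

# Bit set in /sys/class/net/<iface>/flags when an interface is in
# promiscuous mode (IFF_PROMISC from <linux/if.h>).
IFF_PROMISC = 0x100

def promiscuous_from_sysfs(flags_by_iface):
    """Return the interfaces whose sysfs flags word has IFF_PROMISC set.

    flags_by_iface maps an interface name to the hex string read from
    /sys/class/net/<iface>/flags, e.g. {"eth0": "0x1103"}.
    """
    return sorted(
        name for name, value in flags_by_iface.items()
        if int(value, 16) & IFF_PROMISC
    )

def read_sysfs_flags(root="/sys/class/net"):
    """Collect the flags word of every interface on a live Linux host."""
    result = {}
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                result[name] = fh.read().strip()
        except OSError:
            continue  # virtual entries without a flags file
    return result

_IP_LINK_LINE = re.compile(r"^\d+:\s+(?P<name>[^:@]+)[^<]*<(?P<flags>[^>]*)>")

def promiscuous_from_ip_link(output):
    """Parse `ip link show` output and return interfaces flagged PROMISC."""
    found = []
    for line in output.splitlines():
        m = _IP_LINK_LINE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            found.append(m.group("name").strip())
    return found

# Constructed sample data (not captured from a real host).
SAMPLE_SYSFS = {"lo": "0x9", "eth0": "0x1103", "eth1": "0x1003"}
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
"""

if __name__ == "__main__":
    print("sysfs:", promiscuous_from_sysfs(SAMPLE_SYSFS))
    print("ip link:", promiscuous_from_ip_link(SAMPLE_IP_LINK))
```

Replace SAMPLE_SYSFS with read_sysfs_flags() to check the host you are logged in to.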
2. Defend against Sniffer attacks
Although finding a sniffer is very difficult, there is still a way to defend against it. Since the sniffer has to capture our confidential information, we can simply let it capture that information, provided we encrypt it beforehand. Even if hackers capture it, they cannot decrypt it, and the sniffer attack is rendered ineffective.
Hackers mainly use sniffers to capture Telnet, FTP and POP3 traffic, because these protocols travel over the Internet in plain text. We can use the secure protocol SSH to replace Telnet and the other protocols that are vulnerable to sniffing.
SSH (Secure Shell) is a protocol that provides secure communication for applications and is built on the client/server model. The SSH server listens on port 22; the connection is established using the RSA algorithm, and once authentication is complete the subsequent traffic is encrypted with the IDEA cipher. This encryption is usually strong and suitable for any non-secret, non-classified communication.
SSH was later developed into F-SSH, which provides high-level, military-grade encryption of the whole session and the most universal encryption available for network communication over TCP/IP. If a site uses F-SSH, user names and passwords no longer matter. So far nobody has broken this encryption method, so even a successful sniffer attack collects nothing of value. For more information, see the SSH literature.
Another defense against sniffers is a secure topology. Because sniffers only work on shared media such as Ethernet and token ring networks, use switched networking equipment wherever possible so that a sniffer cannot eavesdrop on packets not addressed to it. There is also a rule for preventing passive sniffing: a network segment must have good reason to trust another segment. Segments should be designed around the trust relationships between the data they carry, not around hardware needs. A segment consists only of computers that can trust one another. Usually they are in the same room or office, and they should be confined to a fixed part of the building. Note that each machine is hard-wired to a hub, and the hub in turn connects to the switch. Because the segment is self-contained, packets can only be captured within that segment; other segments cannot be monitored from it.
Everything comes down to trust. To communicate with another computer, a computer must trust it. The system administrator's job is to find an arrangement in which the trust relationships between computers are as few as possible. This establishes a framework that tells you when a sniffer was placed, where it was placed, who placed it, and so on.
If the LAN is connected to the Internet, a firewall alone is not enough: attackers can scan a firewall and discover the services running behind it. You should be concerned with what an intruder can reach once inside the system, and you must consider how far the trust relationships extend. For example, if your Web server trusts computer A, how many computers does A trust, and how many computers do those trust in turn? In short, what matters is the computer that determines the minimal trust relationship: any computer earlier in that chain of trust could attack your computer and succeed. Your task is to ensure that once a sniffer attack occurs, it is effective only over the smallest possible range.
Sniffers are often deployed after an attacker has broken into a system, to collect further useful information, so preventing the initial break-in is critical. The system security administrator should test the managed networks regularly to eliminate security risks. At the same time, keep the number of users with substantial privileges under control, because many attacks come from inside the network.
3. Antisniff, a tool used to prevent Sniffer attacks
Antisniff is a tool developed by L0pht, a well-known hacker group (now a security company). It detects whether machines on the local network are in promiscuous mode (that is, listening mode).
A machine in promiscuous mode has very likely been compromised and had a sniffer installed. For network administrators it is important to know which machine is in promiscuous mode so that it can be investigated further.
Antisniff 1.x runs on a Windows NT system with an Ethernet interface and provides an easy-to-use GUI. The tool uses several tests to determine whether a remote system is capturing and analyzing packets that were not sent to it. These tests are independent of the remote operating system.
Antisniff operates on a CIDR block of the local Ethernet. On a non-switched Class C network, a single Antisniff can monitor the whole network; if the network is divided into workgroups by switches, one Antisniff is needed in each workgroup. The reason is that some of the tests use invalid Ethernet addresses, and some rely on statistics that only promiscuous mode affects (such as response time and packet loss rate).
Antisniff is easy to use. In the tool's graphical interface, select the machines to check and specify how often to check them. For every test except the network response time test, each machine returns a fixed positive or negative result; a positive result indicates that the machine is in promiscuous mode and may have been compromised by a sniffer.
For the results of the network response time test, we recommend computing a baseline from the values returned by the first run, and then examining machines whose results change greatly between the flood and non-flood tests. Once such a machine leaves promiscuous mode and returns to normal operation, the next Antisniff run records the difference (a positive value) between the promiscuous and non-promiscuous readings.
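The baseline-and-compare procedure for the response time test, as an added example that is not Antisniff's own code: each host's median ping RTT under a traffic flood is divided by its idle median, the first run fixes a per-host baseline ratio, and later runs flag hosts whose ratio has grown by more than a chosen factor (3x here, an assumed threshold). The RTT samples and host addresses are constructed.

```python
from statistics import median

def latency_ratio(idle_ms, flood_ms):
    """Median ping RTT under a traffic flood divided by the idle median.

    A host in promiscuous mode has to process every flooded frame, so
    its ratio rises far more than that of a host that drops frames
    not addressed to it at the network card.
    """
    return median(flood_ms) / median(idle_ms)

def build_baseline(first_run):
    """first_run maps host -> (idle RTTs, flood RTTs) from the initial test."""
    return {host: latency_ratio(idle, flood)
            for host, (idle, flood) in first_run.items()}

def suspicious_hosts(baseline, current_run, factor=3.0):
    """Hosts whose flood/idle ratio grew by more than `factor` since baseline."""
    flagged = []
    for host, (idle, flood) in current_run.items():
        if host not in baseline:
            continue  # new machine: it needs its own baseline first
        ratio = latency_ratio(idle, flood)
        if ratio > factor * baseline[host]:
            flagged.append((host, round(ratio, 2)))
    return flagged

# Constructed RTT samples in milliseconds (not real measurements).
FIRST_RUN = {
    "10.0.0.5": ([1.0, 1.1, 0.9], [1.3, 1.4, 1.2]),
    "10.0.0.6": ([1.0, 1.0, 1.1], [1.2, 1.3, 1.1]),
}
LATER_RUN = {
    "10.0.0.5": ([1.0, 1.1, 0.9], [9.0, 8.5, 9.5]),  # slows sharply under flood
    "10.0.0.6": ([1.0, 1.1, 0.9], [1.4, 1.3, 1.5]),  # unchanged behaviour
    "10.0.0.7": ([1.0, 1.0, 1.0], [5.0, 5.0, 5.0]),  # no baseline yet, skipped
}

if __name__ == "__main__":
    print(suspicious_hosts(build_baseline(FIRST_RUN), LATER_RUN))
```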
Antisniff should be run periodically; the exact interval depends on the site, the network load, the number of machines tested, and site policy.