Sniffer greatest danger is that it is difficult to be found in the single case found a Sniffer is relatively easy, you can view the currently running a computer program to achieve all, of course, not always reliable.
1. How to find Sniffer
In UNIX systems can use the following command: ps-aux. This command lists all current process, the user starts the process, they take up much CPU time and memory occupation and so on.
In Windoos system, you can press Ctrl + Alt + Del keys, see the task list. However, even if the programming techniques Sniffer is running high, it will not appear here.
Another way is to search for in the system, find the file may be suspected. However, an intruder could use to write their own programs, so this result to find that very difficult Sniffer. There are many tools can be used to check your system will not be in promiscuous mode, to see whether there is a Sniffer is running. However, circumstances in the network to detect Which one host is running Sniffer is very difficult, because the software Sniffer is a passive attack, it does not send packets to any host, but only quietly running, waiting to capture After the data packet.
2. Resist Sniffer
Although it is very difficult to find a Sniffer, but we still have the means to resist Sniffer sniffer attacks. Since the Sniffer to capture our confidential information, that we just caught it, but prior to such information is encrypted, the hacker even capture our confidential information, can not decrypt, so, Sniffer lost a role.
Hackers use Sniffer to capture the main Telnet, FTP, POP3 and other data packets, as these agreements in order to clear the Internet transmission, we can use a security protocol known as SSH and so easy to replace Telnet Protocol Sniffer attacks.
SSH also known as Secure Shell, which is provided in the application of a secure communication protocol, based on client / server model. SSH server is assigned port is 22, the connection is through the use of a set up from the RSA algorithm. The authorization is completed, the next communication data is encrypted using IDEA technology. This encryption method is usually more powerful, for any non-confidential and non-classical communication.
SSH has since developed into F-SSH, provides a high-level military-level encryption of the communication process. It is through TCP / IP network communication provides the most common encryption. If a site uses F-SSH, the user name and password are no longer important. Currently, no one has been breached in this encryption method. Even Sniffer, collected information will no longer be valuable.
Interested readers can see with the SSH-related books.
Sniffer attack against another is to use safety topology. Because only Sniffer Ethernet, token ring network such as work, so try to use the network switching equipment from the maximum to prevent eavesdropping by Sniffer packet is not his own. There is also a principle for the prevention of Snther passive attack a network segment must have enough reason to trust the other network segment. Network segment should consider the specific relationship of trust between the data onto the design, rather than from the hardware needs of the design. A network segment can trust each other only by the computer component. Usually they are in the same room, or in the same office, it should be fixed at a certain part of the building. Note that each machine is hard-wired cable to the hub through (Hub), the hub and then received the switch. As the network segmentation, and data packets can be captured in this segment, the rest of the segment will not be listening.
All of them comes down to trust the above. Computer and other computers to communicate, it must trust that computer. System administrator's job is to determine a way to make a small trust relationships between computers. Thus, the establishment of a framework to tell you when to put a Sniffer, it is placed where, who put in more.
If the LAN and the Internet to be connected, only using a firewall is not enough. Intruder has been scanned from behind a firewall and detection services are running. Should be concerned that, if an intruder into the system, he can get something. You have to consider such a path, that is, how long the trust relationship. For example, suppose your Web server A computer is trusted, then how many computers are A trusted? How many computers are affected by these computers be trusted? Word, is to determine the relationship between the minimum trust that computer . Trust relationship, this computer at any one computer may attack your computer and successfully. Your task is to ensure that the event of a Sniffer, it is only on the minimum effective.
Sniffr often at the attacker after the invasion of the system used to collect useful information. Therefore, to prevent the system is critical breakthrough. System security administrator to be regular on the management of network security testing, to prevent security problems. Also has considerable authority to control the number of users, because many attacks are from within the network.
3. To prevent the Sniffer tool Antisnff
Antisniff is well-known hacker organization (now the security company a) L0pht development of tools for detecting whether the local network machine into promiscuous mode (ie, monitor mode).
A machine in promiscuous mode meaning it may have been the invasion was installed Sniffer. For network administrators, to understand what the machine is in promiscuous mode for further investigation is very important.
Antisniff 1.X version running on Ethernet WindOWS NT systems, and provides easy to use graphical user interface. Test the tool in various ways whether the remote system is not capturing and analyzing those data packets sent to it. These test methods with the operating system itself.
Antisniff a run on the local Ethernet segment. If the non-switched network C-class running, Antisniff can monitor the entire network; If the network switch to isolate the Working Group, each working group will need to run a Antisniff. Because of some special tests used invalid Ethernet address, also need some mixed mode test statistics (such as response time, packet loss rate, etc.).
Antisniff usage is very simple, graphical interface, the tool needs to be checked to select the machine, and specify the inspection frequency. In addition to network response time for inspections, testing, each machine will return to a certain positive or negative. Back to the positive value indicates that the machine is in promiscuous mode, which may have been installed Sniffer.
The network response time testing the return value, recommended the return of the first numerical standard value, and then again twice in the flood and non-flood when the returned results Ceshi greatly change the machine to be checked. Once these machines out of promiscuous mode to return to normal operation mode, Antisniff's next test will be recorded in mixed mode and non-promiscuous mode of the difference (positive).
Should periodically run Antisniff, the value of the specific period depending on the site, different network load testing machine number and Web site strategies are different.