1. How to find Sniffer
Sniffer greatest risk is that it is difficult to be found in the single case found a Sniffer is relatively easy, you can view currently running on the computer to implement all programs, of course, not always reliable.
In UNIX systems can use the following command: ps-aux.This command lists all of the current process, the user starts the process, they take up much CPU time and memory occupation and so on.
In Windoos system, you can press Ctrl + Alt + Del keys, view the task list.However, even if the programming skills Sniffer is running high, it will not appear here.
Another way is to search for in the system, find the files may be suspected.However, an intruder could use to write their own programs, so it Sniffer to find cause considerable difficulties.There are many tools can be used to view your system will not be in promiscuous mode, so that if there is a Sniffer is running.However, the case in the network to detect the host is running Sniffer Which one is very difficult, because the Sniffer is a passive attack software, it does not send packets to any host, but only to run quietly, waiting to captureAfter the data packet.
2.Against Sniffer
Although found a Sniffer is very difficult, but we still have a way to resist Sniffer sniffing attacks.Since our Sniffer to capture confidential information, that we just caught it, but prior to encrypt this information, hackers, even if the capture of our confidential information, can not decrypt, so, Sniffer will lose the effect.
Hackers use Sniffer to capture the main Telnet, FTP, POP3 and other data packets, because these protocols transmit in clear text on the Internet, we can use a security protocol called SSH instead of Telnet and other protocols likely to be Sniffer attack.
SSH also known as Secure Shell, which is provided in the application of a secure communication protocol, based on client / server model.SSH server allocated port is 22, the connection is through the use of a set from the RSA algorithm.The authorization is completed, the next communication data encrypted with the IDEA technology.This encryption method is usually relatively strong, suitable for any non-confidential and non-classical communication.
SSH has since developed into F-SSH, provides a high-level military-level encryption of the communication process.It is through TCP / IP network communication provides the most common encryption.If a site uses F-SSH, the user name and password are no longer important.Currently, no one has breached this encryption method.Even Sniffer, the collected information will no longer be valuable.Interested readers can see with the SSH-related books.
Sniffer attack against another is to use the secure topology.Only because Sniffer Ethernet, Token Ring and other network works, so try to use the network switching equipment from the maximum extent to prevent eavesdropping Sniffer packet is not his own.There is also a principle used to prevent Snther passive attack on a network segment must have a sufficient reason to trust the other network segment.Network segment specific data should consider the trust relationship between the design up, and not from the hardware needs of design.A network segment can trust each other only by the computer component.Usually they are in the same room, or in the same office, should be fixed in a certain part of the building.Note that each machine is hard-wired cable to the hub through (Hub), the hub and then to the switch fabric.As the network segment, the data packets can be captured in this segment, the rest of the segment will not be listening.
All the above problems are attributed to the trust.Computer and other computers to communicate, it must trust the computer.System administrator's job is to decide on a method of making the trust relationship between the small computer.Thus, to establish a framework to tell you when to put a Sniffer, where it is, who put in more.
If the LAN and the Internet to be connected, just use a firewall is not enough.Intruder has been scanned from behind a firewall, and to detect running services.Should be concerned about is that once an intruder into the system, he can get something.You must consider such a path, that is how long the trust relationship.For example, if your Web server A computer that is trusted, then the number of A trusted computer is it?How many computers are affected by these computers trust it?In short, the trust relationship is to determine the minimum that computer.Relationship of trust, before any of this computer may be a computer attack on your computer and successfully.Your task is to ensure that the event of a Sniffer, it is only effective on the minimum range.
Sniffr often the attacker after the invasion of the system used to collect useful information.Therefore, to prevent the system is a breakthrough is critical.System security administrator to be a regular on the management of network security testing, to prevent security risks.Also has considerable authority to control the number of users, because many attacks often come from within the network.
3.Antisnff Sniffer tool to prevent
Antisniff by well-known hacker organization (now the security company a) L0pht development tool for the detection of local network if the machine is in promiscuous mode (ie, monitor mode).
A machine in promiscuous mode means that it is likely to have been invaded and installed a Sniffer.For network administrators, know which machine is in promiscuous mode for further investigation and study is very important.
Antisniff 1.X version running on the Ethernet WindOWS NT systems, and provides easy to use graphical user interface.The tool tests the remote system in various ways to capture and analyze whether they are those who do not send packets to it.The test method has nothing to do with the operating system itself.
Antisniff a run on the local Ethernet segment.If the C class of non-switched network running, Antisniff can monitor the entire network; if the network switch to isolate the Working Group, each working group will need to run a Antisniff.The reason is some of the special test with an invalid Ethernet address, the other needs some mixed mode test statistics (such as response time, packet loss rate, etc.).
Antisniff usage is very simple, graphical interface of the tool, select the machine needs to be checked, and specify the inspection frequency.In addition to network response time for inspections, testing, each machine will return to a certain positive or negative.Returns positive value indicates that the machine is in promiscuous mode, which has probably already been installed Sniffer.
Testing network response time for the return value, it is recommended according to the first return to the standard numerical value, and then again twice in the flood and non-flood test results returned by major changes in the machine to be checked.Once these machines out in promiscuous mode to return to normal operation mode, Antisniff's next test will be recorded in promiscuous mode, and the difference between non-promiscuous mode (positive).
Should periodically run Antisniff, the value of the specific period depending on the site, different network load testing machine number and Web site strategies are different.