TY - GEN
T1 - Malicious sniffing systems detection platform
AU - Trabelsi, Zouheir
AU - Rahmani, Hamza
AU - Kaouech, Kamel
AU - Frikha, Mounir
PY - 2004
Y1 - 2004
N2 - Among the various types of attacks on an Ethernet network, the "sniffing attack" is probably one of the most difficult to handle. Sniffers are programs that allow a host to capture any packet on an Ethernet network by putting the host's Network Interface Card (NIC) into promiscuous mode. When a host's NIC is in normal mode, it captures only the packets sent to that host. Since many basic services, such as FTP and SMTP, send passwords and data in clear text, sniffers can be used by hackers to capture passwords and confidential data. This paper presents the design and implementation of two different techniques which can be used to detect any host running a sniffer on an Ethernet network. The first technique, ARP (Address Resolution Protocol) detection, first sends trap ARP request packets with fake hardware addresses to a suspicious host. Then, based on the generated responses (ARP reply packets) and the operating system (OS) of the suspicious host, a decision is made on whether or not the suspicious host is running a sniffer. The second technique, RTT detection, uses measurements of the RTT (Round-Trip Time) of ICMP packets sent to suspicious hosts. Then, using a statistical model (the z-statistic), a probabilistic decision is made. The two techniques are implemented in two tools that automatically give system administrators a helping hand in detecting sniffers on an Ethernet network. Related and future work is discussed.
UR - http://www.scopus.com/inward/record.url?scp=2642549893&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=2642549893&partnerID=8YFLogxK
U2 - 10.1109/SAINT.2004.1266117
DO - 10.1109/SAINT.2004.1266117
M3 - Conference contribution
AN - SCOPUS:2642549893
SN - 0769520685
SN - 9780769520681
T3 - Proceedings - International Symposium on Applications and the Internet
SP - 201
EP - 207
BT - Proceedings - 2004 International Symposium on Applications and the Internet (Saint 2004)
T2 - Proceedings - 2004 International Symposium on Applications and the Internet (Saint 2004)
Y2 - 26 January 2004 through 30 January 2004
ER -