Zurich Research Laboratory
Our sniffer detector is designed to detect the use of malicious sniffers installed on shared networks. These malicious sniffers pose a threat to Internet users, as many protocols currently used on the Internet are insecure. For example, the Telnet and FTP protocols send passwords over the network in clear text. A sniffer able to log this information can compromise the security of an entire network. Indeed, the sniffer's owner can reuse the gathered login and password pairs to gain unauthorized access.
From a network point of view, a sniffer is passive. Therefore, one must wait for the sniffer's owner to launch an attack. The problem is how to differentiate between a normal Telnet session and one started by an intruder. Our idea is to spread bait that is presumably especially attractive to the sniffer's owner. Our sniffer detector then waits for the intruder to use the bait information. Nobody besides the intruder has knowledge of the information sent out. If someone makes use of it, the tool recognizes the symptoms of an attack and triggers an alarm.
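The bait-and-wait logic described above, as an added Python example (not the prototype's code). The class names, the event fields, the idea of tagging each bait with the segment it crossed, and the sample login events are assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Bait:
    user: str
    password: str
    segment: str     # network path the clear-text bait session crossed
    sender: str      # address the detector sent the bait from
    planted_at: int  # epoch seconds of the bait session

class BaitRegistry:
    """Tracks bait credentials and flags any login that reuses them."""

    def __init__(self):
        self._baits = {}

    def plant(self, segment, sender, now):
        # Random, never-issued credentials: only someone who sniffed
        # `segment` can know them.
        bait = Bait("svc" + secrets.token_hex(3), secrets.token_urlsafe(9),
                    segment, sender, now)
        self._baits[bait.user] = bait
        return bait

    def check(self, event):
        """Return an alarm dict if `event` reuses a bait, else None."""
        bait = self._baits.get(event["user"])
        if bait is None:
            return None  # ordinary account, not bait
        if event["src"] == bait.sender and event["ts"] == bait.planted_at:
            return None  # the detector's own bait session
        exact = hmac.compare_digest(event["password"].encode(),
                                    bait.password.encode())
        return {"segment": bait.segment, "src": event["src"],
                "delay_s": event["ts"] - bait.planted_at,
                "full_credentials": exact}

def demo():
    reg = BaitRegistry()
    b = reg.plant("lan-a", "192.0.2.10", 1000)
    # Constructed login events, as a decoy Telnet/FTP server might record them.
    events = [
        {"ts": 1000, "src": "192.0.2.10", "user": b.user, "password": b.password},
        {"ts": 1200, "src": "198.51.100.7", "user": "alice", "password": "x"},
        {"ts": 4600, "src": "203.0.113.66", "user": b.user, "password": b.password},
    ]
    return [alarm for alarm in map(reg.check, events) if alarm]

if __name__ == "__main__":
    print(demo())
```

Because each bait is unique to one segment, an alarm also indicates which network path the sniffer is listening on.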
A prototype has been tested for traffic between IBM Zurich and IBM La Gaude via IGN (IBM Global Network). In order to apply the sniffer detector concepts on a larger scale, we invite interested parties to join our experimentation.