  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 586

Dsniff

Is Dsniff really good at sniffing switched networks without having to use a port on a switch? I am trying to harden the internal network security and I was reading about dsniff and its ability to redirect traffic as if it were the gateway. I want to try and reproduce this result to see how easy some rogue user could do it, then take countermeasures to prevent this kind of attack.
thanks in advance
Asked by: vcon13
3 Solutions
 
chris_calabrese commented:
Yes, dsniff can do this through an ARP Cache Spoofing Attack.

This works by flooding the switch with spoofed ARP replies, which overflows the switch's list of what MACs are associated with which port, forcing it to act like a hub instead of a switch, at least within a single VLAN.

Countermeasures include:
1. Encrypt all traffic so confidentiality attacks just don't work
2. Assign each user their own private VLAN. Yes, this is possible and some extremely security-sensitive (mostly government) organizations have actually done this.
3. Implement real-time detection and response (port shut-down) for such attacks
 
ravenpl commented:
Some switches are smarter than others, and are aware of ARP cache overloading. You may set max MAC addresses per port on them.
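Added example (not posted by anyone in this thread): the per-port MAC limit ravenpl mentions, written as a Cisco IOS port-security configuration. The interface name and the 300-second recovery interval are placeholders chosen for illustration; other vendors expose the same controls under different syntax.

```cisco
! Access port for a single user workstation: learn at most one source MAC,
! keep it in the running config across reloads ("sticky"), and err-disable
! the port as soon as a second MAC shows up.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Optional: re-enable a violated port automatically after 300 seconds instead
! of waiting for an administrator to do "shutdown" / "no shutdown" by hand.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

With `maximum 1` and `violation shutdown`, a port that sees a second source MAC, whether from a MAC-flooding tool or from a small hub someone plugged in, is shut down, which is the automated port shut-down mentioned in the first answer. The caveat is that port security only counts source MAC addresses per port; it does not look inside ARP replies, so a rogue host that keeps its own MAC while lying about the gateway IP in the ARP sender field is not stopped by this setting alone and still needs the ARP monitoring discussed in this thread.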
 
kevinf40 commented:
Hi

Chris_calabrese, I could be mistaken, but I think you have described ARP / MAC flooding, which will do exactly what you suggest.  I could be wrong, but I think that in order to perform a man in the middle attack tools like dsniff and 'Cain and Abel' use ARP poisoning.  They take advantage of the fact that many devices update their ARP tables each time they receive an ARP 'reply'.  Thus you just need to keep sending false ARP replies to the router / switch so the desired traffic goes via your sniffing box, without the need to flood the switch and degrade overall performance.

Agree completely with your countermeasures though.

Additional countermeasures vcon13 could consider (depending on the size of your network):

Implement port security on your switches - for example by maintaining a MAC address database linking a MAC to a port.  This has the added benefit of preventing any non approved devices from being attached to the network in addition to preventing a machine spoofing another MAC address.

On a small network you could implement static IP addressing and static ARP entries - although this is hard to maintain.

Monitoring for possible ARP spoofing attacks can also be a useful defense; look at a tool such as ARPwatch (http://www.securityfocus.com/tools/142). This will, however, require some tuning to prevent false positives, especially if your environment uses DHCP (ARPwatch maintains a list of IPs and their associated MAC addresses).

Some Network intrusion detection / prevention devices may also be able to monitor for potential ARP spoofing attacks.

cheers

K
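The two mechanisms kevinf40 describes, a host that overwrites its ARP cache on every reply it receives and an ARPwatch-style monitor that reports when an IP's MAC changes, as an added example in Python (not code from this thread, from dsniff or from ARPwatch). All addresses are constructed for the simulation; the repeated spoofed replies stand in for the unsolicited replies that dsniff's arpspoof sends, and the second scenario shows the static ARP entry countermeasure from the same post. Real operating systems differ in when they accept unsolicited replies; the cache model here is the naive one the post refers to.

```python
"""ARP cache poisoning and an ARPwatch-style check, modelled on constructed
ARP replies.  Added example, not code from the original page or from dsniff."""

from dataclasses import dataclass

# Constructed addresses for the simulation (not from any real capture).
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:00:5e:00:01:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.20", "00:11:22:33:44:55"
ATTACKER_MAC = "de:ad:be:ef:00:01"


@dataclass(frozen=True)
class ArpReply:
    """The fields of an ARP reply (opcode 2) that matter for this model."""
    sender_ip: str      # IP address the sender claims to own
    sender_mac: str     # MAC it wants the receiver to associate with that IP
    target_ip: str
    target_mac: str


class HostArpCache:
    """Minimal model of a host ARP cache.

    Many stacks update an entry whenever a reply arrives, even one they never
    asked for; that is the behaviour arpspoof relies on.  Entries marked static
    (the 'arp -s' countermeasure) are never overwritten by received replies.
    """

    def __init__(self):
        self.table = {}      # ip -> mac
        self.static = set()  # ips whose entries are pinned

    def add_static(self, ip, mac):
        self.table[ip] = mac
        self.static.add(ip)

    def receive(self, reply):
        """Apply a reply to the cache; return True if the entry changed."""
        if reply.sender_ip in self.static:
            return False
        changed = self.table.get(reply.sender_ip) != reply.sender_mac
        self.table[reply.sender_ip] = reply.sender_mac
        return changed

    def next_hop_mac(self, ip):
        return self.table.get(ip)


class ArpMonitor:
    """ARPwatch-style watcher: remembers the first IP->MAC pairing seen on the
    wire and records an alert whenever a later reply changes that pairing."""

    def __init__(self):
        self.seen = {}     # ip -> mac last associated with it
        self.alerts = []

    def observe(self, reply):
        known = self.seen.get(reply.sender_ip)
        if known is not None and known != reply.sender_mac:
            self.alerts.append(
                f"{reply.sender_ip} changed from {known} to {reply.sender_mac}")
        self.seen[reply.sender_ip] = reply.sender_mac


def poison_gateway_entry(cache, monitor):
    """Replay the attack: one genuine reply from the gateway, then repeated
    unsolicited replies claiming the gateway IP with the attacker's MAC."""
    legit = ArpReply(GATEWAY_IP, GATEWAY_MAC, VICTIM_IP, VICTIM_MAC)
    spoofed = ArpReply(GATEWAY_IP, ATTACKER_MAC, VICTIM_IP, VICTIM_MAC)
    for reply in (legit, spoofed, spoofed):   # arpspoof keeps re-sending
        cache.receive(reply)
        monitor.observe(reply)
    return cache.next_hop_mac(GATEWAY_IP)


def run_scenarios():
    # Scenario 1: default host, dynamic cache.  Frames for the gateway now go
    # to the attacker's MAC, and the monitor records the flip.
    cache, mon = HostArpCache(), ArpMonitor()
    dynamic_result = poison_gateway_entry(cache, mon)

    # Scenario 2: static entry for the gateway.  The host ignores the spoofed
    # replies, although the monitor still sees them on the wire.
    cache2, mon2 = HostArpCache(), ArpMonitor()
    cache2.add_static(GATEWAY_IP, GATEWAY_MAC)
    static_result = poison_gateway_entry(cache2, mon2)

    return {
        "dynamic_next_hop": dynamic_result,
        "dynamic_alerts": mon.alerts,
        "static_next_hop": static_result,
        "static_alerts": mon2.alerts,
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

Run it directly to print both scenarios. In the first, the victim's next hop for 10.0.0.1 ends up as the attacker's MAC after a single spoofed reply; in the second, the static entry keeps the gateway's real MAC. The monitor alerts once in both cases, because the spoofed replies are on the wire either way, which is why the monitoring works even on hosts you cannot pin entries on.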
