
International Journal of Computer Information Systems, Vol. 3, No. 3, 2011

Techniques to Abolish The Effect of Sniffer Existing in The Network


Amit Mishra
Department of Computer Science & Engg., Faculty of Engineering & Technology
Jodhpur National University, Jodhpur, India
mishranamit2211@gmail.com

Abstract. In the present environment, a computer network is an essential requirement for an organization. It may be used to share data, resources etc., but it also introduces some unwanted activities such as data theft, hacking etc. Sniffing is a major threat to computer networks and web applications. In an Ethernet network, every device connected to the network receives all the data that is passed on the segment. By default the network card processes only the data that is addressed to it. However, listening programs switch the network card into a mode in which it receives all packets, called promiscuous mode. So a sniffer is a special program or piece of code that puts the Network Interface Card (NIC) into promiscuous mode. When the NIC works in promiscuous mode, the user of that system can steal all the data, including passwords etc., without generating any traffic. Any system on the network running a sniffer can see all the data moving over the network. Many sniffers like Wireshark, Cain & Abel, ethersniff etc. are available at no cost on the internet. Many solutions have been proposed for the detection of network sniffing, including AntiSniff [1], SnifferWall [2], Sniffer Detector [3] etc., but none of them guarantees full protection against sniffing [4]. In this paper we discuss sniffing and some techniques to abolish the effect of a sniffer existing in the network. Some sniffer prevention methods are also discussed in brief.

Figure 1. NIC working in Promiscuous Mode

There are many popular sniffers, which are available for free on the internet, as listed below:
- Wireshark
- Kismet
- Tcpdump
- Cain and Abel
- Ettercap
- EtherApe
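All the tools listed above rely on the NIC being switched into promiscuous mode, and the one place where that switch is directly visible is the host that runs the sniffer. The following Python script is an added example, not part of the paper, of how an administrator can check a Linux host for the promiscuous flag: it decodes the IFF_PROMISC bit (0x100) from /sys/class/net/<iface>/flags and, alternatively, parses the PROMISC keyword in the output of `ip -o link show`. The sample `ip link` output embedded in the script is constructed, not captured from a real host. The check is local only; a sniffer running on another machine in the segment cannot be seen this way, which is the limitation of detection the paper points out.

```python
"""Added example (not from the paper): detect interfaces that are in
promiscuous mode on the local Linux host, using two sources the kernel
exposes: the IFF_PROMISC bit in /sys/class/net/<iface>/flags and the
PROMISC keyword in `ip -o link show` output."""
import os
import re

# Linux net_device flag bits (from <linux/if.h>).
IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_LOOPBACK = 0x8
IFF_RUNNING = 0x40
IFF_PROMISC = 0x100
IFF_ALLMULTI = 0x200
IFF_MULTICAST = 0x1000

FLAG_NAMES = {
    IFF_UP: "UP", IFF_BROADCAST: "BROADCAST", IFF_LOOPBACK: "LOOPBACK",
    IFF_RUNNING: "RUNNING", IFF_PROMISC: "PROMISC",
    IFF_ALLMULTI: "ALLMULTI", IFF_MULTICAST: "MULTICAST",
}


def decode_flags(flags_text):
    """Turn the hex string read from /sys/class/net/<iface>/flags
    (e.g. '0x1103') into a set of flag names."""
    value = int(flags_text.strip(), 16)
    return {name for bit, name in FLAG_NAMES.items() if value & bit}


def is_promiscuous(flags_text):
    """True when the IFF_PROMISC bit is set in the flags value."""
    return "PROMISC" in decode_flags(flags_text)


# One line per interface, as printed by `ip -o link show`:
# "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
_IP_LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)[^<]*<(?P<flags>[^>]*)>")


def promiscuous_from_ip_link(output):
    """Return the interface names whose flag list contains PROMISC."""
    found = []
    for line in output.splitlines():
        m = _IP_LINK_RE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            found.append(m.group("name"))
    return found


def promiscuous_from_sysfs(root="/sys/class/net"):
    """Read the flags file of every interface under `root` (empty list
    when sysfs is not available, e.g. on a non-Linux host)."""
    found = []
    if not os.path.isdir(root):
        return found
    for iface in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, iface, "flags")) as fh:
                if is_promiscuous(fh.read()):
                    found.append(iface)
        except OSError:
            continue
    return found


# Constructed sample output of `ip -o link show` (not from a real host).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
"""

if __name__ == "__main__":
    print("promiscuous in sample output:", promiscuous_from_ip_link(SAMPLE_IP_LINK))
    print("promiscuous on this host:", promiscuous_from_sysfs())
```

Run on a Linux host, the second line lists the interfaces currently in promiscuous mode; a result that is not empty on a workstation that should not be capturing traffic is worth investigating.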

Keywords- network sniffer; ethernet; LAN; ARP; SSH; ping

I. INTRODUCTION

Computer networks are the backbone of an organization. In most cases, an organization that uses a network depends on Ethernet technology. In a hub-based Ethernet network, when a source wants to send a data packet to a destination it broadcasts the message onto the network, and the packet then reaches all the computers connected to the network. Each machine is supposed to ignore the packet if it is not destined for the Internet Protocol (IP) address assigned to that machine. The network interface card (NIC) performs this filtering operation. A packet sniffer is a program that puts the NIC into a special mode called promiscuous mode. In this mode, the NIC does not perform the filtering operation and passes all the received data to the operating system for further processing [3]. A sniffer in the network is shown in Fig. 1.

II. SNIFFER PREVENTION METHODS

There are some basic methods that can be used for the prevention of sniffing. Encryption is the basic prevention method, because if a sniffer program captures encrypted data, it will not be able to decrypt that data and the data will not be useful for any purpose. The following methods can also be used for prevention.

A. One Time Password

A One Time Password (OTP) is valid for only one login or transaction. So if an intruder or hacker has sniffed the password, he or she will not be able to use it, since it will no longer be valid. An OTP can be generated using time synchronization, a mathematical algorithm, or a mathematical algorithm where the new password is based on a challenge and a counter.
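The counter-based variant of an OTP is the one that makes the "sniffed password is useless" argument concrete: the server remembers the last counter it accepted, so a code captured on the wire has already been consumed by the time an intruder replays it. The following Python code is an added example, not part of the paper: it implements HOTP as specified in RFC 4226 (HMAC-SHA1 over the counter, dynamic truncation, six digits) and a small server-side verifier with a look-ahead window. The secret is the RFC 4226 test secret, used here only so the codes can be checked against the published test vectors.

```python
"""Added example (not from the paper): a counter-based one-time password
(HOTP, RFC 4226) with a verifier that accepts each code only once, so a
code captured by a sniffer cannot be replayed."""
import hmac
import hashlib
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server side: remembers the last accepted counter and only accepts
    codes for counters beyond it. The look-ahead window tolerates codes the
    client generated but never submitted; every accepted counter and all
    earlier ones become dead, which is what defeats a replay."""

    def __init__(self, secret, look_ahead=5):
        self.secret = secret
        self.look_ahead = look_ahead
        self.last_counter = -1

    def verify(self, code):
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c      # consume this counter
                return True
        return False


def replay_demo():
    """The client logs in with counter 0; a sniffer captures that code and
    replays it. The replay must fail while the next fresh code succeeds."""
    secret = b"12345678901234567890"      # RFC 4226 test secret (constructed demo value)
    server = OtpVerifier(secret)
    sniffed = hotp(secret, 0)
    return {
        "first_login": server.verify(sniffed),
        "replay_of_sniffed_code": server.verify(sniffed),
        "next_fresh_code": server.verify(hotp(secret, 1)),
    }


if __name__ == "__main__":
    for counter in range(3):
        print(counter, hotp(b"12345678901234567890", counter))
    print(replay_demo())
```

The three printed codes match the first RFC 4226 test vectors (755224, 287082, 359152). Note that the OTP only protects the credential; the data exchanged after login is still readable by a sniffer unless it is encrypted, which is why the paper pairs this method with SSH.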

Special Issue I, Page 19 of 55, ISSN 2229 5208

B. Secure Shell (SSH)

SSH is basically a network protocol that uses a secure channel for data transmission. If we use a secure channel between two network devices, the encryption used by SSH provides confidentiality and integrity of the data over an unsecured network, so data captured by a sniffer is of no use to it.

III. TECHNIQUES TO ABOLISH THE EFFECT OF SNIFFER

A sniffer does not have as strong an implementation of the TCP/IP protocol as the machines actually communicating in the network. Most sniffers work on the data link layer: the sniffer collects all the data link frames, but it has no information about how each frame will be interpreted, and it can only guess the actions of the receiving machine's kernel after getting a particular frame. On the basis of these concepts, the following techniques can be used as anti-sniffing techniques in a network when the detection and prevention of a sniffer is not completely possible.

A. The Design of the Sniffer

This is a basic and simple technique against the sniffer. Most sniffers are designed to follow a particular connection and ignore everything else as long as that connection is alive. So before the actual connection, we send a spoofed or fake SYN packet from a non-existent machine to the same port as the actual connection. If the sniffer is listening, it gets the SYN packet and sets up its internal state to monitor all the packets for that particular (fake) connection. When we then connect to our actual host, the sniffer ignores this activity because it is monitoring the fake host. In this way we can mystify the sniffer existing in the network.

B. Invalid Sequence Number

In a TCP connection, the sequence number is used to determine the amount of data that has been sent and the order in which it was sent. Most sniffers do not maintain or keep track of the sequence numbers of a TCP connection. So we can insert some packets with invalid/fake sequence numbers into the data stream of an ongoing TCP connection to confuse the sniffer. The kernel of the actual machine participating in the connection will discard these packets, but the sniffer will treat them as valid. So when it reassembles the data from the packets, the result will not be of any use because of the invalid data packets [5]. The TCP packet format is shown in Fig. 2.

Figure 2. TCP Packet Format

We can see that there are two control flags called FIN and RST. FIN indicates the beginning of the shutdown process and RST indicates the immediate termination of the connection. If we send a packet with the FIN flag set, it indicates that there is no more data available at the sender side for transfer, and RST signals a connection reset. If the sequence number of a data packet with FIN or RST set is far away from the current range of sequence numbers expected by the kernel, then the kernel will ignore this packet, but the sniffer will treat it as a connection termination request or connection reset request. In this way we can confound the working of the sniffer and get protection from it.

C. Desynchronization

If there is an intelligent sniffer in the network, it will keep track of the sequence numbers, and in that case the previous method will not be effective. For this reason we use the SYN control flag of the TCP packet. To implement this solution, we send a SYN packet within our data transmission with a different sequence number but with all the same conditions or parameters as set previously with the target host. The target host will ignore this packet because it refers to an already established connection, but the sniffer will resynchronize its sequence number to this new sequence number [5]. Now, if we send our data using our original sequence number, the sniffer will not regard these packets because it is waiting for a different (fake) sequence number. In this way we can secure our original data from the sniffer. But it is necessary to mention that the success rate of this method depends on the nature and type of the sniffer.
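Sections III.B and III.C both exploit the gap between how a sniffer follows a TCP stream and how the receiving kernel does. The same gap matters for anyone who builds monitoring on top of a sniffer (an intrusion detection sensor, for example): a stream follower that does not validate sequence numbers against the receive window can be fed garbage or desynchronized exactly as described. The Python simulation below is an added example, not part of the paper, and sends nothing on a network. It feeds the same constructed segments to three followers: a naive sniffer with no sequence state (the target of III.B), a tracking sniffer that keeps the next expected sequence number but trusts any SYN it sees (the "intelligent sniffer" of III.C), and a simplified receiver that behaves like a kernel in the established state (drops out-of-window segments, ignores a SYN on an established connection, honours FIN/RST only at the expected sequence number). The segment contents, sequence numbers and window size are constructed demo values.

```python
"""Added example (not from the paper): simulation of the sequence-number
tricks of Sections III.B and III.C against three TCP stream followers.
Constructed segments only; nothing is sent on a network."""


class Segment:
    """Minimal TCP segment: sequence number, payload and the flags used here."""
    def __init__(self, seq, payload=b"", syn=False, fin=False, rst=False):
        self.seq, self.payload = seq, payload
        self.syn, self.fin, self.rst = syn, fin, rst


class NaiveSniffer:
    """Section III.B target: keeps no sequence state. Every payload is
    appended in arrival order and any FIN/RST ends the stream."""
    def __init__(self):
        self.data, self.closed = bytearray(), False

    def feed(self, seg):
        if self.closed or seg.syn:
            return
        if seg.fin or seg.rst:
            self.closed = True
            return
        self.data += seg.payload


class TrackingSniffer:
    """Section III.C target: tracks the next expected sequence number,
    but trusts any SYN it sees and resynchronises to it."""
    def __init__(self, isn):
        self.data, self.closed, self.expected = bytearray(), False, isn

    def feed(self, seg):
        if self.closed:
            return
        if seg.syn:
            self.expected = seg.seq + 1       # resync to the (fake) SYN
            return
        if seg.seq != self.expected:
            return
        if seg.fin or seg.rst:
            self.closed = True
            return
        self.data += seg.payload
        self.expected += len(seg.payload)


class KernelLikeReceiver:
    """Simplified established-state TCP receiver: a segment whose sequence
    number is not inside [rcv_nxt, rcv_nxt + rcv_wnd) is dropped, a SYN on
    an established connection is ignored, and FIN/RST only count at rcv_nxt
    (RFC 5961 style for RST). Out-of-order in-window data would be queued
    by a real stack; it is simply dropped here to keep the model short."""
    def __init__(self, isn, window=65535):
        self.data, self.closed = bytearray(), False
        self.rcv_nxt, self.rcv_wnd = isn, window

    def in_window(self, seq):
        return (seq - self.rcv_nxt) % 2**32 < self.rcv_wnd

    def feed(self, seg):
        if self.closed or seg.syn or not self.in_window(seg.seq):
            return
        if seg.seq != self.rcv_nxt:
            return
        if seg.fin or seg.rst:
            self.closed = True
            return
        self.data += seg.payload
        self.rcv_nxt += len(seg.payload)


ISN = 1000                                                   # constructed initial sequence number
REAL = [Segment(1000, b"GET /"), Segment(1005, b"index")]    # constructed real data segments


def run(segments):
    """Feed the same segments to fresh followers; return (data, closed) per follower."""
    followers = [NaiveSniffer(), TrackingSniffer(ISN), KernelLikeReceiver(ISN)]
    for seg in segments:
        for f in followers:
            f.feed(seg)
    return {type(f).__name__: (bytes(f.data), f.closed) for f in followers}


def insertion_scenario():
    """Section III.B: garbage data and an RST with far-away sequence numbers
    are slipped between the real segments."""
    return run([REAL[0], Segment(90000, b"XXXXX"), Segment(90005, rst=True), REAL[1]])


def desync_scenario():
    """Section III.C: a SYN with a different sequence number appears inside
    the established stream."""
    return run([REAL[0], Segment(50000, syn=True), REAL[1]])


if __name__ == "__main__":
    print("insertion (III.B):", insertion_scenario())
    print("desync (III.C):   ", desync_scenario())
```

In the insertion scenario the naive sniffer records "GET /XXXXX" and then believes the connection was reset, while both the tracking sniffer and the kernel-like receiver keep the correct "GET /index"; this is the paper's remark that an intelligent sniffer defeats method B. In the desynchronization scenario the tracking sniffer latches onto the fake SYN and loses the rest of the stream, whereas the kernel-like receiver ignores the SYN and stays in sync. For a monitoring tool the lesson is the window check: only a follower that mirrors the receiver's acceptance rules sees what the receiver sees.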

IV. CONCLUSION

It can be concluded that network sniffing is a major problem for computer networks. Some survey reports tell us that 95% of data theft, hacking etc. is done by the internal staff of an organization, so sniffing becomes even more dangerous in this case. Sniffer detection and prevention methods can be used against the sniffers present on the network. The performance of all the possible solutions described here also depends upon the support from the kernel; the kernel's response is an important factor in all the cases. All the methods described here may not work with 100% efficiency, because the whole paradigm is changing very frequently and hackers and intruders are discovering new methods for intrusion. In the same way, new methods should be discovered for security.

REFERENCES

[1] http://www.securitysoftwaretech.com/antisniffing, (2004).
[2] H. M. Kortebi AbdelallahElhadj, H. M. Khelalfa, "An experimental sniffer detector: SnifferWall," (2002).
[3] Thawatchai Chomsiri, "Sniffing packets on LAN without ARP spoofing," Third 2008 International Conference on Convergence and Hybrid Information Technology (2008).
[4] Amit Mishra, "Loopholes in Secure Socket Layer and Sniffing," International Journal of Computer Science and Information Security, Vol. 9, No. 5, May 2011, pp. 81-84.
[5] Horizon, Phrack Magazine, Volume 8, Issue 54, 1998.

AUTHOR'S PROFILE

Mr. Amit Mishra is working as an Associate Professor in the Faculty of Engg. & Tech., Jodhpur National University, Jodhpur. His research interests include Information Security, Networks and Protocols, and Data Hacking Analysis.
