Malicious sniffing systems detection platform

Among various types of attacks on an Ethernet network, a "sniffing attack" is probably one of the most difficult attacks to handle. Sniffers are programs that allow a host to capture any packets in an Ethernet network, by putting the host's network interface card (NIC) into the promiscuous mode. When a host's NIC is in the normal mode, it captures only the packets sent to the host. Since many basic services, such as FTP and SMTP, send passwords and data in clear text in the packets, Sniffers can be used by hackers to capture passwords and confidential data. This paper presents the design and implementation of two different techniques which can be used to detect any host running a sniffer on an Ethernet network. The first technique, ARP (address resolution protocol) detection, attempts first to send trap ARP request packets with fake hardware addresses, to a suspicious host. Then, based on the generated responses (ARP reply packets) and the operating system (OS) of the suspicious host, a decision is made on whether or not the suspicious host is running a sniffer. The second technique, RTT detection, uses the measurement of the RTT (round-trip time) of ICMP packets sent to suspicious hosts. Then, using a statistical model (the z-statistics) a probabilistic decision is made. The two techniques are implemented in two tools that automatically give system administrator a helping hand regarding the detection of sniffers on an Ethernet network. Related and future works are discussed.