[TriLUG] Promiscuous mode on open network (nc.rr.com)?

Ryan Leathers ryan.leathers at globalknowledge.com
Wed Jul 2 09:54:54 EDT 2003


I hate to always be the naysayer about this sort of thing, so I was
holding off looking for someone else to comment thusly:

The common wisdom is that the network based (not host based) IDS should
be transparent.  When putting the NIC in promiscuous mode you will also
be taking care to not bind an IP address, and obviously there will be no
listening services.  This sort of network based IDS is transparent which
makes it more powerful / dangerous depending on your perspective.

Consider what could happen if you had an IP address bound to a NIC that
was in promiscuous mode.  The host could be reached, and the NIC would
accept everything on the wire.  This is a rootkit waiting to happen.  I
have in my bag of tricks some binaries for those occasions when I
discover an unauthorized IDS on my network.  One nifty example is a
tcpdump exploit which returns an xterm from the target to my attack
box.  It's accomplished through a buffer overflow of tcpdump.  This
particular exploit is only possible because of the combination of three
factors: tcpdump is running, the NIC is in promiscuous mode, an IP
address is bound to this NIC. Also note that I generally get the xterm
back as root.  (Yes, similar exploits exist for other applications which
use promiscuous mode... and yes the original tcpdump BO exploit was
patched with 3.6.1 but the subsequent BO2 sploit is still zero day to my
knowledge.)  The point is DON'T put interfaces you care about in
promiscuous mode unless they are transparent.


The matter of what will be seen on the wire (what a provider filters,
what gets matched, what you care to see) is a separate concern
altogether, but just as important.  This idea got some earlier responses
so I'll leave it alone.

Ryan

On Tue, 2003-07-01 at 10:56, lfwelty wrote:
> Hi all,
> 
> I'm setting up ntop and snort to watch what's coming at (and
> through) my firewall. There are options to run without enabling
> promiscuous mode on the monitored NIC, but it would be interesting
> to see what's floating by.
> 
> Has anyone done this on their ISP's net?
> Or nc.rr.com in particular?
> 
> Did you have any problems?
> Has anyone's ISP scanned for NICs in promiscuous mode?
> 
> Thanks,
> 
> F.
-- 
Ryan Leathers <ryan.leathers at globalknowledge.com>
Global Knowledge
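The "transparent sensor" rule from the reply above (promiscuous NIC, no IP bound, so nothing on the host can be reached through it) turned into an audit check, added here as an example; it is not code from the original post or thread. It parses iproute2's `ip -o link show`, `ip -o addr show` and `ss -Hlntu` output; the interface name eth1 and the sample output at the bottom are constructed.

```python
import re
import subprocess
from dataclasses import dataclass, field

@dataclass
class SensorAudit:
    promisc: bool
    addrs: list = field(default_factory=list)      # IPs bound to the sensor NIC
    listeners: list = field(default_factory=list)  # sockets answerable via those IPs
    def transparent(self) -> bool:  # sniffs, but cannot be addressed through the NIC
        return self.promisc and not self.addrs

def parse_link(link_out: str) -> bool:
    """`ip -o link show dev IFACE` prints the flags inside <...>; PROMISC is one of them."""
    flags = re.search(r"<([^>]*)>", link_out)
    return bool(flags) and "PROMISC" in flags.group(1).split(",")

def parse_addrs(addr_out: str) -> list:
    """`ip -o addr show dev IFACE`: one 'N: IFACE inet[6] ADDR/LEN ...' line per address.
    fe80:: link-local counts too (host still reachable), so also set net.ipv6.conf.IFACE.disable_ipv6=1."""
    return re.findall(r"^\d+:\s+\S+\s+inet6?\s+(\S+)/\d+", addr_out, re.M)

def parse_listeners(ss_out: str, addrs: list) -> list:
    """`ss -Hlntu` columns: Netid State Recv-Q Send-Q Local:Port Peer:Port. Listeners bound
    to a wildcard or to one of the sensor's own addresses would answer on the sensor."""
    hits = []
    for cols in (line.split() for line in ss_out.splitlines()):
        if len(cols) >= 5:
            ip, _, port = cols[4].rpartition(":")  # "[::]:22" -> "[::]", "22"
            ip = ip.strip("[]")
            if ip in ("0.0.0.0", "*", "::") or ip in addrs:
                hits.append(f"{cols[0]}/{port} on {ip}")
    return hits

def audit(link_out: str, addr_out: str, ss_out: str) -> SensorAudit:
    a = SensorAudit(parse_link(link_out), parse_addrs(addr_out))
    if a.addrs:  # with no address bound, nothing answers, whatever is listening
        a.listeners = parse_listeners(ss_out, a.addrs)
    return a

def audit_live(iface: str) -> SensorAudit:  # same check on the running host (iproute2, no root)
    run = lambda *c: subprocess.run(c, capture_output=True, text=True, check=True).stdout
    return audit(run("ip", "-o", "link", "show", "dev", iface),
                 run("ip", "-o", "addr", "show", "dev", iface), run("ss", "-Hlntu"))
# Constructed sample output (not captured from a real host): the setup the post warns about.
BAD_LINK = "3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP"
BAD_ADDR = ("3: eth1    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1\\    valid_lft forever\n"
            "3: eth1    inet6 fe80::211:22ff:fe33:4455/64 scope link \\    valid_lft forever")
SS_OUT = ("tcp   LISTEN 0   128   0.0.0.0:22    0.0.0.0:*\ntcp   LISTEN 0   128   [::]:22   [::]:*\n"
          "udp   UNCONN 0   0     127.0.0.1:323 0.0.0.0:*")
```

On a current Linux host the fix is `ip addr flush dev eth1`, `ip link set eth1 promisc on` and `sysctl -w net.ipv6.conf.eth1.disable_ipv6=1`, after which `audit_live("eth1").transparent()` should return True.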