How to stop a sniffer - w/out breaking his nose


logicalconfusion

Recommended Posts

It's easy to analyze network traffic using applications like Wireshark and Snort if the person is on the same network (subnet) as you. Cable networks are infamous for allowing attackers to intercept traffic since they use a static IP addressing scheme (unlike DSL, which is dynamic). Cable bandwidth is shared with everyone in the neighborhood so it's relatively easy to pick up packets. What's the best way to stop a sniffer dead in his tracks on a DSL that doesn't offer SSH as a service? Please don't mention TOR.

Link to comment
Share on other sites

It can be very difficult to detect if someone is sniffing your traffic, even if they are not active on the network (generating traffic).

If they are simply standing by and sniffing the traffic passively, it would be almost impossible to tell he is there in the first place.

If he was sniffing the traffic on a local LAN, using methods such as ARP poisoning, it would be possible to stop him using a Layer 3 switch, or ARPwatch or ARP-ON.

But ideally, if you don't want to have someone snooping on your traffic or information, you should encrypt it.

Edited by Infiltrator
Link to comment
Share on other sites

Um, get a router, and sit behind NAT? If you have access to the ISP's local subnet to see all customer traffic, that's a problem with the ISP, not so much networking. Comcast has this issue on business lines but their residential lines don't usually exhibit the same issues. If this truly is a problem with the ISP you are on, invest in a VPN service in your area.

Link to comment
Share on other sites

The DSL modem that I use has a built-in firewall, which is set to the highest setting. So, it's behind a firewall and the public IP changes often. I also have a hosts file set up to block common ads. Now how can I encrypt all the traffic to and from my network when browsing the internet? Wouldn't the ISP have to support encryption? Is it possible to use SSL all the time?

Link to comment
Share on other sites

Can I wind it back a step and ask what you are trying to achieve:

Don't let ISP see any clear text traffic

Protect some traffic

Something else

What's wrong with Tor?

Need more info.

And I agree with digip, if your ISP (cable or DSL) is acting like a hub and sending your traffic to everyone on your subnet then get off them quickly and choose someone who knows what they are doing.

Link to comment
Share on other sites

There's FIOS, cable, and DSL. Cable bandwidth tends to be shared. Unlike DSL, the cable IPs don't change frequently. The only difference is that DSL, FIOS, and 4G type lines are dedicated, so it's a 1:1 connection, which means it's very hard to sniff traffic since the ISP assigns dynamic public addresses - it's NATed. The real question here is how can I encrypt traffic when browsing the web and transferring files directly? I know a VPN would relay encrypted traffic at a price. Is there a safe freeware solution that I can use to block my traffic from the ISP and sniffers? Is it possible to sniff FIOS/DSL connections? I've heard of OpenVPN and TOR. TOR is as slow as dial-up, and really isn't safe considering all the FBI exit nodes that already exist. Almost all ISPs sell customer info to textbook companies for demographic use. It's a known fact.

Link to comment
Share on other sites

Either buy VPN access, which for me, is like $7/month so that's really cheap, or just register a domain that has shell access, and SSH tunnel, which costs about $120/year. Nice thing about the websites though, is storage to share files, that don't rely on exposing my PC to the internet as a file server. Some hosting accounts also have VPN access as well, depending on who you go with, so there are a combination of ways around things. I have both a VPN and hosting with different people though, and can SSH through the VPN as well, so kind of a double layer if I need to, but SSH tunneling over your site can tend to be slower than dedicated VPN access. I can get faster speeds for most things over my VPN than I can without it, due to how close I live to my VPN host, and my ISP caps my upload speeds, but under the VPN they tend to be faster due to how close I am to it. I just like the VPN service for safeguarding my home IP as well, so it's also a security precaution to some extent.

Link to comment
Share on other sites

Next question, what are you doing that you need to hide from the FBI if you are worried about them monitoring Tor exit nodes? If it isn't terrorist or drug related I doubt they care.

Just do as digip says, get yourself a VPN service somewhere and set your machine or router to send all traffic through it.

An alternative is to get the free 12 month test account on Amazon EC2 and install yourself a VPN server on that.

Link to comment
Share on other sites

Nothing! It's just that TOR is slow - snail slow. Not only that, there's like a negative connotation associated with services like TOR. I shouldn't have to route my traffic from Zimbabwe to China back to NY just to check the Superbowl. I'll check out the cloud solution....test account?

Link to comment
Share on other sites

If you use something like FoxyProxy then you can specify which sites go through which proxies, so for checking the scores you would go direct, for doing something you don't want monitoring you take the hit and pass it through Tor or your other proxy.

Link to comment
Share on other sites

First of all, it's true about cable internet. It all passes down the same cable/line. But mostly the ISP gives you the cable modem, which should be locked by them and should block the sniffing by default. If you want to sniff it you would need to hack into the modem first and then alter it to allow all traffic to get to your sniffing box. So the relatively easy part isn't that relatively easy. Also, here they tie the MAC address to the subscriber, so even if you tamper with it, they know who to file the lawsuit against.

Link to comment
Share on other sites

Well, you won't be too happy when you find out that all of your traffic is catalogued by your ISP. No matter what; they know what you are up to. There are techniques used by these massive companies to collect "marketing" data. They may not save your name to the file; but they sure as hell have tools to know what is "trending"... this means more money for them from their advertisers.

Secondly, the two that are giving you the advice are very knowledgeable about these things. I would just follow suit with their suggestions (they haven't steered me wrong yet :D ). TOR is ass slow; VPN is a bit quicker; but all in all, there is really no option to "protect" you from illegal activities.

If someone wants it bad enough; they will succeed.

ERP: What about an IDE... at least that would log any "sniffing" activities, right?

Edited by Pwnd2Pwnr
Link to comment
Share on other sites

This is all very confusing, as I don't personally snort. I know ISPs collect data to sell to "marketing agencies," it's all a part of the fine print. I don't want them to know when I log in to Facebook or who I chat with on the internet. It's none of their business. They can actually read this particular post. We're all shielded by the First Amendment so they can't interfere, but they can monitor. They have more rights since I'm using their servers and it's cyberspace. I'm not naive enough to think that the feds and state law enforcement agencies can't monitor traffic either. Anonymity on the internet really doesn't exist, even with a proxy and advanced routing techniques. I've heard of a group that got busted a couple of years ago for ripping off Ticketmaster. They set up a large botnet with sophisticated algorithms that can actually decipher captchas! The fools got busted scalping. Anyway, the website and cloud techniques seem pretty interesting. I'll have to check my domain service to see if they offer VPN and shell accounts...TOR is just a headache. It won't speed up until millions of people use it.

Link to comment
Share on other sites

Okay, from what I've gleaned so far during my coffee breaks: there's ARPwatch/ARP-ON, VPN SSH tunneling, proxies like hidemyass that implement SSL and FoxyProxy, and Layer 3 switches? Hm. Now the hard part is figuring out how to implement the most efficient techniques....got my research cut out for me.

Link to comment
Share on other sites

Thing to understand about ARP attacks: they happen at Layer 2 and 3, and require access to your local LAN. You can't ARP poison and MITM a home PC from the internet using ARP (although you may be able to write something to do it at an IPv6 level, since you're somewhat statically linked to your IPv6 address and hardware ID).

If you are behind NAT like a router -> modem -> ISP, you can't be ARP MITM'ed on your LAN, unless they are ON your LAN, which if they are, then you have bigger issues at hand.

You CAN however MITM Layer 3 with other tools that happen OUTSIDE the LAN, with things like SSLstrip and some other stuff, so long as you control the router or routing path/DNS the user uses, and you can force them to route through you to the internet at large, per se. This requires them to be able to force all your external traffic to run through one of their machines though, and that means DNS poisoning and control of your routing/route setup, which most likely would require a local side exploit first to set this up, plus control of your router/firewall/gateway box to set that up.

As far as I know though, even tools like this: http://mitmproxy.org/ still require local LAN access for this type of MITM attack.

Link to comment
Share on other sites
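Infiltrator's suggestion above (ARPwatch / ARP-ON) and digip's point that ARP poisoning is a Layer 2 attack needing a foothold on your own LAN both come down to the same check: keep a table of which MAC each IP has answered from, and alarm when a known IP (typically the gateway) suddenly answers from a new MAC, or when replies arrive that nobody asked for. The following is an added example of that check in Python, not code from the thread or from the arpwatch project; the frames and addresses are constructed inline, and a real deployment would feed it frames from a raw socket or libpcap instead.

```python
"""arpwatch-style IP-to-MAC binding monitor (added example, constructed input)."""
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str, eth_dst: str = None) -> bytes:
    """Build an Ethernet+ARP frame from text addresses; only used to construct test traffic."""
    sha_b, tha_b = (bytes.fromhex(m.replace(":", "")) for m in (sha, tha))
    spa_b, tpa_b = (bytes(int(o) for o in a.split(".")) for a in (spa, tpa))
    dst_b = bytes.fromhex((eth_dst or tha).replace(":", ""))
    return ETH_HDR.pack(dst_b, sha_b, ETHERTYPE_ARP) + ARP_HDR.pack(
        1, 0x0800, 6, 4, op, sha_b, spa_b, tha_b, tpa_b)


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": fmt_mac(sha), "spa": fmt_ip(spa), "tha": fmt_mac(tha), "tpa": fmt_ip(tpa)}


class ArpWatch:
    """Track IP->MAC bindings learned from ARP and flag the symptoms of cache poisoning."""

    def __init__(self):
        self.bindings = {}    # ip -> mac the address was first seen with
        self.pending = set()  # ips that some host on the wire asked about
        self.alerts = []

    def feed(self, frame: bytes) -> None:
        a = parse_arp(frame)
        if a is None:
            return
        if a["op"] == ARP_REQUEST:
            self.pending.add(a["tpa"])
            self._learn(a["spa"], a["sha"])   # a request also announces the sender's own binding
        elif a["op"] == ARP_REPLY:
            # Poisoning tools push replies nobody asked for. Legitimate gratuitous ARP
            # (boot, VRRP failover) triggers this too, so treat it as a signal, not proof.
            if a["spa"] in self.pending:
                self.pending.discard(a["spa"])
            else:
                self.alerts.append(("unsolicited reply", a["spa"], a["sha"]))
            self._learn(a["spa"], a["sha"])

    def _learn(self, ip: str, mac: str) -> None:
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
        elif known != mac:
            # The classic sign of a MITM on the LAN: the gateway IP moved to a new MAC.
            self.alerts.append(("changed", ip, known, mac))


def demo():
    """Constructed traffic: one normal lookup, then an attacker claiming the gateway IP."""
    gw, gw_mac = "192.168.1.1", "00:11:22:33:44:01"
    victim, victim_mac = "192.168.1.10", "00:11:22:33:44:0a"
    attacker_mac = "de:ad:be:ef:00:01"
    w = ArpWatch()
    w.feed(build_arp(ARP_REQUEST, victim_mac, victim, "00:00:00:00:00:00", gw,
                     eth_dst="ff:ff:ff:ff:ff:ff"))          # victim: who has 192.168.1.1?
    w.feed(build_arp(ARP_REPLY, gw_mac, gw, victim_mac, victim))        # real gateway answers
    w.feed(build_arp(ARP_REPLY, attacker_mac, gw, victim_mac, victim))  # poison: gw is at attacker
    return w.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The "changed" alert is the one worth paging on when it concerns your default gateway; the "unsolicited reply" alert on its own is noisy on LANs with devices that send gratuitous ARP, which is why arpwatch reports both separately.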

digip, kinda like what happened in Brazil. The ISP kept the stock passwords on their modems (which had remote login) and the hackers just ran a script that covered the whole IP range of those ISPs and changed the modem DNS config to their DNS server. Then they just pointed to whatever they wanted: infected ads, fake bank websites, ...

I think they found around 4.5 million infected modems! With such an easy hack... I think the script was 20 lines of code, maybe less...

Link to comment
Share on other sites

If it's an all-in-one modem/router/wifi AP, then yes, most likely that can happen (and does), but with normal routers and modems, stand-alone modems that aren't also routers and access points, under normal circumstances, can't be accessed by the consumer, other than to see the diagnostic page at 192.168.100.1, and the only people that should be able to access the modem itself is the ISP, which requires a CMTS. If however it's a dual device that is also a router and has remote admin capabilities, then you're foobared if, say, you can't access or disable the remote management interface or the ISP locks you out of it. This is why I buy my own modems and routers. You can JTAG a modem and put your own firmware on them to lock out even the ISP from making changes, and also put on other configs, but it's also illegal in the US and you can go to jail if you get caught. I have a Linksys sitting in a box that I've been meaning to unbrick because of Comcast applying failed firmware updates to it and older firmware revisions than what it shipped with, but I haven't had the time to crack it open and solder on the JTAG cable nor mess with any of the software to reprogram it. I used to do a lot of reading up on the sbhacker forums, and initially was going to do it to my Surfboard when I bought it, but figured since it was new, I would just try fixing the older Linksys. The Surfboard is DOCSIS 3, so I get the bonded channels and faster speeds anyway, so no need to really mess with it, but the Linksys is DOCSIS 2.0, but was faster new, out of the box, than speeds I get now due to applied configs by the ISP and firmware changes that throttle my connection.

Link to comment
Share on other sites

You might be able to un-cap, JTAG, etc. The bottom line here is that it's their network and equipment. Although they don't have access to your PC/equipment, they have every right to monitor and upload firmware to their devices, which gives them a certain level of control. You're right, most cable modems are stand-alone and usually not NAT'ed. DSL/FIOS/4G modems are modifiable (firewall, wifi, port forwarding, etc.), compared to cable DOCSIS modems. Regardless of the modem, all consumer packets/info go through the ISP's network and are usually unencrypted unless a third-party application such as HTTPS Everywhere or hidemyass encrypts it. I wouldn't want them to collect and sell info....they don't pay me enough to participate B). Now the hard part is figuring out an SSL/VPN/SSH solution that's portable (nix, Windows, OS X, and droid). hmm....

Edited by logicalconfusion
Link to comment
Share on other sites

OpenVPN client and a config file for your VPN service and you're good to go if you choose a VPN that uses OpenVPN. Throw the client and config on a thumbdrive and away you go. Not sure on portable Linux versions but you can just apt-get install OpenVPN on most every Linux distro these days or find compatible packages for your distro.

http://sourceforge.net/projects/ovpnp/

Just make sure when on Windows, you run this by right clicking and "Run as Administrator" since it needs access to install a network driver, or it won't be able to do DHCP and ARP cache clearing and DNS setup for the VPN.

Link to comment
Share on other sites
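The advice above to run the OpenVPN client with the config file your VPN service hands you, and the earlier advice to send all traffic through the VPN, both hinge on what that config actually says: a client config can connect and "work" while still accepting an impersonated server, negotiating a 64-bit block cipher, compressing data before encrypting it, or leaving DNS and non-VPN routes to the ISP. The following added example, not from the thread or from the OpenVPN project, lints a client config for those directives, with a deliberately weak config beside a hardened one. The directive names are real OpenVPN options; vpn.example.net and the key file names are placeholders.

```python
"""Lint an OpenVPN client config for settings that undermine "all traffic through the VPN".
Added example with constructed configs; hostnames and file names are placeholders."""

WEAK_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194
ca ca.crt
cert client.crt
key client.key
cipher BF-CBC
auth SHA1
comp-lzo
verb 3
"""

HARDENED_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-crypt ta.key
remote-cert-tls server
verify-x509-name vpn.example.net name
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
redirect-gateway def1
block-outside-dns
verb 3
"""

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}  # 64-bit block or broken


def parse_config(text: str) -> dict:
    """Map directive -> args (last occurrence wins). Inline <ca>...</ca> blocks become a marker."""
    cfg, block = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # '#' and ';' start comments
        if not line:
            continue
        if block:
            if line == f"</{block}>":
                block = None
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            cfg[block] = ["<inline>"]
            continue
        name, *args = line.split()
        cfg[name] = args
    return cfg


def lint(text: str) -> list:
    """Return (code, explanation) findings; an empty list means none of the checks fired."""
    cfg = parse_config(text)
    f = []
    if cfg.get("remote-cert-tls", [None])[:1] != ["server"]:
        f.append(("no-remote-cert-tls", "any holder of a client cert from the same CA can pose as the server"))
    if "verify-x509-name" not in cfg:
        f.append(("no-verify-x509-name", "server identity is checked only to the CA, not to a name"))
    if not any(d in cfg for d in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        f.append(("no-tls-crypt", "control channel is not HMAC-wrapped; unauthorized peers are not dropped early"))
    if "tls-version-min" not in cfg:
        f.append(("no-tls-version-min", "TLS 1.0/1.1 may be negotiated; set tls-version-min 1.2"))
    cipher = (cfg.get("cipher") or [""])[0].upper()
    if cipher in WEAK_CIPHERS or ("cipher" not in cfg and "data-ciphers" not in cfg):
        f.append(("weak-cipher", "64-bit block cipher (Sweet32) or the legacy BF-CBC default; use AES-GCM"))
    if (cfg.get("auth") or ["SHA1"])[0].upper() in {"MD5", "SHA1", "NONE"}:
        f.append(("weak-auth", "legacy HMAC (SHA1 is the default when auth is omitted); use SHA256"))
    if cfg.get("comp-lzo", ["no"])[:1] != ["no"] or cfg.get("compress", [])[:1] not in ([], ["stub"], ["stub-v2"]):
        f.append(("compression", "compressing plaintext before encryption leaks content (VORACLE); remove it"))
    if "redirect-gateway" not in cfg:
        f.append(("no-redirect-gateway", "only the VPN subnet is routed unless the server pushes redirect-gateway"))
    if "block-outside-dns" not in cfg:
        f.append(("no-block-outside-dns", "on Windows, DNS can still go to the ISP resolver while the tunnel is up"))
    return f


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, [code for code, _ in lint(text)])
```

Run it against the .ovpn your provider ships before trusting the tunnel; "it connects" says nothing about remote-cert-tls, compression, or where DNS goes.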

I don't know of any FREE VPN services that I would use, to be honest, let alone ones that offer free access. Free anything on the internet usually has strings attached.

Link to comment
Share on other sites

HTTPS isn't everything these days. With so many certificate authorities being compromised as well, it's 1, very easy to be on bad certificates and not know for weeks to months (happens on Google a lot lately it seems, in different parts of the world), and 2, SSLstrip and MITM proxies can 1, remove SSL, or 2, completely store and forward data, so the end user doesn't even know that SSL has stopped working in most cases, except when they try serving fake certificates and the browser warns them; 99% of all users click OK and continue with their surfing.

With respect to computers, the thing is, nothing is 100% guaranteed. If you are looking for 100% security, you're in the wrong field. It's a term that does not have the same meaning with respect to computers as what it is defined as in the dictionary. The most you can ever hope for is to make it as difficult as possible for your attacker so they either give up and just move on to lower-hanging fruit, or to keep them at bay as long as possible.

Link to comment
Share on other sites
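The SSL-stripping downgrade digip describes is what HSTS (Strict-Transport-Security) exists to blunt: once a browser has seen the header over a genuine HTTPS connection, it refuses to fetch that host over plain HTTP for the policy's lifetime, so the rewritten link never turns into a plaintext request the proxy can read. The following added example, not code from the thread, shows both halves in Python: the rewrite an SSL-stripping proxy applies to relayed content, and a small HSTS-aware client that still upgrades the stripped link. The page, headers and hostnames are constructed for the demonstration.

```python
"""SSL-strip downgrade versus an HSTS-aware client (added example, constructed input)."""
import re
from urllib.parse import urlsplit, urlunsplit


def strip_https(text: str) -> str:
    """What an SSL-stripping proxy does to the HTML (and Location headers) it relays."""
    return re.sub(r"https://", "http://", text, flags=re.IGNORECASE)


def parse_hsts(value: str):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains), or None if invalid."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsClient:
    """Minimal HSTS store: remembers hosts that must only be reached over HTTPS."""

    def __init__(self, now: int = 0):
        self.now = now          # clock in seconds, injected so expiry can be tested
        self.policies = {}      # host -> (expires_at, include_subdomains)

    def observe(self, url: str, headers: dict) -> None:
        """Learn a policy from a response. Only an HTTPS response may set one (RFC 6797 s8.1):
        a stripped, plain-HTTP copy of the page can neither plant nor clear a policy."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return
        value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
        if value is None or (parsed := parse_hsts(value)) is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.policies.pop(parts.hostname, None)   # the site is withdrawing its policy
        else:
            self.policies[parts.hostname] = (self.now + max_age, include_sub)

    def _must_use_https(self, host: str) -> bool:
        policy = self.policies.get(host)
        if policy and policy[0] > self.now:
            return True
        labels = host.split(".")
        for i in range(1, len(labels) - 1):               # parents with includeSubDomains
            policy = self.policies.get(".".join(labels[i:]))
            if policy and policy[0] > self.now and policy[1]:
                return True
        return False

    def navigate(self, url: str) -> str:
        """Return the URL actually fetched: http:// is upgraded for known hosts, so the
        stripped link never produces a plaintext request the proxy could read."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._must_use_https(parts.hostname):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


def demo():
    """A previously visited bank stays on HTTPS; a never-seen shop is still downgraded."""
    client = HstsClient(now=1000)
    client.observe("https://bank.example/",
                   {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    page = '<a href="https://bank.example/login">Log in</a> <a href="https://shop.example/">Shop</a>'
    links = re.findall(r'href="([^"]+)"', strip_https(page))   # what the proxy delivered
    return [client.navigate(link) for link in links]


if __name__ == "__main__":
    print(demo())   # ['https://bank.example/login', 'http://shop.example/']
```

The shop.example result is the gap that remains: HSTS protects only hosts the client has already seen over HTTPS, which is why browsers ship a preload list and why a VPN or SSH tunnel out of the hostile network is still the answer to the first visit.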
