Thursday, October 25, 2007

Packet Sniffing

A network sniffer, or packet sniffer, is an application that captures all traffic traveling past a network interface attached to some network. Packet sniffing is useful for network troubleshooting and software development; however, it can also be used to eavesdrop on unencrypted traffic (unencrypted email, Web packets, IM, and more).

When people communicate via IM, they do not realize their communication is probably hopping around numerous times through various networks and routers. On any network segment along this path, someone can use a packet-sniffing tool to intercept such communications. However, scanning through a large number of packets to extract something useful is very difficult. Thus, attackers also employ communication filters, software to detect and identify specific types of communication currently underway.

When attackers get access to some wire, they attach a network device to that network segment. Next, they install a communication filter to capture packets that contain specific strings or patterns, such as the "password" keyword. If a pattern in the filter matches traffic from the wire, that packet is recorded for subsequent analysis.

Flat, unswitched local area networks are particularly vulnerable to sniffing attacks because every packet traveling between two hosts is broadcast to all nodes on the network segments to which each host belongs. Thus, a sniffing device or program could be connected to any port or installed on any machine on the same segment. A few years ago, switching technology became sufficiently inexpensive to be widely accepted as a standard LAN building block. In many installations, switches replaced broadcast hubs and were used to micro-segment LANs into numerous virtual segments. Switches also establish point-to-point channels between pairs of hosts as they initiate conversations. This alleviates the problem of sniffing but does not eliminate it completely (especially if attackers can access the switch itself).

In the real world it is at least difficult, if not impossible, to gain access to ISP facilities and install sniffers there. Therefore, the biggest source of sniffing threats stems from LANs and public facilities. Cable modem technology is particularly prone to sniffing-based attacks, because all users on a cable segment can see (and therefore sniff) all traffic on that segment. Companies or organizations that support remote access for cable modem-based users should definitely use more secure implementations, preferably those based on IPSec.

Because so much of the information exchanged by popular messaging software is now XML carried over HTTP, the exposure of that traffic to sniffing is actually on the rise. The latest trend is to convert everything to XML formats. Unfortunately, this also means that using HTTP without SSL or TLS is tantamount to sending information in clear text from the hacker's perspective. This explains why sniffer attacks are both insidious and potentially very dangerous: they can decode and reveal lots of sensitive information.
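The two ideas above, a pattern filter that picks out packets containing credential-like strings and the observation that XML over plain HTTP is as readable as any other cleartext, can be turned around for defence. The following is an added example, not code from the original post: an audit script that takes captured TCP payloads (constructed sample packets are embedded inline; the hosts, ports and payloads are all made up), treats traffic to TLS/SSH ports as opaque, and flags cleartext flows that carry credential-like fields in HTTP forms, Basic-auth headers, FTP/POP/IMAP logins, or XML `<password>` elements. It reports matches redacted, so the output is an inventory of services that still need TLS or IPsec rather than a list of secrets.

```python
"""Cleartext-exposure audit over captured packets (added example, not from the post)."""
import re
from dataclasses import dataclass

# Destination ports whose payload is encrypted in transit; a sniffer on the
# wire sees only ciphertext, so these flows are not inspected further.
ENCRYPTED_PORTS = {22, 443, 465, 993, 995, 5223}

# Credential-like patterns in common cleartext protocols. Group 1 captures the
# secret so it can be redacted in the report.
CREDENTIAL_PATTERNS = [
    re.compile(rb"(?i)authorization:\s*basic\s+(\S+)"),                 # HTTP Basic auth
    re.compile(rb"(?i)(?:^|[&?\s])(?:pass(?:word|wd)?|pwd)=([^&\s]+)"),  # form / query field
    re.compile(rb"(?im)^PASS\s+(\S+)"),                                  # FTP / POP3
    re.compile(rb"(?im)^(?:\S+\s+)?LOGIN\s+\S+\s+(\S+)"),                # IMAP "tag LOGIN user pass"
    re.compile(rb"(?i)<password>([^<]*)</password>"),                    # XML-over-HTTP messaging
]


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    kind: str      # "encrypted", "cleartext" or "cleartext-credential"
    redacted: str  # first matched secret, redacted (empty if none)


def redact(secret: bytes) -> str:
    """Keep two characters so the operator can recognise the field, mask the rest."""
    return secret[:2].decode("ascii", "replace") + "*" * max(len(secret) - 2, 0)


def classify(pkt: Packet) -> Finding:
    """Decide what a sniffer on this segment could learn from one packet."""
    if pkt.dport in ENCRYPTED_PORTS:
        return Finding(pkt.src, pkt.dst, pkt.dport, "encrypted", "")
    for pattern in CREDENTIAL_PATTERNS:
        match = pattern.search(pkt.payload)
        if match:
            return Finding(pkt.src, pkt.dst, pkt.dport, "cleartext-credential",
                           redact(match.group(1)))
    return Finding(pkt.src, pkt.dst, pkt.dport, "cleartext", "")


def audit(packets):
    """Return (counts by kind, sorted list of (host, port) services needing encryption)."""
    counts = {"encrypted": 0, "cleartext": 0, "cleartext-credential": 0}
    needs_fixing = set()
    for finding in (classify(p) for p in packets):
        counts[finding.kind] += 1
        if finding.kind == "cleartext-credential":
            needs_fixing.add((finding.dst, finding.dport))
    return counts, sorted(needs_fixing)


# Constructed sample capture: hosts, ports and payloads are invented for this example.
SAMPLE_PACKETS = [
    Packet("10.0.0.2", "10.0.0.5", 80,
           b"POST /login HTTP/1.1\r\nHost: intranet.test\r\n\r\nuser=alice&password=s3cret"),
    Packet("10.0.0.2", "10.0.0.7", 443,
           b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS ClientHello bytes
    Packet("10.0.0.3", "10.0.0.5", 8080,
           b"POST /im HTTP/1.1\r\n\r\n<message><user>bob</user><password>hunter2</password></message>"),
    Packet("10.0.0.4", "10.0.0.9", 143, b"a001 LOGIN carol letmein\r\n"),
    Packet("10.0.0.2", "10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet.test\r\n\r\n"),
]


def main():
    counts, services = audit(SAMPLE_PACKETS)
    print("packets by exposure:", counts)
    for host, port in services:
        print(f"cleartext credentials seen going to {host}:{port}; move this service to TLS/IPsec")
    for pkt in SAMPLE_PACKETS:
        f = classify(pkt)
        if f.kind == "cleartext-credential":
            print(f"  {f.src} -> {f.dst}:{f.dport} secret={f.redacted}")


if __name__ == "__main__":
    main()
```

Run it as-is against the embedded capture, or replace `SAMPLE_PACKETS` with payloads decoded from your own pcap; the port set and the patterns are deliberately small and should be extended to whatever cleartext protocols are actually in use on the segment being audited.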

To prevent information leaks, you can't rely on communication programs that use no encryption mechanisms; you must use IPSec or VPN solutions to secure communications both on the local network and for all remote access. If IM services are deployed for business purposes, use applications similar to Microsoft Exchange Server 2000, which enables you to operate your own IM server that might or might not interact with the rest of the world. As a matter of security policy and user education, users should also be coached on which types of communication and file transfer are appropriate using IM outside organizational boundaries—if indeed such use is permitted at all.
