How can an ISP sniff your network?

  1. #1
    Senior Member
    Join Date
    Jul 2002
    Posts
    167

    How can an ISP sniff your network?

    I have a question and I hope someone in the antionline community can help me out.

    When reading the latest issue of 2600, I noticed the author of the "uncapping your cable modem" article was able to see his ISP sniff his network. I have no doubt that they can monitor all traffic coming in and out of your cable modem. My question is how can you see them sniffing your traffic? I have a sniffer that monitors traffic at my router and all I see is port 53 (DNS) connections to port 1900 on my router. I'm assuming they do this to see if your cable modem is up and accepting connections. If not, they take your IP and give it to someone else. Anyone have any ideas on how they do this?

  2. #2
    Gray Haired Old Fart aeallison's Avatar
    Join Date
    Jul 2002
    Location
    Buffalo, Missouri USA
    Posts
    888

    Most of that is usually built into the administration software package that runs their service. Our equipment uses RADIUS NT and SQL Server to handle our dial up customers, our software package is also geared to use Crystal Reports, and any number of external applications like sniffers, loggers, IDS, etc. The list goes on forever. I won't go into my network structure for obvious reasons, but let me assure you that if you are accessing the internet through my equipment, I will have the ability to track your movements anywhere you go. I have never done that before, but I know I can. I hope this helps a little bit anyway, I am sure others here will tell you more precise answers but I thought you might like an ISP's opinion too.
    I have a question; are you the bug, or the windshield?

  3. #3
    Senior Member
    Join Date
    Oct 2002
    Posts
    221
    Concerning how you can tell if they are sniffing your network: you can go to command and type in netstat alone. I did this when I was on my cable modem and it showed me that Comcast, who provides my cable modem with service, was everywhere in my network. I called them and they said that they do that just to make sure that everything is working properly on your network. So don't be afraid, most of the time they are in there just to see if your network is working properly. That is what I can tell you from my experience. I hope this makes you feel better or feel like you have more privacy. Hope I helped.

    regards

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    I think that it would be very hard to detect someone sniffing traffic on a network, as some packet sniffers can run in promiscuous mode, just like IDS's. But I have heard of a product called antisniff that supposedly can detect if someone is sniffing your network.

    Please note that I have never used it, so I cannot tell you much about the product, but anyway, here is a link:

    http://packetstormsecurity.nl/sniffers/antisniff/

    If you do happen to get it working, it would be appreciated if you got back to me and let me know how it worked.
    SoggyBottom.

    There were so many fewer questions when the stars were still just the holes to heaven - JJ
    I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.

  5. #5
    Senior Member
    Join Date
    Aug 2002
    Posts
    508
    How about "dsniff"... maybe (possibility) they use dsniff to sniff the network because this tool is powerful... dsniff is a sniffer with the ability to handle FTP, Telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP MS-CHAP, NFS, VRRP, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase and Microsoft SQL authentication info... you can see how powerful they are

    cheerss

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Netstat will not help you detect sniffers.

    Sniffers are generally completely undetectable. There was another thread about making them undetectable - it is generally very hard to detect them anyway.

    If you control the upstream traffic (i.e. you are the ISP), it's possible to detect sniffers under some circumstances, but you won't be able to detect your ISP sniffing you.

    An ISP is ideally placed to monitor IP traffic in any way it sees fit. It doesn't need ethernet "sniffers" in promiscuous mode to do this because all the traffic goes through its routers anyway - it can just instruct the routers to send copies of packets to a given destination.

    Anyone who says they can see their ISP sniff the network is lying. ISPs can do this easily and without any possibility of detection.

  7. #7
    Junior Member
    Join Date
    Aug 2002
    Posts
    1
    Originally posted here by SoggyBottom
    I think that it would be very hard to detect someone sniffing traffic on a network, as some packet sniffers can run in promiscuous mode, just like IDS's. But I have heard of a product called antisniff that supposedly can detect if someone is sniffing your network.

    Please note that I have never used it, so I cannot tell you much about the product, but anyway, here is a link:

    http://packetstormsecurity.nl/sniffers/antisniff/

    If you do happen to get it working, it would be appreciated if you got back to me and let me know how it worked.
    I use AntiSniff on a regular basis and it is rather simple to operate. The majority of the NIDS and some of the HIDS will pick up this activity, though it will look more like a PingFlood to some, to others it will appear as Covert Packet Tunneling Alerts. If you think that your ISP is sniffing your home network, try getting (if you don't have one already) an IDS of some sort. Snort is one that comes to mind as being a free one (haven't used it yet) and for most IDS' it is just a simple mod to the policy. Hope this helps.
    Diplomacy is the art of saying 'Nice doggie'...until you can find a rock

  8. #8
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    I am wanting to say that AntiSniff can only work for computers off of the same network, maybe even so far as the same switch (I am wanting to say that it works by doing some stuff at the MAC level trying to determine if a card discarded a frame/packet or accepted it (if it accepts it and wasn't destined for the card, you have a card in promiscuous mode)). If the ISP is a few hops away, AntiSniff may not notice anything at all...

    And as far as Snort or any other NIDS goes, think again, sniffing is passive, unless you had direct access to the switch that a NIDS is plugged into, you will never know it is there. The use of stealth setups (no IP, no ARP on the interface, it is just up and listens to traffic mirrored to it, and it is monitored by another NIC on some other network), will make it very difficult to detect, if not impossible, especially if you aren't on that same network.

    Or at least, that is my understanding.

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
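
The MAC-level check described in post #8, and why it stops at the local segment, as an added example that is not part of any post in this thread: a toy Python model in which a fake-broadcast ARP request is dropped by a normal NIC's hardware filter but answered by a host whose card is in promiscuous mode. The host names, addresses, the probe address and the simplified kernel filter rule are constructed assumptions, not AntiSniff's actual implementation.

```python
# Added illustration: toy model of a MAC-level promiscuous-mode test.
# Hosts, addresses and the kernel filter rule are constructed assumptions.
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
PROBE_DST = "ff:ff:ff:ff:ff:fe"  # resembles broadcast, but no NIC owns it


@dataclass
class Host:
    name: str
    mac: str
    ip: Optional[str]         # None = stealth interface with no IP/ARP
    promiscuous: bool = False
    on_segment: bool = True   # False = upstream box fed by a router mirror

    def nic_accepts(self, dst_mac: str) -> bool:
        """Hardware filter: own unicast or true broadcast, unless promiscuous."""
        return self.promiscuous or dst_mac in (self.mac, BROADCAST)

    def kernel_accepts(self, dst_mac: str) -> bool:
        """Assumed software filter: only tests the group bit of the first octet."""
        return dst_mac == self.mac or int(dst_mac[:2], 16) & 1 == 1

    def answers_arp(self, dst_mac: str, target_ip: str) -> bool:
        if not self.on_segment or self.ip is None:
            return False      # frame never arrives, or nothing to answer with
        return (self.nic_accepts(dst_mac) and self.kernel_accepts(dst_mac)
                and target_ip == self.ip)


def probe_segment(hosts):
    """Send one fake-broadcast ARP request per known IP; return who replies."""
    return [h.name for h in hosts
            if h.ip is not None and h.answers_arp(PROBE_DST, h.ip)]


HOSTS = [
    Host("workstation", "00:11:22:33:44:01", "192.0.2.10"),
    Host("lan-sniffer", "00:11:22:33:44:02", "192.0.2.11", promiscuous=True),
    Host("stealth-ids", "00:11:22:33:44:03", None, promiscuous=True),
    Host("isp-mirror", "00:11:22:33:44:04", "198.51.100.5",
         promiscuous=True, on_segment=False),
]

if __name__ == "__main__":
    print("replied to fake-broadcast ARP:", probe_segment(HOSTS))
```

Only the promiscuous host with a normal IP stack on the same segment replies; the stealth interface and the upstream mirror stay silent, which matches the limits described in posts #6 and #8.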

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Try this:-

    http://www.robertgraham.com/pubs/sniffing-faq.html

    It should give you a few ideas.

    OTOH - what's the point - of course they are monitoring....

    They have already been embarrassed by reports that they were maintaining data on our virtual travels and have promised that they have stopped that practice. The simple fact is though - as someone who monitors and sniffs a 650 user network 24 hours a day - it's their network and they can do with it as they please. If you don't want others knowing what you do on the internet go to the library and sign in with a false name and address..... Unless you have your own connection directly into the internet backbone and manage that connection yourself you will always be monitorable by the entities in between.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  10. #10
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    slarty and tigershark post good replies on this. The simple solution is to use a false id or borrow someone's "common login", which is like a public id of sorts. Failing to trust your ISP with your traffic can be a concern but what is your option otherwise?
    Switch to another if you believe they are not acting in good faith.
    Trappedagainbyperfectlogic.
