1

I am learning some concepts of network security and I have the following question:

One case of eavesdropping attack is that an adversary somehow places himself inside a network in order to capture the communication traffic between two hosts. In that case, how could the adversary place himself inside this network without being observed by Intruder Detection Systems or any kind of detection systems?

schroeder
Michael
  • network cards in listen mode do not send packets, so can't be detected - also, existing machines are allowed, and can simply listen to traffic – schroeder Dec 09 '15 at 19:31
  • 1
    Your question is very broad. The short answer is that IDS isn't 100% and is never going to be 100%. Security isn't just a product that you can buy, like an IDS. IDS might help to some degree, but its utility is limited. – Steve Sether Dec 09 '15 at 20:47

2 Answers

0

The possibilities of how this can happen are manifold. An attacker will need control of a single computer within or just outside the network. Depending on the network, it might be possible to sniff significant parts of the traffic. It is difficult to detect passive network sniffers. An IDS might detect attempts to exfiltrate the sniffed data, but the details of what's detected or not are highly specific to the IDS that's used.

Furthermore, if the attacker manages to place themselves in a privileged position just outside of the systems protected by the IDS, it will basically be undetectable.

To give you a better grasp of how this might work, here is a not-so-contrived example of passive eavesdropping: Imagine a data center where anybody can rent a place for their server. Now assume that the network hasn't been set up properly, leading to traffic being randomly sent to the wrong machines (yes, that happens). Those packets could be sniffed by other servers in the data center; no IDS would detect this kind of eavesdropping as it is done outside of the responsibility of the IDS. The attacker would not be able to see all traffic to and from their target, but sensitive data could be sniffed regardless.

tarleb
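The data-center scenario in this answer (a badly set up segment delivering other tenants' unicast frames to your NIC) is something the receiving host can check for itself, even though no IDS on the victim's side ever sees it. The following is an added example, not code from the answer or from any product: it classifies the destination MAC of each Ethernet frame as our own, broadcast, multicast, or unicast for some other station, and flags the segment as leaking when foreign unicast frames exceed a threshold. A healthy switched port should see almost none of those. The host MAC, the threshold and the sample frames are constructed for the example; real input would come from a pcap.

```python
"""Audit a set of Ethernet frames for unicast traffic not addressed to this host.

Added example (not from the original answer). A host on a healthy switched segment
receives unicast frames only for its own MAC, plus broadcast and multicast. A steady
stream of unicast frames for other MACs means the segment is leaking traffic
(unknown-unicast flooding, a misconfigured switch, a hub or a mirror port), which is
the passive-eavesdropping exposure the answer describes.
"""
from collections import Counter

OWN_MAC = bytes.fromhex("02aabbccdd01")   # assumed MAC of the auditing host (constructed)
BROADCAST = b"\xff" * 6


def classify_destination(frame: bytes, own_mac: bytes = OWN_MAC) -> str:
    """Return 'own', 'broadcast', 'multicast' or 'foreign_unicast' for one raw frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[:6]
    if dst == own_mac:
        return "own"
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:            # I/G bit set: group (multicast) address
        return "multicast"
    return "foreign_unicast"     # unicast for some other station: should not be here


def audit(frames, own_mac: bytes = OWN_MAC, threshold: float = 0.10) -> dict:
    """Count frame classes and report leakage when the foreign-unicast share exceeds threshold."""
    counts = Counter(classify_destination(f, own_mac) for f in frames)
    total = sum(counts.values())
    foreign_ratio = counts["foreign_unicast"] / total if total else 0.0
    return {
        "counts": dict(counts),
        "foreign_ratio": foreign_ratio,
        "leaking": foreign_ratio > threshold,
    }


def make_frame(dst_hex: str, src_hex: str, ethertype: int = 0x0800, payload: bytes = b"\x00" * 46) -> bytes:
    """Build a minimal Ethernet II frame (dst, src, ethertype, payload) for the sample data."""
    return bytes.fromhex(dst_hex) + bytes.fromhex(src_hex) + ethertype.to_bytes(2, "big") + payload


# Constructed sample capture: three legitimate frames and two frames for other tenants.
SAMPLE_FRAMES = [
    make_frame("02aabbccdd01", "02aabbccdd02"),          # addressed to us
    make_frame("ffffffffffff", "02aabbccdd02", 0x0806),  # ARP broadcast, normal on any segment
    make_frame("01005e000001", "02aabbccdd03"),          # IPv4 multicast (all-hosts group)
    make_frame("02aabbccdd07", "02aabbccdd08"),          # tenant A -> tenant B, leaked to us
    make_frame("02aabbccdd09", "02aabbccdd07"),          # tenant B -> tenant C, leaked to us
]

if __name__ == "__main__":
    report = audit(SAMPLE_FRAMES)
    print(report)   # foreign_ratio 0.4 on this sample, so 'leaking' is True
```

On a real host the same classification can be fed from a promiscuous-mode capture; the point of the ratio rather than a raw count is that a few stray frames after a switch's MAC table ages out are normal, while a sustained share is the misconfiguration the answer warns about and is worth escalating to whoever runs the switch.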
-1

That is not possible. If an adversary captures a machine in the network, software can listen on any traffic of that machine's networking device. Hence, all traffic from and to that machine is compromised.

If an adversary can place a new machine under his control on the network, it still can only grab the traffic that somehow crosses the networking card of that device. Interacting with the network in any way may reveal the attack to an intrusion detector, so interacting with the network is not an option.

With pure listening there are two cases:

1. a hub is used

Since hubs simply broadcast all packets, all traffic that crosses the hubs which an adversary is connected to is compromised.

2. a switch is used

Switches do not broadcast traffic. In this case, an adversary could not grab any traffic without interacting with the network (which might reveal the attack). This is why switches are used in most places where security plays any role.


If the hub/switch/router in the network can be controlled by an attacker, all data crossing that hub is compromised, obviously. Depending on the size and infrastructure of that network, a lot of sensitive data could be compromised this way.

TL;DR: on modern networks that transport sensitive information, this is impossible.

P.S.: Intrusion Detection is also only software. And software has bugs. So knowing what firewall / detection software is in use in the target network will allow for some ways to interact with the network. Which traffic can be compromised in such a case is unpredictable. Same goes for capturing a network node (hub/switch/router): if that can be done without detection an attacker will have access to a broad scale of data on that network.

marstato