[ale] NFR
Russell Enderby
Russell.Enderby at arris-i.com
Thu Sep 2 09:59:53 EDT 1999
People have been recommending NFR on here so I thought it was prudent to
post this as grabbed from the NFR web site:
=== CUT HERE ===
The performance of NFR on Linux will be poor on any hardware when
compared to NFR on BSD-based systems on the same hardware. Linux does
not use the
BPF. The libpcap library uses another method to extract packets
from the kernel on Linux. The code for this method does not appear to
be written with
performance in mind. Programs such as NFR, which use libpcap to
read packets from the interface in promiscuous mode, will experience
significant packet
loss on any network that sees traffic of several megabits per
second or more.
Linux does not properly handle interfaces in promiscuous mode. It
fails to it fails to distinguish packets addressed to it from packets
addressed to other
machines. This means that you can subvert the Linux system in
various ways:
Other systems on the network can detect Linux based sniffers
by looking for responses to requests sent to the wrong MAC address. The
Apostols Web
page (http://www.apostols.org/projectz) (in Spanish) describes
the exploit. The source code for the exploit program contains comments
and error
messages in English.
On an NFR that is multihomed, someone could use the flaws in
Linux to route traffic from the promiscuous interface to other
interfaces.
This is a serious bug in Linux. Even if you run your NFR in
stealth mode, someone can exploit this Linux flaw and possibly attack
your machine and route
traffic through your machine.
=== END CUT ===
Has this been fixed in the 2.2 kernel? I noticed no mention of Red Hat
higher than 5.x on their site so I am wondering if it is obsolete.
Russell
--
Russell T. Enderby Arris
Interactive
Software Engineer 3871 Lakefield
Dr, Suite 300
Cornerstone Software Development Group Suwanee, GA 30024-1242
Email: Russell.Enderby at arris-i.com
More information about the Ale
mailing list