Guide to Sniffing Attacks

A sniffing attack is the illicit capture and decoding of data packets as they pass through a network. It is commonly used to harvest banking information or login credentials, or to commit identity theft. The Network Interface Card (NIC) installed in most computers is configured by default to ignore traffic that is not addressed to it. Sniffing attacks involve switching the NIC into promiscuous mode, which makes it accept any and all traffic on the network. System administrators do this to troubleshoot or analyze a network; criminals abuse the same technique to perform attacks. By decoding the captured data, attackers can read all traffic on the network. There are two types of sniffing, active and passive:

  • Active sniffing involves injecting Address Resolution Protocol (ARP) frames into a network to flood the switch's content-addressable memory (CAM) table, which redirects legitimate traffic to ports the attacker controls so that it can be sniffed. The CAM table on a switch has limited memory for tracking which computers are connected to each of its ports; when that memory fills up, the switch starts sending all network traffic out of all ports.
  • Passive sniffing involves only listening and is carried out on networks connected by hubs, which send all network traffic to all hosts by default.

Analyst Notes

Sniffers can go undetected for long periods, so large amounts of information can be stolen before the activity is noticed. Some defensive measures include:
• Perform routine monitoring of networks and systems for malicious sniffing.
• Do not connect computers to public or untrusted Wi-Fi networks, because attackers can use public hotspots to capture large amounts of data at once.
• Encrypt all data that is sent from computers, especially emails and critical data.
• Monitor and detect failure conditions on network switches that result in CAM table memory filling up, and investigate the cause to determine if an attacker is using an active attack to capture network traffic.
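One way to implement the CAM-table check in the last bullet, as an added example that is not part of the original post: the code counts how many distinct source MAC addresses each switch port learns within a short window and flags ports that behave like a flood source, running over constructed sample log lines in an assumed "<epoch> port=<id> src_mac=<mac>" format rather than any vendor's real syntax.

```python
import re
from collections import defaultdict

# Constructed sample of switch MAC-learning events; the line format
# '<epoch> port=<id> src_mac=<mac>' is an assumption, not a vendor's syntax.
SAMPLE_LOG = [
    "1700000000 port=Gi1/0/1 src_mac=00:11:22:33:44:01",
    "1700000003 port=Gi1/0/2 src_mac=00:11:22:33:44:02",
    "1700000031 port=Gi1/0/1 src_mac=00:11:22:33:44:01",  # same host re-learned
    "1700000045 port=Gi1/0/2 src_mac=00:11:22:33:44:03",  # one legitimate MAC move
    "this line is malformed and must be skipped",
] + [
    # burst of eight never-seen source MACs on one port within three seconds
    f"17000000{10 + i // 3} port=Gi1/0/7 src_mac=de:ad:be:ef:00:{i:02x}"
    for i in range(1, 9)
]

LINE_RE = re.compile(r"^(?P<ts>\d+) port=(?P<port>\S+) src_mac=(?P<mac>[0-9a-f:]{17})$", re.IGNORECASE)

def parse_events(lines):
    """Yield (timestamp, port, mac) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m["ts"]), m["port"], m["mac"].lower()

def flooding_ports(lines, window_s=10, max_new_macs=5):
    """Return {port: peak distinct MACs} for ports that learned more than
    max_new_macs distinct source MACs within any window_s-second window.
    An access port normally learns a handful of MACs over its lifetime;
    dozens within seconds is the signature of a CAM-table flood."""
    per_port = defaultdict(list)
    for ts, port, mac in parse_events(lines):
        per_port[port].append((ts, mac))
    alerts = {}
    for port, events in per_port.items():
        events.sort()
        peak = 0
        for i, (start_ts, _) in enumerate(events):
            in_window = {mac for ts, mac in events[i:] if ts - start_ts <= window_s}
            peak = max(peak, len(in_window))
        if peak > max_new_macs:
            alerts[port] = peak
    return alerts

def cam_utilization(lines, capacity):
    """Fraction of the CAM table consumed by all distinct MACs seen so far."""
    return len({mac for _, _, mac in parse_events(lines)}) / capacity
```

Tune window_s and max_new_macs to the port type: an uplink or a port facing a hypervisor legitimately carries many MACs, so the thresholds that fit an access port will be too tight there.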