[ale] NFR

Russell Enderby Russell.Enderby at arris-i.com
Thu Sep 2 09:59:53 EDT 1999


People have been recommending NFR on here so I thought it was prudent to
post this as grabbed from the NFR web site:

=== CUT HERE ===

The performance of NFR on Linux will be poor on any hardware when
compared to NFR on BSD-based systems on the same hardware.  Linux does
not use the
     BPF.  The libpcap library uses another method to extract packets
from the kernel on Linux.  The code for this method does not appear to
be written with
     performance in mind.  Programs such as NFR, which use libpcap to
read packets from the interface in promiscuous mode, will experience
significant packet
     loss on any network that sees traffic of several megabits per
second or more.
     Linux does not properly handle interfaces in promiscuous mode.  It
fails to it fails to distinguish packets addressed to it from packets
addressed to other
     machines. This means that you can subvert the Linux system in
various ways:
          Other systems on the network can detect Linux based sniffers
by looking for responses to requests sent to the wrong MAC address.  The
Apostols Web
          page (http://www.apostols.org/projectz) (in Spanish) describes
the exploit.  The source code for the exploit program contains comments
and error
          messages in English.
          On an NFR that is multihomed, someone could use the flaws in
Linux to route traffic from the promiscuous interface to other
interfaces.

     This is a serious bug in Linux.  Even if you run your NFR in
stealth mode, someone can exploit this Linux flaw and possibly attack
your machine and route
     traffic through your machine.

=== END CUT ===

Has this been fixed in the 2.2 kernel?  I noticed no mention of Red Hat
higher than 5.x on their site so I am wondering if it is obsolete.

Russell


--
Russell T. Enderby                                        Arris
Interactive
Software Engineer                                         3871 Lakefield
Dr, Suite 300
Cornerstone Software Development Group   Suwanee, GA 30024-1242
Email: Russell.Enderby at arris-i.com






More information about the Ale mailing list