Skip to content

November 5, 2010


Firesheep Detection and Defence with FireShepherd [and BlackSheep]

When Firesheep intercepts a valid session cookie for the sites it supports, it automatically makes its own request to that site using that session. Just as the Firesheep user can intercept network traffic over wifi, so can the normal users, so this behaviour means that Firesheep itself is detectable.

By transmitting a request to Facebook, Twitter or Google with a fake session ID, and monitoring the network using Wireshark, it is possible to look for follow-up connections from another host, using your fake session ID. By performing this ‘reverse attack’ on loop, it’s possible to flood the attacker’s Firesheep window with tons of invalid sessions. Note that this doesn’t protect you entirely, and any valid login to these sites will still be intercepted by Firesheep. But it’s possible to detect whether a Firesheep user is on the network.

Someone has released FireShepherd (currently Windows only), a tool that automates the flooding of invalid sessions, supposedly temporarily killing Firesheep running on the local network. Note that FireShepherd doesn’t detect the presence of Firesheep on the network.

[Updated] BlackSheep, a Firefox plugin, has been released which alerts the user if Firesheep is in use on the network. It does this using the method described above.

1 Comment Post a comment
  1. To continue with your last line: it is possible to detect Firesheep with the Bro IDS:

Share your thoughts, post a comment.


Note: HTML is allowed. Your email address will never be published.

Subscribe to comments