Information Technology Services, The University of …

Date posted: 30-Jul-2020

More and more transactions are performed online. Thus, a secured connection has to be ensured between the server and the client. However, such a connection usually requires only server authentication.

The client identity is not checked, which allows an attacker to intercept the communication and impersonate the user. This kind of attack is a Man-in-the-Middle attack. The name is derived from basketball, in which a player tries to intercept the ball exchanged between two other players.

Man-in-the-Middle Attack Progress

A Man-in-the-Middle (MIM) attack is an attack in which the attacker intercepts information exchanged between two parties. The two legitimate parties think they are communicating directly with each other and do not suspect the presence of the intruder.

There are two major forms of Man-in-the-Middle attack: eavesdropping and manipulation [1].

Eavesdropping

An eavesdropper just listens to the data stream and records it for later analysis. It is a kind of data leakage more than a direct attack.

Manipulation

In the case of a manipulation, data have to be redirected to an intermediate machine to allow data modification and enable the attacker to forward them to the legitimate recipient.

(Figure: Eavesdropping and manipulation)

A Man-in-the-Middle attack is a common threat during key exchange. For instance, Alice wants to send an encrypted message to Bob. Unfortunately, Mallory is monitoring the conversation. Alice asks Bob for his public key. Bob sends his public key, but Mallory intercepts it and sends her own public key to Alice instead of Bob's. Alice encrypts her message with Mallory's public key, thinking it is Bob's, and sends it to Bob. Mallory intercepts the message and deciphers it with her private key. She can then modify it or just read it, and sends Bob the message encrypted with his public key. Bob receives the message and thinks it comes directly from Alice; he is able to decipher it with his private key.

Page 1

Man-in-the-Middle Attack: Security and Privacy Concerns


(Figure: Result of key exchange under a Man-in-the-Middle attack)

Once the attacker is established, he can just gather information, but he can also inject malicious code.

Attack Techniques

The techniques used for Man-in-the-Middle attacks can be classified according to the type of network environment [3]:

Local Area Network

A local area network is a bounded area in which computers are interconnected (e.g. a university, an organization, etc.). In this kind of network, communication between computers is easier because trusted connections are already implemented. Thus, specific techniques will be employed by the attacker.

ARP poisoning: the attacker sends falsified Address Resolution Protocol messages. Usually, the attacker associates his MAC address with the victim's IP address. The attacker thereby receives any traffic sent to the legitimate IP address. Finally, the attacker can modify the packets.

DNS spoofing: the attacker sniffs DNS requests and replies before the real DNS server does. Traffic is diverted to the attacker's computer.

IP address spoofing: IP packets are created with a forged source IP address in order to impersonate another computer system. This attack is easier to set up in a local network where a trust relationship is already implemented.

Port stealing: the attacker redirects traffic to another port of the Ethernet switch. To do so, the attacker floods the victim host's switch with forged ARP packets. These packets have the victim host's MAC address as source address and the attacker host's MAC address as destination.
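
As an added defensive example (not part of the original document), the following Python monitor looks at the ARP poisoning technique above from the detection side: it watches ARP replies for an IP address that is suddenly announced by a different MAC, and for one MAC claiming several addresses. The sample replies and addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of ARP replies observed on a LAN segment, as (timestamp, sender IP,
# sender MAC). 192.168.1.1 is the gateway, legitimately 00:11:22:33:44:01; the last two
# replies are forged by a host at 00:11:22:33:44:99, the pattern ARP poisoning leaves.
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1", "00:11:22:33:44:01"),
    (1.5, "192.168.1.20", "00:11:22:33:44:14"),
    (2.0, "192.168.1.1", "00:11:22:33:44:01"),
    (5.0, "192.168.1.1", "00:11:22:33:44:99"),   # gateway IP now claimed by another MAC
    (5.1, "192.168.1.20", "00:11:22:33:44:99"),  # same MAC also claims the victim's IP
]


def detect_arp_spoofing(replies, trusted_bindings=None):
    """Flag ARP replies that rebind an IP to a new MAC, or one MAC claiming several IPs.

    trusted_bindings: optional dict IP -> MAC from an authoritative source (DHCP leases,
    a static inventory). Without it, the first binding seen for each IP is trusted, so
    the monitor must be running before the attacker starts.
    Returns a list of alert tuples; an empty list means nothing suspicious was seen.
    A router or proxy that legitimately answers for several IPs will also trigger the
    "multi_ip" alert, so that rule needs an allow-list in practice.
    """
    bindings = dict(trusted_bindings or {})
    ips_per_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac
        elif known != mac:
            # The trusted binding is kept; the conflicting reply is what gets reported.
            alerts.append(("rebind", ts, ip, known, mac))
        first_claim = ip not in ips_per_mac[mac]
        ips_per_mac[mac].add(ip)
        if first_claim and len(ips_per_mac[mac]) > 1:
            alerts.append(("multi_ip", ts, mac, tuple(sorted(ips_per_mac[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```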

From local to remote

DHCP spoofing: the attacker replies before the DHCP server does and diverts traffic. He can then manipulate the victim's IP address, the gateway address assigned to the victim and the DNS server address.

(Figure: DHCP spoofing)

IRDP spoofing: the attacker remotely adds a new route that will be preferred over the default one obtained from DHCP. The host will follow the attacker's route instead of the legitimate one.

Difference between Man-in-the-Middle attack and sniffing [2]

A sniffer is a tool used by hackers to capture and analyse network packets. If the network packets are not encrypted, the data can be read directly with the sniffer.

This attack is passive: the attacker just reads the packets and the traffic is not modified. Unlike a sniffing attack, a Man-in-the-Middle attack implies an active third party, which can alter message content and even inject malicious code.

However, a Man-in-the-Middle attacker is able to sniff packets. That is the eavesdropping form of the MIM attack.

Remote

Remote access is less lenient because computers are not interconnected.

DNS poisoning: the attacker can brute-force the DNS by replying before the real DNS server while trying to guess the correct query ID. Otherwise, the attacker can send a dynamic update to the victim's DNS server. As soon as the DNS server processes it, the attacker gains control.

Traffic tunnelling: the attacker collects sensitive information exchanged between two persons by means of traceroute, port scanning or photo scanning.

Detection Techniques

A Man-in-the-Middle attack is generally hard to detect. However, some techniques enable the detection of malicious behavior. Wireless sensor networks can detect MIM attacks in a timely fashion. Moreover, attackers can always make mistakes, so users have to remain alert. In case of suspicion, network forensics can be performed on the server IP address, the server DNS name and the X.509 certificate of the server.

• Time detection

Wireless sensor networks can be used to detect MIM attacks [5]. In fact, they can estimate distances thanks to distance-bounding protocols. The distance is estimated based on precise timing. If the time to receive a message is longer than a certain delay, the message is rejected.

• Third party program

Third-party programs can be used to detect an intruder. An intrusion detection system such as Snort will monitor the network traffic of hosts. This technique is only feasible for single-host monitoring and will not be relevant for an entire network.

• Detecting rogue access point

In a wired network with wireless access points, attackers can use the Wi-Fi in order to intercept information. Several techniques can help to distinguish wireless from wired network access thanks to the difference in capacity and variability characteristics between both kinds of networks [6].

Client-side bottleneck bandwidth can be used to determine the inter-arrival time between two packets. The value helps to determine the nature of the network (wired or wireless).

Round Trip Time (RTT) can be used to detect a rogue access point. RTT corresponds to the time required for a signal to go from a source to a destination and come back. This technique can help to separate wired from wireless access. It can present false positives and thus classify a legitimate user as an attacker.

A RADIUS authentication server can authenticate devices and thus also detect rogue access points. It will only detect rogue access points coming from an Internet Service Provider which has a RADIUS authentication server installed.

Great Cannon [4]

The Great Cannon is an attack tool that behaves as a Man-in-the-Middle attack. In fact, it intercepts web traffic and arbitrarily replaces content. It is used to launch distributed denial-of-service attacks to disrupt website operations.

The Great Cannon is able to inject traffic but also to directly suppress it. It does not sniff all the traffic but only intercepts specific addresses.

As a complete Man-in-the-Middle attack, it can intercept unencrypted e-mail and alter its content without the user's detection.

In March 2015, GitHub was attacked by the Great Cannon. GitHub characterized this attack as the largest DDoS attack in its history. This Man-in-the-Middle attack replaced a JavaScript file used for user tracking with another one which asked the user's browser to indefinitely reload two pages at GitHub.

• Warning about certificates

References and certificates sent by the server should be compared, and the connection should be established only in case of a perfect match [7].

A certificate fingerprint can also be compared against a reference value. The certificate fingerprint is the public key passed through a cryptographic hash function such as SHA-1 or SHA-2.

Checking the certificate can help to detect a MIM. In fact, the certificate should be signed by a trusted certificate authority. Users should mistrust certificates that have been revoked or recently changed, as well as certificates used on several websites.

In case of a system or browser warning about certificate validity, the user should not continue his request.

(Figure: Certificate warning)
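
The following Python simulation is an added example, not part of the original document. It reproduces the Alice, Bob and Mallory key exchange from the first page and shows how comparing the received key's fingerprint against a reference value, as described above, turns a silent compromise into a rejected connection. The Diffie-Hellman group and the use of SHA-256 as the fingerprint function are choices made for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for illustration only: 2**127 - 1 is a Mersenne
# prime. Real deployments use standardised groups (e.g. the RFC 7919 finite-field groups).
P = 2**127 - 1
G = 5


def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def fingerprint(pub):
    # Hash of the public key: the "reference value" a client obtains out of band
    # (or pins from an earlier connection) and compares with what arrives on the wire.
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()


def derive_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def exchange(mallory_active, pin_bobs_key=False):
    """Simulate Alice asking Bob for his public key over a channel Mallory controls.

    Returns "ok" when Alice and Bob end up with a key Mallory does not hold,
    "compromised" when Alice unknowingly shares her key with Mallory, and
    "rejected" when Alice's fingerprint check catches the substituted key.
    """
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    reference_fp = fingerprint(b_pub) if pin_bobs_key else None

    # Bob's key in transit. Mallory replaces it with her own, exactly as in the text.
    pub_seen_by_alice = b_pub
    if mallory_active:
        m_priv, m_pub = keygen()
        pub_seen_by_alice = m_pub

    # Without a reference value Alice has no way to tell the two keys apart.
    if reference_fp is not None and fingerprint(pub_seen_by_alice) != reference_fp:
        return "rejected"

    alice_key = derive_key(a_priv, pub_seen_by_alice)
    if mallory_active:
        # Mallory completes the exchange with Alice's genuine public key and can now
        # decrypt, read or modify everything Alice sends, then re-encrypt it for Bob.
        return "compromised" if derive_key(m_priv, a_pub) == alice_key else "error"
    return "ok" if derive_key(b_priv, a_pub) == alice_key else "error"
```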

• Detect HTTPS hijacked communication

A user can detect that the HTTPS indication is missing in the browser. In fact, when a client connects to a secure website such as a bank account, the page should be encrypted, but sometimes HTTPS is not indicated in the browser. That means the connection should not be trusted: a Man-in-the-Middle attack is probably occurring.

Defense Techniques

• Certificate

In a MIM attack, the attacker can intercept the legitimate certificate sent by a website to a client and replace it with another one. The client will accept it and thus will have accepted an untrusted certificate. A solution to prevent this is to automate certificate assessment. In fact, MIDAS (Man-in-the-Middle Distributed Assessment System) validates certificates through a given network. The mechanism consists in classifying certificates as trusted or untrusted according to information gathered from different sources.

• DNSsec

DNSsec (Domain Name System Security Extensions) is an alternative to DNS [9]. It ensures the validity of the data received and the authenticity of the DNS records. Public key cryptography is used to do so. It is still at an early stage in its deployment.

Bank threat [8]

In 2003, a group of hackers tried to attack several banks. One was especially vulnerable and they succeeded in transferring $10 million within a few hours.

The bank did not manage to locate them. The hackers decided to contact the bank president and offered two options. The first one was that the bank would prosecute them, but in this case the attackers would deny it and notify the public of the bank's poor security. The other one was to consider this attack as a security assessment requested by the bank that cost $5 million, and the hackers would return the other $5 million to the bank.

Finally, the president decided to give $5 million to the attackers as a security assessment.

• Mutual authentication

In the case of one-way authentication, only one party is assured of the other's identity [10]. Thus, the conversation can be eavesdropped between the non-authenticated party and the certified one.

For instance, if a client logs into a bank website, only the bank's server provides a certificate. Thus, requests made by the client to the server can be intercepted. Mutual authentication will defeat this attack: no one will be able to impersonate the client's identity anymore.

• SSL

SSL creates and establishes secure communication between devices and prevents eavesdropping. However, a bad implementation could lead to the opposite result. Parties have to validate that the remote connected party is legitimate. Then, they create a key to encrypt the data exchanged between them during the session.

(Figure: SSL handshake authentication [11])

Consequently, SSL can be compromised if the key has been stolen. In this case, there is no way for the user to know that the server is not trustworthy anymore. The client can also trust a CA whose root key has been stolen.
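
As an added example (not from the original document or its references), the Python standard-library ssl contexts below make the difference between the one-way and mutual authentication discussed in the two sections above concrete: in the one-way case only the client verifies the server, while the mutual case also requires the client to present a certificate. The certificate and CA file paths are assumptions supplied by the caller.

```python
import ssl


def one_way_server_context():
    """Server side of one-way authentication: the server proves its identity, the
    client is never asked for a certificate (the bank-website situation in the text)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # The default verify_mode of a server context is CERT_NONE: any client is accepted.
    return ctx


def mutual_server_context(client_ca_file=None):
    """Server side of mutual authentication: the client must present a certificate
    chaining to the CA in client_ca_file (assumed path), or the handshake fails."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_ca_file is not None:
        ctx.load_verify_locations(cafile=client_ca_file)
    return ctx


def client_context(client_cert_file=None, client_key_file=None):
    """Client side: the default context already requires a valid server chain and a
    matching hostname, which is what makes a substituted certificate visible.
    Passing a client certificate (assumed paths) lets the server authenticate the client."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert_file is not None:
        ctx.load_cert_chain(certfile=client_cert_file, keyfile=client_key_file)
    return ctx


def authenticated_parties(server_ctx, client_ctx):
    """Describe who has to prove their identity in a session built from these contexts."""
    server_checked = client_ctx.verify_mode == ssl.CERT_REQUIRED and client_ctx.check_hostname
    client_checked = server_ctx.verify_mode == ssl.CERT_REQUIRED
    if server_checked and client_checked:
        return "mutual"
    if server_checked:
        return "server-only"
    return "none"
```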

• Internal devices protection

In case of a Man-in-the-Middle attack, the server will not notice any issue; however, some protections can be applied from the client side.

Firstly, the user should ensure that secured connections use HTTPS. Secondly, the likelihood of traffic interception is lower on the home network than on the work network. In fact, at home only a small number of computers are connected and they all belong to the same family, whereas at work the potential sources of attacks are multiplied. Thus, sensitive websites such as online banking should be accessed from home.

Finally, these kinds of attacks are mainly executed from inside the network; thus, internal machines have to be well protected [12].

Conclusion

Man-in-the-Middle attacks remain hard to detect. More and more cryptographic protocols include endpoint authentication in order to prevent Man-in-the-Middle attacks. However, if users use untrusted websites, these preventions will remain useless. A wise use of the Internet can limit the risk and shorten the time to attack detection.


References

1. "Man-in-the-Middle attack", August 2015. Web. 6 August 2015.
2. "What is the difference between Man-in-the-Middle attack and sniffing", August 2014. Web. 10 August 2015.
3. "Network security: Man-in-the-Middle attack techniques", December 2013. Web. 3 August 2015.
4. "China's Great Cannon", April 2015. Web. 10 August 2015.
5. "Detecting and Defeating Advanced Man-in-the-Middle Attacks against TLS", E. de la Hoz et al., 2014. PDF.
6. "Man-in-the-Middle Attacks Detection Scheme on Smartphone using 3G network", J. Lee et al., 2012. PDF.
7. "Man-in-the-Middle? – No, thank you!", June 2013. Web. 6 August 2013.
8. "Unauthorized Access: Security Breach Example", October 2011. Web. 7 August 2015.
9. "DNSsec an introduction", October 2014. Web. 7 August 2015.
10. "Can mutual authentication beat phishing or Man-in-the-Middle attacks", August 2015. Web. 7 August 2015.
11. "SSL handshake with two ways authentication with certificates", August 2008. Web. 10 August 2015.
12. "Understanding Man-in-the-Middle attacks", June 2010. Web. 6 August 2015.

Copyright Statement

All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre (“JUCC”). Copyright and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in any manner, without the prior written consent of the copyright holder, is a violation of copyright law.

A single copy of the materials available through this document may be made, solely for personal, non-commercial use. Individuals must preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others, whether or not in electronic form, whether or not for a charge or other consideration, without prior written consent of the copyright holder of the materials. Contact information for requests for permission to reproduce or distribute materials available through this document is listed below:

[email protected]
Joint Universities Computer Centre Limited (JUCC)
c/o Information Technology Services
The University of Hong Kong
Pokfulam Road, Hong Kong
