Article Preview
TopIntroduction
One of the most prevalent network attacks used against individuals and large organizations alike are man-in-the-middle (MITM) attacks. Considered an active eavesdropping attack, MITM works by establishing connections to victim machines and relaying messages between them. In cases like these, one victim believes it is communicating directly with another victim, when in reality the communication flows through the host performing the attack. The end result is that the attacking host can not only intercept sensitive data, but can also inject and manipulate a data stream to gain further control of its victims (Nath Nayak & Ghosh Samaddar, 2010).
MiTM attacks pose a serious threat to online security, because they give the attacker the ability to capture and manipulate sensitive information in real-time. The attack is a type of eavesdropping in which the entire conversation is controlled by the attacker. Sometimes referred to as a session hijacking attack (Nath Nayak & Ghosh Samaddar, 2010), MiTM has a strong chance of success when the attacker can impersonate each party to the satisfaction of the other. A man in the middle attack happens in both wired and wireless networks (Hwang, Jung, Sohn, & Park, 2008).
A common method of executing a MiTM attack involves distributing malware that provides the attacker with access to a user’s Web browser and the data it sends and receives during transactions and conversations. Once the attacker has control, he can redirect users to a fake site that looks like the site the user is expecting to reach. The attacker can then create a connection to the real site and act as a proxy in order to read, insert and modify the traffic between the user and the legitimate site. Online banking and e-commerce sites are frequently the target of MITM attacks so that the attacker can capture login credentials and other sensitive data (Aljawarneh, 2011; Aljawarneh, 2016).
Most cryptographic protocols include some formes of endpoint authentication specifically to prevent MITM attacks. For example, the Transport Layer Security (TLS) (Dierks & Allen, 1999) protocol can be required to authenticate one or both parties using a mutually trusted certification authority. Unless users take heed of warnings when a suspect certificate is presented, however, a MITM attack can still be carried out with fake or forged certificates as demonstrated by (Clark & van Oorschot, 2013).
An attacker can also exploit vulnerabilities in a wireless router’s security configuration caused by weak or default passwords. For example, a malicious router, also called an evil twin (Nikbakhsh, Manaf, Zamani, & Janbeglou, 2012), can be setup in a public place like a café or hotel to intercept information traveling through the router. Other ways that attackers often carry out man-in-the-middle attacks include Address Resolution Protocol (ARP) spoofing (Jinhua & Kejian, 2013), domain name system (DNS) spoofing (Yu, Chen, & Xu, 2011), Spanning Tree Protocol (STP) mangling (Lai, Pan, Liu, Chen, & Zhou, 2014), port stealing (Nath Nayak & Ghosh Samaddar, 2010), Dynamic Host Configuration Protocol (DHCP) spoofing (Duangphasuk, Kungpisdan, & Hankla, 2011), and Internet Control Message Protocol (ICMP) redirection (Arote & Arya, 2015).
In order to face MitM, the researchers need to define two important stages at this point, detection and prevention ((Aljawarneh, 2011; Aljawarneh, 2016).