=Paper= {{Paper |id=Vol-2872/short08 |storemode=property |title=Man in the Middle: Attack and Protection |pdfUrl=https://ceur-ws.org/Vol-2872/short08.pdf |volume=Vol-2872 |authors=Enkli Ylli,Julian Fejzaj |dblpUrl=https://dblp.org/rec/conf/rtacsit/YlliF21 }} ==Man in the Middle: Attack and Protection== https://ceur-ws.org/Vol-2872/short08.pdf
Man in the Middle: Attack and Protection
Enkli Ylli (a), Dr. Julian Fejzaj (b)

(a) Faculty of Information Technology, Polytechnic University of Tirana, Sheshi Nënë Tereza, Tiranë, Albania
(b) Faculty of Natural Sciences, University of Tirana, Bulevardi Zogu i Pare, Tiranë, Albania


Abstract

The purpose of this paper is to take a closer look at the Man-In-The-Middle (MITM) attack and the defenses against it. MITM, also referred to in some literature as a hijack attack, is one of the most well-known and widespread attacks in cybersecurity; it targets the connection between two parties and directly jeopardizes both the confidentiality and the integrity of the data exchanged. This paper examines the current state of cybersecurity and the use of MITM attacks, what constitutes a proper MITM attack, why this approach is chosen among many other options, how such an attack is carried out in a real-life scenario, and how maximal protection can be achieved for both individuals and systems.

Keywords
MITM, cyber security, wireless network


1. Introduction

As important as building an efficient system, network or application is, taking the correct measures to protect it and to offer a secure service is even more necessary. Technological development brings increased risks and security threats, and never has this been more true than in today's society.

Cybersecurity and cybercrime are two terms that go hand in hand and are inversely correlated. While cybersecurity handles the protection of internet-connected hardware, software and data from different threats, cybercrime encompasses illegal activity that uses a computer as its primary means of commission and theft [1]. The inverse correlation describes their relationship: if cybersecurity measures are improved and extended, the likelihood of cybercrime is reduced, but if cybersecurity is not at the correct level, the likelihood of a cybercrime happening increases heavily.

There is a multitude of methods that can be used in the execution of a cyber-attack. They range from brute-force attacks, which are a mostly outdated method given today's technological development, to Man-In-The-Middle (MITM) attacks, Denial of Service (DoS, or Distributed DoS), malware attacks (worms, Trojans, viruses, spyware, etc.), phishing and so on. While they are all worthy of study and understanding, this paper focuses on MITM attacks.

Let us first introduce what a Man-In-The-Middle attack entails. As the name suggests, it is an interference in which an attacker inserts himself into the communication between two or more parties who are unaware of the attacker's existence. The attacker may either passively receive the information exchanged by the two participants or actively interfere and change the data being communicated. The forms of the attack and further details are discussed in Section 2 of this paper. This type of attack has been taking place since the 1980s, and researchers have been actively studying it and taking measures to prevent it, among other threats.


Proceedings of RTA-CSIT 2021, May 2021, Tirana, Albania
EMAIL: eylli@yahoo.com (A. 1); julian.fejzaj@fshn.edu.al (A. 2)
              © 2021 Copyright for this paper by its authors. Use permitted under Creative
              Commons License Attribution 4.0 International (CC BY 4.0).
              CEUR Workshop Proceedings (CEUR-WS.org)
Two main approaches are used in setting up a MITM attack [2]: creating fake networks that are controlled by the attacker, or tampering with the connection between the victim and a legitimate network. The first method is widely used to attack individuals on the public Wi-Fi that is nowadays available in most cafés, institutions and businesses. The second method is a bit more sophisticated: the infiltration consists of an unsecured connection between the victim and the attacker and then a secured connection between the attacker and the genuine network. This can be very difficult to detect, especially if the attacker then provides correct encryption and forwarding on his side. The unsecured connection between the attacker and the victim can have devastating results depending on the type of information transferred, for example in online commerce or banking.

Relating to MITM defense methods, there are some prevalent approaches. From a user perspective, free public Wi-Fi connections should be avoided. They present an easy yet effective way of implementing MITM attacks and are much harder to detect, especially from a user's perspective and when proper precautions are not taken. Warnings from browsers flag illegitimate connections, which is a simple way for a user to detect a connection that is not genuine. VPNs also prove to be effective in offering a more secure connection. From a technological perspective, the two main ways of defending against MITM attacks rely on prevention primarily and detection secondarily.

In Section 2, this paper takes a closer look at MITM attacks, followed by in-depth information regarding MITM defense approaches in Section 3. Section 4 mentions future work, followed by the conclusions provided in the final Section 5.

2. MITM Attacks

Man-in-the-middle attacks are one of the most commonly used network attacks. The attack happens when the attacker manages to get in the middle between the two parties of a communication: the sender and the receiver. The attacker tricks the parties by making them believe that they are communicating with each other when in fact the attacker controls the communication. Often the two parties are a client and a server, so this paper uses this topology to explain how MITM attacks are performed.

The client and the server communicate with each other over a legitimate communication channel. The client sends requests to the server and the server sends responses based on the request that the client sent. Using a MITM attack, the attacker destroys the legitimate channel and creates a new one that he controls. He tricks the client into believing that the attacker is the server and tricks the server into believing that the attacker is the client. So when the client sends a request to the server, the request is delivered to the attacker, who then forwards it to the server. The same happens with the response that the server sends to the client: it first arrives at the attacker, who then decides what to do with it, whether to forward it to the client or not. Being in the middle of the communication between the client and the server gives the attacker access to the information and the packets being transferred. The packets may contain sensitive information such as usernames, passwords and other login credentials. The attacker can drop the packets, sniff them or manipulate them.

There are two types of MITM attacks: passive attacks and active attacks [4]. In a passive attack, the attacker receives the packets being transmitted and forwards them without making changes. In an active attack, the attacker receives the packets, manipulates them and then forwards the manipulated packets. Classified by the protocol used to perform them, the MITM attacks covered in this paper are:

    ARP Poisoning – IP spoofing
    DNS Spoofing
    DHCP Spoofing
    Wi-Fi Eavesdropping
    SSL Stripping
    HTTPS Spoofing

2.1. ARP Poisoning – IP spoofing
MITM attack using ARP Poisoning is the most commonly used technique for performing MITM attacks, because of the poor security of the ARP protocol and because it is the simplest way to perform the attack. The Address Resolution Protocol (ARP) creates a mapping between MAC addresses and IP addresses. The protocol works with two types of messages, request and reply, exchanged between two parties, the source host and the destination host. An ARP Request is broadcast and is used to find which MAC address corresponds to a certain IP address. All hosts receive the request, but only the host whose IP address matches the target IP address in the ARP Request responds to it. To reduce network traffic, every host keeps an ARP cache, a table that maps the IP addresses of the hosts on the network to their MAC addresses.

ARP Poisoning means "poisoning" the ARP cache using the main vulnerability of the ARP protocol [10]. The vulnerability is that ARP is stateless: hosts accept an ARP reply even if they have not sent any ARP request, which means they update their ARP cache every time an ARP reply arrives. Because ARP requests are broadcasts, every host connected to the network can see them. The attacker sends forged replies carrying his own MAC address and attacks both parties of the communication. He sends the source host an ARP Reply that tricks it into believing that the IP address of the destination host maps to the attacker's MAC address, and he sends the destination host an ARP Reply that tricks it into believing that the IP address of the source host maps to the attacker's MAC address. After this, the source thinks that the attacker is the destination and the destination thinks that the attacker is the source, so everything the two hosts send each other first passes through the attacker, who then forwards the packets to them. This type of attack works across switches and access points, i.e. within one broadcast domain, but not across routers, because a router does not forward ARP packets to other networks. ARP

2.2. DNS Spoofing

DNS is the protocol that translates domain names into IP addresses [6]. It is an important internet protocol but has security problems, one of them being that the client cannot verify the authenticity of the DNS response it receives. This means that the first response the client gets is the one that is trusted and used. This flaw is exploited to perform DNS Spoofing.

DNS Spoofing is a type of attack in which the attacker prevents the client from reaching the legitimate server and directs it to a fake one controlled by the attacker [7]. This is done by manipulating the entries in the DNS table. When a client wants to access a website, it sends a DNS request to the DNS server to get the IP address of the site, and the DNS server sends this IP back to the client in a DNS response. The request and the response exchanged between client and server are protected only by a transaction identification number. If the attacker manages to learn this number, he can attack the client by sending it a fake DNS response before the response of the legitimate DNS server arrives. To learn the identification number, the attacker performs a MITM using ARP spoofing and captures the packets the client is sending. Because the DNS traffic is neither encrypted nor authenticated, he can read the identification number, send a fake DNS response to the client and direct it to a fake website controlled by the attacker. In this way, the attacker can read all the data that the client enters on the fake website. This type of attack can be executed not only in LAN networks but also remotely: the fake DNS server is given a static IP address and the client's DNS cache is poisoned through malware rather than through ARP spoofing.

2.3. SSL Stripping

Removing SSL/TLS encryption on a segment between source and destination is a serious threat to the confidentiality claimed and offered by the service. The use of weak algorithms in SSL creates a separate opportunity to break the encryption, but stripping does not attack the cryptography itself: it exploits the fact that the user first opens an HTTP connection and is then redirected to HTTPS. By detecting that first connection request, the attacker alters the data and then establishes an HTTPS connection between himself and the server and an unsecured HTTP connection with the user, acting as a "bridge" between them. The most common scenario a user experiences when browsing the internet is redirection through an HTTP 302 response, which the attacker intercepts and answers in plain HTTP. This scenario can also be used undetected in Wi-Fi Eavesdropping.
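To make the mechanism of Section 2.1 concrete, the following Python example (added here; it is not code from the paper) builds ARP request and reply frames byte by byte, models a host whose ARP cache accepts any reply, exactly the flaw the paper describes, and shows the two forged replies that put the attacker between a client and its gateway. It also includes an arpwatch-style detector that flags an IP address whose MAC changes, which is the kind of detection Section 3 says is otherwise hard. The addresses and the whole exchange are constructed for the example; nothing is sent on a real network.

```python
"""ARP poisoning of a stateless ARP cache, plus an arpwatch-style detector.

Added illustration for Section 2.1; all addresses are constructed for the example.
"""
import struct

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (42 bytes).

    op 1 = request: sent to the broadcast MAC, target hardware address zeroed.
    op 2 = reply: unicast to the target. The attacker simply sends replies nobody
    asked for, with his own MAC in the sender hardware address field.
    """
    eth_dst = BROADCAST if op == 1 else target_mac
    tha = ZERO_MAC if op == 1 else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype Ethernet (1), ptype IPv4 (0x0800), hlen 6, plen 4, opcode
    arp = struct.pack("!H HBBH".replace(" ", ""), 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(tha) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Extract the fields an ARP handler acts on."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    return {
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": fmt_mac(frame[22:28]), "sender_ip": fmt_ip(frame[28:32]),
        "target_mac": fmt_mac(frame[32:38]), "target_ip": fmt_ip(frame[38:42]),
    }


class StatelessArpCache:
    """The flaw the paper describes: a reply updates the cache whether or not
    this host ever sent a request for that address."""

    def __init__(self, own_ip):
        self.own_ip, self.table = own_ip, {}

    def on_frame(self, frame):
        p = parse_arp(frame)
        if p["op"] == 2 or p["target_ip"] == self.own_ip:
            self.table[p["sender_ip"]] = p["sender_mac"]  # no pending-request check
        return p


class ArpWatch:
    """Passive detector: remember the first MAC seen for each IP and alert
    whenever a later ARP packet claims a different one."""

    def __init__(self):
        self.known, self.alerts = {}, []

    def observe(self, frame):
        p = parse_arp(frame)
        ip, mac = p["sender_ip"], p["sender_mac"]
        previous = self.known.setdefault(ip, mac)
        if previous != mac:
            self.alerts.append((ip, previous, mac))
            self.known[ip] = mac
        return p


def poison_scenario():
    """Client and gateway talk normally; the attacker then poisons both caches."""
    client_ip, client_mac = "10.0.0.10", "aa:aa:aa:aa:aa:aa"
    gw_ip, gw_mac = "10.0.0.1", "bb:bb:bb:bb:bb:bb"
    attacker_mac = "cc:cc:cc:cc:cc:cc"
    client, gateway, watch = StatelessArpCache(client_ip), StatelessArpCache(gw_ip), ArpWatch()

    # Legitimate exchange: the client asks who has the gateway IP, the gateway answers.
    request = build_arp(1, client_mac, client_ip, ZERO_MAC, gw_ip)
    reply = build_arp(2, gw_mac, gw_ip, client_mac, client_ip)
    for frame in (request, reply):
        watch.observe(frame)
    gateway.on_frame(request)   # the gateway learns the requester from the request
    client.on_frame(reply)

    # Attack: one unsolicited reply to each victim, both carrying the attacker's MAC.
    to_client = build_arp(2, attacker_mac, gw_ip, client_mac, client_ip)
    to_gateway = build_arp(2, attacker_mac, client_ip, gw_mac, gw_ip)
    for frame in (to_client, to_gateway):
        watch.observe(frame)
    client.on_frame(to_client)
    gateway.on_frame(to_gateway)
    return client.table, gateway.table, watch.alerts


if __name__ == "__main__":
    client_table, gateway_table, alerts = poison_scenario()
    print("client cache :", client_table)
    print("gateway cache:", gateway_table)
    print("alerts       :", alerts)
```

After the two forged replies the client's cache maps the gateway's IP to the attacker's MAC and the gateway's cache maps the client's IP to the same MAC, so every frame between them is switched to the attacker, who only has to forward it. The detector needs a baseline: it raises an alert for a changed mapping, so it must have seen the legitimate traffic first, which is why such tools are run permanently rather than started after a suspicion.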
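The DNS spoofing race of Section 2.2 rests entirely on the 16-bit transaction ID. The following Python example (added here, not part of the paper) builds a query and a forged response with the standard library only, implements the resolver rule the paper describes (the first response whose ID and question match the outstanding query is trusted) and shows why an attacker who can read the query, for instance from the ARP-spoofing position of Section 2.1, always wins while a blind attacker has one chance in 65536 per forged packet. The names, addresses and the fixed transaction IDs used in the demonstration are constructed.

```python
"""DNS transaction-ID race: an on-path attacker reads the ID, a blind one must guess it.

Added illustration for Section 2.2; names and addresses are constructed for the example.
"""
import random
import struct

LEGIT_IP, ROGUE_IP = "198.51.100.10", "192.0.2.66"   # constructed example addresses


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed name at offset; return (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode())
        off += n


def build_query(txid, name):
    # flags 0x0100: standard query, recursion desired; one question, no RRs
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)      # QTYPE A, QCLASS IN


def build_response(txid, name, ip):
    # flags 0x8180: response, recursion desired and available, NOERROR
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, 60, len(rdata)) + rdata
    return header + question + answer


def parse_message(msg):
    txid, flags, _qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                   # skip QTYPE and QCLASS
    answer = None
    if ancount:
        _, off = decode_name(msg, off)
        _, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answer = ".".join(str(b) for b in msg[off:off + rdlen])
    return {"txid": txid, "is_response": bool(flags & 0x8000), "qname": qname, "answer": answer}


class StubResolver:
    """The paper's rule: the first response carrying the outstanding transaction ID
    (and the same question) is trusted; anything arriving later is ignored."""

    def __init__(self, txid_source=None):
        self.txid_source = txid_source or (lambda: random.SystemRandom().randrange(1 << 16))
        self.pending = {}                      # txid -> queried name

    def send_query(self, name):
        txid = self.txid_source()
        self.pending[txid] = name
        return build_query(txid, name)

    def receive(self, msg):
        p = parse_message(msg)
        if not p["is_response"] or self.pending.get(p["txid"]) != p["qname"]:
            return None                        # ID or question mismatch: silently dropped
        del self.pending[p["txid"]]            # first matching answer wins
        return p["answer"]


def race(attacker_sees_query, blind_guess=0x1234, txid_source=None):
    """The forged answer reaches the client before the real one.
    Returns the address the client ends up using."""
    resolver = StubResolver(txid_source)
    query = resolver.send_query("bank.example")
    real_txid = parse_message(query)["txid"]
    # On-path attacker (e.g. after ARP poisoning) copies the ID from the wire;
    # a blind attacker has to guess it.
    txid = real_txid if attacker_sees_query else blind_guess
    forged = resolver.receive(build_response(txid, "bank.example", ROGUE_IP))
    legit = resolver.receive(build_response(real_txid, "bank.example", LEGIT_IP))
    return forged if forged is not None else legit


if __name__ == "__main__":
    print("on-path attacker :", race(True, txid_source=lambda: 0x4A3F))
    print("blind attacker   :", race(False, txid_source=lambda: 0x4A3F))
```

Real resolvers also randomize the UDP source port and may vary the case of the query name, which multiplies the blind attacker's search space; none of that helps against an attacker who sits on the path and reads the query, which is the paper's point. DNSSEC (Section 3) is the countermeasure that makes a forged answer detectable regardless of its transaction ID.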
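The following Python example (added here; not the paper's code) models the two sides of the SSL stripping attack of Section 2.3: a proxy that rewrites the server's HTTPS redirect and links so that the victim stays on plain HTTP while the proxy itself talks HTTPS upstream, and a browser implementing HTTP Strict Transport Security (HSTS), the defense that removes the plaintext first request the attack depends on. The host names and server responses are constructed and the proxy works on in-memory messages, not on sockets.

```python
"""SSL stripping proxy logic and the HSTS behaviour that defeats it.

Added illustration for Section 2.3; hosts and responses are constructed for the example.
"""
import re
from urllib.parse import urlsplit, urlunsplit

HTTPS_REF = re.compile(r"https://[^\s\"'<>]+")

# Constructed server behaviour: the plain-HTTP front door redirects to HTTPS
# and sets HSTS; the login page posts its form over HTTPS.
SERVER_REDIRECT = (302, {"Location": "https://bank.example/login",
                         "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, "")
SERVER_LOGIN_PAGE = (200, {}, '<form action="https://bank.example/login">'
                              '<a href="http://cdn.example/logo.png">logo</a></form>')


class StrippingProxy:
    """Sits between the victim (plain HTTP) and the server (HTTPS).
    Every https:// reference the server sends is downgraded and remembered,
    so the victim's next plain request can be upgraded again upstream."""

    def __init__(self):
        self.downgraded = set()

    def _downgrade(self, url):
        if url.startswith("https://"):
            self.downgraded.add(url)
            return "http://" + url[len("https://"):]
        return url

    def rewrite_response(self, status, headers, body):
        headers = dict(headers)
        if "Location" in headers:                      # the HTTP 302 the paper mentions
            headers["Location"] = self._downgrade(headers["Location"])
        headers.pop("Strict-Transport-Security", None)  # never let the browser learn HSTS
        body = HTTPS_REF.sub(lambda m: self._downgrade(m.group(0)), body)
        return status, headers, body

    def rewrite_request(self, url):
        """Victim follows a downgraded link; the proxy restores HTTPS towards the server."""
        if url.startswith("http://"):
            candidate = "https://" + url[len("http://"):]
            if candidate in self.downgraded:
                return candidate
        return url


class Browser:
    """Minimal HSTS: once a host has sent Strict-Transport-Security over HTTPS
    (or is preloaded), any http:// navigation to it is upgraded before it leaves
    the machine, so there is no plaintext request for the proxy to catch."""

    def __init__(self, preload=()):
        self.hsts_hosts = set(preload)

    def learn(self, url, headers):
        parts = urlsplit(url)
        if parts.scheme == "https" and "Strict-Transport-Security" in headers:
            self.hsts_hosts.add(parts.hostname)       # HSTS over plain HTTP is ignored

    def navigate(self, url):
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in self.hsts_hosts:
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


def run_scenario(browser):
    """Victim types bank.example (plain HTTP) with the proxy in the path."""
    proxy = StrippingProxy()
    first = browser.navigate("http://bank.example/")
    if first.startswith("https://"):
        return {"stripped": False, "login_url": first, "form_action": None, "hsts_seen": True}
    _, headers, _ = proxy.rewrite_response(*SERVER_REDIRECT)
    login_url = headers["Location"]                   # now http://, victim stays in the clear
    upstream = proxy.rewrite_request(browser.navigate(login_url))
    _, _, body = proxy.rewrite_response(*SERVER_LOGIN_PAGE)
    form_action = re.search(r'action="([^"]+)"', body).group(1)
    return {"stripped": True, "login_url": login_url, "upstream": upstream,
            "form_action": form_action, "hsts_seen": "Strict-Transport-Security" in headers}


if __name__ == "__main__":
    print("first visit, no HSTS :", run_scenario(Browser()))
    print("preloaded HSTS       :", run_scenario(Browser(preload={"bank.example"})))
```

Against a browser that has never seen the site, the proxy delivers `http://bank.example/login` and a login form posting in plaintext, while it speaks HTTPS to the real server; the victim's only clue is the missing padlock. With HSTS known for the host, the browser's very first request is already HTTPS and the proxy has nothing to strip, which is why HSTS preloading matters for sites that users type in by hand.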
2.4. Wi-Fi Eavesdropping

This type of attack consists of creating a fake access point (AP) and letting other users connect to it. The most classic scenario is an AP without a password. Being in complete control of the AP, the attacker can sniff all traffic and also carry out SSL Stripping and HTTPS Spoofing successfully. The same can be done by broadcasting the SSID of a legitimate network, for example in a hotel or near a bank, so that the probability of capturing important information is higher.

2.5. HTTPS Spoofing

By presenting, for example, a fake website with a fake certificate, a malicious actor can receive the data, decrypt it, copy and modify it, and then pass the information on to the legitimate server. The data can be financial details, usernames, passwords, etc. In an internal LAN there are different scenarios for combining this with SSL Stripping, for example by using ARP spoofing. In an internet scenario, DNS Spoofing can be used to lead into SSL Stripping: the DNS record of a domain or website is changed to point to the IP of a fake host that presents a fake or a legitimate stolen certificate. This type of attack was used very widely during Covid-19, with fake sites presented as legitimate in order to steal valuable information or money.

2.6. DHCP Spoofing

Another way to perform MITM attacks is DHCP Spoofing, which can be executed in LAN networks. DHCP is a protocol based on a DHCP server that dynamically assigns every host connected to the network an IP address and other configuration such as subnet mask, DNS servers and default gateway. The attack used to perform DHCP Spoofing is the Rogue DHCP Server. In this type of attack, the attacker creates and adds to the network a rogue DHCP server that he controls. When a client connects to the network, it sends a request message to reach the DHCP servers. The request is received by both DHCP servers, the legitimate one and the fake one, but the client accepts the server that responds first. Usually the server closest to the client responds first, so to be sure that the rogue server responds first the attacker can use DHCP Starvation. With DHCP Starvation the attacker sends many requests to the legitimate server but never completes the exchanges the server answers, so the legitimate server runs out of free addresses to offer. The legitimate server cannot respond because it is being denied service, so the rogue server responds and sends the client its configuration. This configuration lists the attacker's IP address as the default gateway, so all the client's communication is directed to the attacker and controlled by him.

3. MITM Defense: Prevention and Detection

While MITM attacks may not be as common as malware (viruses, worms, ransomware) and phishing, they do present an increasing threat, amounting to roughly thirty-five per cent of all attacks. The reason they are less common is the effort that goes into setting up a MITM attack, which attackers can avoid by simply using ransomware instead. However, MITM attacks still present a threat to organizations in general.

There are a number of measures that have proved helpful in preventing a MITM attack. A simple approach is the use of Hypertext Transfer Protocol Secure (HTTPS), which offers a secure communication environment in a network context [8]. Well-known sites and browsers notify users if the connection they are using is not secure, which in general has greatly contributed to the decline of MITM attacks in public Wi-Fi spots. Upon such a notification, the Wi-Fi connection must be closed promptly to prevent further risk.

Relating to ARP Poisoning, methods for preventing the attack include using S-ARP instead of ARP, which solves the security issues of ARP but has problems with scalability. The second mode of prevention lies in the use of static ARP entries, in which a single IP is bound to a single MAC address. This is effective because an attacker's forged replies cannot overwrite the entry. However, it is not very sustainable because it requires the administrator to configure the static relationship between each IP and MAC address. Dynamic ARP Inspection (DAI) is a method that validates ARP packets in a given network. DHCP snooping needs to be implemented first, recording the bindings learned from the exchanged DHCP messages; DAI then discards ARP packets that do not match those records, offering proper protection against MITM attacks.

A well-known saying explains that prevention is better than cure, and nowhere is it more applicable than in the world of cybersecurity. The meaning lies in the fact that preventing an issue is much easier than detecting or fighting it. A common way to help with prevention is the application of encryption. Using cryptographic protocols that offer proper data encryption, among which TLS (Transport Layer Security) and previously SSL, which is now deprecated, is a great way to prevent these attacks. Flaws found in SSL have rightly led to the deprecation of the protocol, and TLS has taken over, proving to be much more effective at encryption and authentication. It should be mentioned that continuous updates have been made to both protocols in order to repair flaws or increase their capabilities and mechanisms to adapt to continuing technological advancements.

In TLS, the communication process is built on a public-key infrastructure, meaning the identity of the parties can be authenticated via public-key cryptography. Thus, the connection is private, as the data transmitted is encrypted using keys that are generated uniquely for each connection. This authentication is what generally prevents a MITM attack: when the end user and the server are validated, an attacker cannot access or decrypt the data being transmitted without knowledge of the session keys. It should be noted that in the common web case only the server is authenticated by a certificate; mutual authentication requires the client to present a certificate as well, and a client that does not verify the server's certificate and host name gains no protection against MITM at all.

Another method of prevention is the DNS (Domain Name System) extension named DNSSEC (Domain Name System Security Extensions). This extension remedies the lack of mechanisms in DNS to authenticate data and originators, thus helping against MITM DNS Spoofing attempts and DNS cache poisoning. DNSSEC does this by adding authentication of the origin of the data. However, it should be mentioned that for DNSSEC to be a valid countermeasure against MITM attacks and to maintain data origin authenticity and integrity, both servers and resolvers must use the DNSSEC protocol [3].

A quite effective way of preventing a MITM attack is using Virtual Private Networks (VPN) [9]. As the name suggests, a VPN is practically the extension of a private network over a public network (usually the Internet), enabling users to communicate on top of the public network as if they were connected to a private network. This is usually associated with increased security and proper encryption to prevent attempts to read or manipulate transferred data and the overall communication. In the MITM context, a VPN hides the user's communication route and encrypts their network traffic as well as hiding the IP address [9]. This concealment makes it very difficult for an attacker on the local network to read the traffic or trace the IP address and in turn mount a proper attack. The VPN moves the trust boundary rather than removing it: the VPN endpoint still sees the traffic, and the tunnel itself must be authenticated so that it cannot be intercepted in the same way.

Another issue worth mentioning is the use of viruses in MITM attacks. As mentioned previously, attackers use whatever method is easiest for them and brings the best results. One such method is something of a hybrid between malware and a MITM attack: malware is used to start off the MITM attack. Thus, it is important for a user to have proper antivirus software installed on their device beforehand in order to protect against malware infections that conceal bigger threats.

Regarding prevention methods for the Rogue DHCP Server MITM attack, a good prevention method is DHCP Snooping [11]. Its main job is to improve the security of DHCP by effectively blocking malicious or unacceptable traffic. DHCP Snooping is configured on switches so that they can control the DHCP server responses that they receive, accepting them only on ports marked as trusted.

Regarding the prevention of DHCP Starvation, it can be handled via port security. What port security does is limit the number of MAC addresses allowed on a switch port, which prevents the flood of spoofed clients that DHCP starvation relies on.
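The following Python example (added here, not from the paper) serves both the DHCP Spoofing attack of Section 2.6 and the switch-side defenses of Section 3: it replays a DHCP starvation flood, a rogue DHCP offer and a later ARP poisoning attempt through a model switch, first with no protection and then with DHCP snooping, Dynamic ARP Inspection and port security enabled. The port names, MAC and IP addresses and the message sequence are constructed for the example; the switch model captures the decision rules of the three features, not any vendor's configuration syntax.

```python
"""Rogue DHCP server, DHCP starvation and a follow-up ARP poisoning attempt,
replayed through a model switch with and without the layer-2 defenses.

Added illustration for Sections 2.6 and 3; ports and addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Msg:
    kind: str             # DISCOVER, OFFER, ACK (DHCP) or ARP_REPLY
    port: str             # switch port the frame arrives on
    src_mac: str
    ip: str = ""          # offered/acknowledged address, or ARP sender IP
    gateway: str = ""     # router option carried by OFFER/ACK
    client_mac: str = ""  # DHCP client an OFFER/ACK is addressed to


@dataclass
class Switch:
    trusted_ports: set = field(default_factory=set)    # where DHCP servers may live
    snooping: bool = False                             # DHCP snooping
    dai: bool = False                                  # Dynamic ARP Inspection
    max_macs_per_port: Optional[int] = None            # port security limit
    bindings: dict = field(default_factory=dict)       # ip -> (client_mac, client_port)
    client_ports: dict = field(default_factory=dict)   # client_mac -> port, from DISCOVER
    allowed_macs: dict = field(default_factory=dict)   # port -> MACs admitted so far
    dropped: list = field(default_factory=list)

    def forward(self, m: Msg) -> bool:
        """Return True if the frame is forwarded, False if the switch drops it."""
        allowed = self.allowed_macs.setdefault(m.port, set())
        if (self.max_macs_per_port is not None and m.src_mac not in allowed
                and len(allowed) >= self.max_macs_per_port):
            return self._drop(m, "port-security")     # too many source MACs on one port
        allowed.add(m.src_mac)
        if self.snooping:
            if m.kind in ("OFFER", "ACK") and m.port not in self.trusted_ports:
                return self._drop(m, "dhcp-snooping")  # server message from an access port
            if m.kind == "DISCOVER":
                self.client_ports[m.src_mac] = m.port
            if m.kind == "ACK":                        # lease granted: record the binding
                self.bindings[m.ip] = (m.client_mac, self.client_ports.get(m.client_mac))
        if self.dai and m.kind == "ARP_REPLY" and m.port not in self.trusted_ports:
            if self.bindings.get(m.ip) != (m.src_mac, m.port):
                return self._drop(m, "dai")            # IP/MAC/port not in the binding table
        return True

    def _drop(self, m: Msg, reason: str) -> bool:
        self.dropped.append((m.kind, m.port, reason))
        return False


def hardened_switch() -> Switch:
    return Switch(trusted_ports={"Gi0/1"}, snooping=True, dai=True, max_macs_per_port=3)


def run(switch: Switch) -> dict:
    server_port, client_port, attacker_port = "Gi0/1", "Gi0/2", "Gi0/5"
    server_mac, client_mac = "bb:bb:bb:bb:bb:bb", "aa:aa:aa:aa:aa:aa"
    attacker_mac = "cc:cc:cc:cc:cc:cc"

    # 0. The attacker's own host gets on the network like any client.
    switch.forward(Msg("DISCOVER", attacker_port, attacker_mac))
    # 1. DHCP starvation: DISCOVERs with a fresh spoofed MAC each, to exhaust the real pool.
    flood = sum(switch.forward(Msg("DISCOVER", attacker_port, f"02:00:00:00:00:{i:02x}"))
                for i in range(20))
    # 2. The victim asks for a lease; the rogue server is closer and answers first.
    switch.forward(Msg("DISCOVER", client_port, client_mac))
    offers = [Msg("OFFER", attacker_port, attacker_mac, "10.0.0.50", "10.0.0.66", client_mac),
              Msg("OFFER", server_port, server_mac, "10.0.0.20", "10.0.0.1", client_mac)]
    delivered = [o for o in offers if switch.forward(o)]
    chosen = delivered[0]                              # client takes the first offer it sees
    switch.forward(Msg("ACK", chosen.port, chosen.src_mac, chosen.ip, chosen.gateway, client_mac))
    # 3. Later the attacker also tries ARP poisoning, claiming the gateway's address.
    rogue_arp = switch.forward(Msg("ARP_REPLY", attacker_port, attacker_mac, chosen.gateway))
    client_arp = switch.forward(Msg("ARP_REPLY", client_port, client_mac, chosen.ip))
    return {"flood_forwarded": flood, "gateway": chosen.gateway,
            "rogue_arp_forwarded": rogue_arp, "client_arp_forwarded": client_arp,
            "drop_reasons": sorted({reason for _, _, reason in switch.dropped})}


if __name__ == "__main__":
    print("plain switch   :", run(Switch()))
    print("hardened switch:", run(hardened_switch()))
```

On the unprotected switch all twenty spoofed DISCOVERs go through, the victim takes the rogue offer and ends up with 10.0.0.66, the attacker, as its default gateway, and the later forged ARP reply is forwarded as well. On the hardened switch port security admits only the first three MACs on the attacker's port, DHCP snooping drops the rogue OFFER because it arrives on an untrusted port, the legitimate ACK on the trusted port creates the binding 10.0.0.20 to the client's MAC and port, and DAI drops the attacker's ARP reply because no binding ties the gateway's address to his MAC, while the client's own ARP reply still passes.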
A very big reason why prevention is so incredibly important when considering MITM attacks is that detecting a MITM attack is incredibly difficult. If one is not actively searching for a Man-In-The-Middle attack, it can go unnoticed for quite some time, which in effect gives the attacker enough time to do what he requires before proper measures are taken. What can be done in these cases is tamper detection, which in practice checks the timing and latency of an ongoing communication. Increased latency may reveal an attack in progress if records show that such a communication should not take the measured time.

4. Future Works

MITM attacks have many forms of implementation, and this paper presents and analyzes them theoretically. A good direction for future work is the practical implementation of these attacks in real-world scenarios and their combination with other types of attacks such as DoS, sniffing and phishing. A very interesting aspect is protection against MITM attacks. Day by day the number of internet devices is increasing, so protection is very important. One could analyze and test how successful the defensive approaches explained in this paper are and what can be done to improve them. Protection also includes the prevention and detection of these attacks before they happen, which is done by creating algorithms and frameworks and implementing them in practice. Another good direction for future work is analyzing whether new technologies such as 5G are protected against MITM attacks.

5. Conclusions

Network and data security are and will continue to be an interesting topic in computer science. The increase in the number of internet users and in the services offered online makes this topic really important. Many of these services use users' personal data, and they do not always offer security and protection. Security problems can be caused by user carelessness, but many times they are caused by the network protocols. There are many network security threats, but this paper focused on Man-in-the-Middle (MITM) attacks. Firstly, the paper analyzed what MITM attacks are, and then it explained the different ways in which these attacks can be implemented. The most commonly used attack is ARP Spoofing, but the paper also examined DNS Spoofing and DHCP Spoofing. For every type of attack, the paper also analyzed the best practices that offer protection. It is important to note that online security cannot be achieved only by securing the network; it must be combined with the caution and care of the network user.

6. References

[1] N. R. Gade and U. Reddy, "A Study of Cyber Security Challenges and Its Emerging Trends on Latest Technologies," 2014.
[2] M. Conti, N. Dragoni and V. Lesyk, "A Survey of Man in the Middle Attacks," IEEE Communications Surveys & Tutorials, vol. 18, 2016, doi: 10.1109/COMST.2016.2548426.
[3] S. Ariyapperuma and C. J. Mitchell, "Security vulnerabilities in DNS and DNSSEC," The Second International Conference on Availability, Reliability and Security (ARES'07), Vienna, 2007, pp. 335-342, doi: 10.1109/ARES.2007.139.
[4] J. Forshaw, Attacking Network Protocols: A Hacker's Guide to Capture, Analysis, and Exploitation, William Pollock, 2018, pp. 95-103.
[5] S. Prowell, R. Kraus and M. Borkin, Seven Deadliest Network Attacks (Seven Deadliest Attacks), Syngress, 2010.
[6] M. Gregg, Certified Ethical Hacker (CEH) Cert Guide, Pearson, Indianapolis, 2014.
[7] I. Green, "DNS Spoofing by The Man In The Middle," SANS Institute, 2005.
[8] B. Hartpence, Packet Guide to Core Network Protocols, O'Reilly Media, 2011, pp. 30-70.
[9] A. Amine, O. Ait Mohamed and B. Benatallah, Network Security Technologies: Design and Applications, IGI Global, 2013, pp. 156-157.
[10] B. Raju, "MITM Attacks through ARP poisoning," 2016. [Online]. Available: https://www.researchgate.net/publication/313568165_MITM_Attacks_through_ARP_poisoning
[11] H. Mukhtar, K. Salah and Y. Iraqi, "Mitigation of DHCP starvation attack," Computers & Electrical Engineering, vol. 38, pp. 1115-1128, 2012, doi: 10.1016/j.compeleceng.2012.06.005.