A Man-in-the-Middle attack is an online attack pattern in which an attacker physically or logically places a controlled system between the victim’s system and an internet resource used by the victim. The aim of the attacker is to intercept, read or manipulate the communication between the victim and the internet resource unnoticed.

What is a man-in-the-middle attack?

A man-in-the-middle attack (MitM attack) refers to the method where a hacker intercepts the data traffic between two communication partners, leaving both parties to think that they are only communicating with each other. Originally, these attacks were carried out by manipulating physical communication channels; in the era of shared public communication networks, the third party instead positioned itself logically between two or more communication partners. MitM attacks are primarily seen in computer networks, where there is an attempt to circumvent SSL/TLS encryption with the aim of obtaining secret information, usernames, passwords, or bank details. The basic course of a man-in-the-middle attack is as follows:

System A attempts to establish an encrypted connection with System B. Instead, the data flow is redirected by a criminal third party, so that the encrypted connection runs from System A to System C and is only then forwarded to System B. This means that whoever controls System C (usually the attacker) can see the data traffic in its entirety, record it, or manipulate it – often without either communication partner noticing that anything is wrong. In the World Wide Web context, System C presents itself to System A as the web server and to System B as the web browser. The following graphic illustrates the basic scheme of a Man-in-the-Middle attack.

Man-in-the-Middle attack pattern

In order to infiltrate data traffic between two or more systems, hackers use various techniques that target known vulnerabilities in online communication. One place to carry out LAN-internal man-in-the-middle attacks is, for example, the DHCP (Dynamic Host Configuration Protocol) service, which is responsible for allocating local IP addresses, as well as ARP (Address Resolution Protocol), which determines hardware addresses (Media Access Control, MAC). Man-in-the-middle attacks can be performed on a global scale by manipulating DNS servers, which are responsible for resolving internet addresses into public IPs. Hackers also exploit security gaps in outdated browser software or provide rogue WiFi access points to unsuspecting internet users. These attack patterns are typically automated by software. If attacks are carried out by people in real time, they are known as human-assisted attacks.

DHCP starvation attack

In DHCP-based attacks, a computer under the hacker’s control is set up as a DHCP server within a Local Area Network (LAN). This kind of server is a central component of the local network and is responsible for allocating the network configuration to the other computers in the LAN. This usually happens automatically: as soon as a computer connects to the LAN for the first time, the DHCP client of its operating system asks for information such as a local IP address, network mask, default gateway address, and the address of the responsible DNS server. It sends out a broadcast to all devices on the LAN and waits for an answer from a DHCP server. The first complete answer to arrive is accepted.

A fake DHCP server gives hackers the possibility to control the allocation of local IP addresses, to set the default gateway and DNS server on the deceived computer, and thereby to redirect the outbound traffic of any computer in the LAN in order to intercept or manipulate its content.

Since this attack pattern is based on manipulating the DHCP system, it is known as DHCP spoofing. This kind of man-in-the-middle attack does, however, require the attacker to be on the same LAN as the victim. Hotel LANs and public WiFi networks are therefore at particular risk of DHCP-based attacks. If the attacker wants to infiltrate a wired corporate network, they must first obtain physical access to the LAN in order to introduce the fake DHCP server.

Internet users can take measures against DHCP spoofing, such as being cautious when using unknown networks. It is advisable to use security-sensitive web applications such as online banking or shopping portals only in known and trusted LANs, such as your private home network or the one at work.
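The DHCP exchange described above, viewed from the defender’s side as an added example (not code from the original article): the function below audits a sequence of constructed DHCPOFFER records, reports the configuration the client ends up with under the first-answer-wins rule, and flags offers from servers that are not on a trusted list, in the way a switch’s DHCP snooping feature does. The trusted server list, subnet and offer values are assumed sample data.

```python
"""Audit the DHCP offers a client sees, as a DHCP-snooping switch would.

Added example, not code from the original article or any vendor's feature.
A client takes the first DHCPOFFER that arrives, so an attacker's server
that answers faster than the real one decides the client's gateway and DNS.
Offers are constructed dicts, not parsed packets.
"""
import ipaddress


def audit_dhcp_offers(offers, trusted_servers, lan_subnet):
    """Return the accepted configuration plus a list of alerts.

    offers: dicts with keys server_id, yiaddr, router, dns, in arrival order.
    trusted_servers: set of server IPs allowed to answer on this LAN.
    lan_subnet: CIDR string such as "192.168.1.0/24".
    Alerts are (offer_index, reason, value) tuples.
    """
    net = ipaddress.ip_network(lan_subnet)
    alerts = []
    for i, offer in enumerate(offers):
        if offer["server_id"] not in trusted_servers:
            alerts.append((i, "untrusted-server", offer["server_id"]))
        if ipaddress.ip_address(offer["router"]) not in net:
            alerts.append((i, "router-outside-lan", offer["router"]))
    accepted = offers[0] if offers else None  # first answer wins
    return {
        "accepted_server": accepted["server_id"] if accepted else None,
        "gateway": accepted["router"] if accepted else None,
        "dns": accepted["dns"] if accepted else None,
        "accepted_is_rogue": accepted is not None
        and accepted["server_id"] not in trusted_servers,
        "alerts": alerts,
    }


# Constructed offers: the rogue host 192.168.1.66 answers before the real
# server 192.168.1.1 and names itself as both gateway and DNS server.
SAMPLE_OFFERS = [
    {"server_id": "192.168.1.66", "yiaddr": "192.168.1.120",
     "router": "192.168.1.66", "dns": "192.168.1.66"},
    {"server_id": "192.168.1.1", "yiaddr": "192.168.1.120",
     "router": "192.168.1.1", "dns": "192.168.1.1"},
]

if __name__ == "__main__":
    result = audit_dhcp_offers(SAMPLE_OFFERS, {"192.168.1.1"}, "192.168.1.0/24")
    print("client gateway:", result["gateway"], "rogue:", result["accepted_is_rogue"])
    for alert in result["alerts"]:
        print("alert:", alert)
```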

ARP cache poisoning

ARP is a network protocol used to map IP network addresses to the hardware addresses used by data link protocols. For a computer to send data packets within a network, it must know the hardware address of the recipient system. For this purpose, an ARP request is sent as a MAC broadcast to all systems in the LAN. It contains both the MAC and IP address of the inquiring computer as well as the IP address of the requested system. When a computer in the network receives such an ARP request, it checks whether the packet contains its own IP address as the recipient IP. If so, it sends an ARP reply with the sought MAC address back to the requesting system.

The mapping of this MAC address to the IP address is stored in table form in the so-called ARP cache of the requesting computer. This is where ARP cache poisoning starts. The aim of this attack pattern is to manipulate the ARP tables of various computers in the network through fake ARP replies, for example by presenting a computer under the attacker’s control as the WiFi access point or the gateway to the internet.

If ARP spoofing is successful, attackers are able to read, record, or manipulate all outbound data traffic from the affected computers before it is sent on to the real gateway. Just as with DHCP spoofing, ARP cache poisoning can only happen if the attacker is in the same LAN as the victim’s system. This kind of man-in-the-middle attack can be performed with simple programs such as the freeware tool Cain & Abel, which was originally developed to recover lost passwords, or alternatively with the software Ettercap.

As with DHCP-based attacks, users on a compromised LAN have no way of defending themselves against ARP spoofing. To prevent it from happening, users should therefore avoid unfamiliar networks or use them with care.
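As an added example (not part of the original article), the following code replays ARP replies into the kind of IP-to-MAC table a host keeps in its ARP cache and flags any reply that tries to rebind an already cached IP to a different MAC, which is the signature of a poisoned gateway entry. The reply records and the gateway address are constructed sample values.

```python
"""Detect ARP cache poisoning from a stream of ARP replies.

Added example, not code from the original article. It rebuilds the IP-to-MAC
table a host would keep in its ARP cache from the replies it sees and raises
an alert whenever a reply tries to rebind an IP that is already cached to a
different MAC, which is what a spoofed reply for the gateway does. Input is
a constructed list of (sender_ip, sender_mac) tuples, not a real capture.
"""


def check_arp_replies(replies, protected_ips=()):
    """Replay ARP replies into a cache and return the alerts raised.

    replies: (sender_ip, sender_mac) pairs in the order seen on the wire.
    protected_ips: IPs such as the default gateway whose binding must never
    change once learned; rebinding them is HIGH severity, other IPs LOW.
    Each alert is (severity, ip, cached_mac, offered_mac).
    """
    cache = {}  # ip -> mac, as a host's ARP cache would hold it
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = cache.get(ip)
        if known is None:
            cache[ip] = mac  # first binding seen: learned, not suspicious
        elif known != mac:
            severity = "HIGH" if ip in protected_ips else "LOW"
            alerts.append((severity, ip, known, mac))
            # A victim host would overwrite the entry here; the monitor keeps
            # the first binding so every later reply from the impostor is flagged.
    return alerts


# Constructed sample: the real router answers for 192.168.1.1 first, then a
# second host claims the same IP with its own MAC (a poisoning attempt).
SAMPLE_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # real gateway
    ("192.168.1.20", "aa:bb:cc:00:00:14"),  # ordinary client
    ("192.168.1.1", "DE:AD:BE:EF:00:99"),   # spoofed reply for the gateway
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # attacker repeats it
]

if __name__ == "__main__":
    for severity, ip, old, new in check_arp_replies(SAMPLE_REPLIES, {"192.168.1.1"}):
        print(f"{severity}: {ip} moved from {old} to {new}")
```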

DNS-based attacks

While ARP cache poisoning targets weaknesses in address resolution on the Ethernet, DNS cache poisoning focuses on the internet’s domain name system, which is responsible for resolving domain names into public IP addresses. In this kind of attack, hackers manipulate entries in the cache of a DNS server so that it answers requests with fake target addresses. The hacker can thus redirect internet users, without their knowledge, to any site on the internet. Known security gaps in older DNS server software are usually exploited for this.

DNS information is not stored on a single DNS server, but is distributed across numerous computers in the network. When a user wants to visit a site, they generally use its domain name, but to reach the appropriate server an IP address is needed. The user’s router determines this IP by sending a DNS request to the default DNS server specified in its configuration, which is usually the DNS server of the internet service provider (ISP). If resource records for the requested name are found, the DNS server answers the request with the appropriate IP address. Otherwise, it determines the requested IP with the help of other DNS servers: it sends corresponding requests to them and stores their responses temporarily in its cache.

Servers running an old version of the DNS software are the usual victims of such attacks. They accept and store not only the information that was specifically requested, but also additional information that was supplied alongside it. If hackers control a single DNS server, it is easy to deliver fake records together with each correct IP address and thus poison the cache of the requesting DNS server.
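The weakness just described, as an added example that is not the article’s own code or that of any real resolver: a small cache-ingestion routine that either stores everything a response supplies (the outdated behaviour) or applies a bailiwick check that keeps only records for names inside the zone the answering server is responsible for. Zone names and records are constructed sample values.

```python
"""Bailiwick check for the records a resolver receives in a DNS response.

Added example, not the article's own code or any real resolver's. A reply to
a query about one name may carry additional records about other names. A
resolver that caches everything supplied can have arbitrary entries planted
in its cache. Strict mode keeps only records whose owner name lies inside the
zone the queried server is responsible for (its bailiwick). Zone names and
records are constructed sample values.
"""


def in_bailiwick(name, zone):
    """True if name equals zone or is a subdomain of it (case-insensitive)."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def cache_response(cache, zone, records, strict=True):
    """Merge response records into cache; return the records that were rejected.

    cache: dict mapping (owner_name, rrtype) to a set of values.
    zone: the zone the answering server is authoritative for, e.g. "example.com".
    records: (owner_name, rrtype, value) tuples from the answer/additional sections.
    strict=False reproduces the naive behaviour of caching everything supplied.
    """
    rejected = []
    for owner, rrtype, value in records:
        if strict and not in_bailiwick(owner, zone):
            rejected.append((owner, rrtype, value))
            continue
        key = (owner.lower().rstrip("."), rrtype)
        cache.setdefault(key, set()).add(value)
    return rejected


# Constructed response from example.com's nameserver. The last two records are
# out of bailiwick: a compromised server would use them to plant a bogus
# address for an unrelated domain in the requesting resolver's cache.
RESPONSE = [
    ("www.example.com", "A", "203.0.113.10"),
    ("ns1.example.com", "A", "203.0.113.53"),
    ("bank.example.net", "NS", "ns1.example.com"),
    ("bank.example.net", "A", "198.51.100.66"),
]

if __name__ == "__main__":
    naive, strict = {}, {}
    cache_response(naive, "example.com", RESPONSE, strict=False)
    dropped = cache_response(strict, "example.com", RESPONSE)
    print("naive cache holds bank.example.net:", ("bank.example.net", "A") in naive)
    print("strict cache rejected:", dropped)
```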

The effectiveness of such man-in-the-middle attacks can be seen in past incidents where whole namespaces were redirected. It is practically impossible for users to protect themselves against these attacks, because they are carried out directly in the internet’s infrastructure. It is therefore the responsibility of operators to ensure that the DNS servers they provide run up-to-date software and are sufficiently secured. Under the name DNSSEC (Domain Name System Security Extensions), a set of internet standards was developed to extend DNS with security mechanisms that improve the authenticity and integrity of DNS data. Unfortunately, deployment of these standards is taking a long time.

Simulating WiFi access points

An attack pattern that especially targets mobile device users is based on simulating an access point in a public WiFi network, such as those provided in cafés or airports. Here, the hacker configures their computer so that it appears to offer an additional route to the internet – perhaps with a better signal quality than the real access point. If the attacker succeeds in deceiving an unsuspecting user into using this access point, they can see all the data traffic that passes through their system and can read and manipulate it before it reaches the real access point. If the access point requires authentication, the hacker can also capture all user names and passwords that the user enters when logging in. This is especially dangerous, and you are more likely to become a victim of such a man-in-the-middle attack, if your device is configured to connect automatically to the access point with the strongest signal.

To protect themselves from these attack patterns, internet users should only let their devices connect to familiar WiFi networks and ensure that they only use official access points.

Man-in-the-browser attack

A variant of the man-in-the-middle attack in which an attacker installs malware in an internet user’s browser in order to intercept data traffic is known as a man-in-the-browser attack. Computers that are not fully updated have security gaps that give attackers the opportunity to infiltrate the system. Once such a program has infiltrated the user’s browser, it hides in the background and records all data exchanged between the victim’s system and various websites. This attack pattern allows hackers to compromise a large number of systems with relatively little effort. Because the malware sits inside the browser itself, the data is captured before any transport encryption via TLS/SSL can take effect.

Internet users can prevent man-in-the-browser attacks effectively by making sure that all of the system’s software components are up to date and that known security gaps are closed by installing security updates.

Human-assisted attack

A human-assisted attack is one in which the attack pattern is not purely automatic but is instead controlled by one or more attackers in real time. This type of man-in-the-middle attack could proceed as follows: as soon as an internet user logs onto the website of their bank, the hacker, who has placed themselves between the user’s browser and the bank’s server, receives a signal. They can then steal session cookies and authentication information in real time and use them to gain access to usernames, passwords, and TANs.

Preventing Man-in-the-Middle attacks

As a rule, it is rarely possible for those affected to recognise that a Man-in-the-Middle attack is happening. The best protection is prevention. In the following list, we have compiled the most important tips on how internet users and website operators can minimise the risk of becoming the target of a MitM attack.

Tips for internet users:

  • Make sure that you always access websites through an SSL/TLS secured connection. In this case, the internet address begins with https. Plain HTTP connections are a security risk.
  • Verify that a website’s SSL certificate is current and issued by a trusted certificate authority, especially before you enter any credentials.
  • Always use the latest version of your preferred web browser and keep your operating system up to date.
  • Avoid the use of freely accessible VPNs or proxy servers.
  • Change your passwords regularly, use a separate password for each application and don’t reuse old passwords.
  • Avoid public WiFi hotspots – for example in hotels, train stations or shops.
  • If you need to use public networks, avoid downloads, don’t submit any credentials such as those for your email account or social networks – and never make online payments.
  • Use additional methods for secure login if the website operator offers them – for example, multi-factor authentication (MFA) with one-time passwords via token, SMS or smartphone app.
  • Do not click on links in emails from unknown senders; they might lure you to a malware-laden website.

Tips for website operators:

  • Protect your customers’ data by securing websites with customer logins using an up-to-date SSL certificate from a reliable certificate authority.
  • Offer your customers additional methods for secure login – such as multi-factor authentication via email.
  • Make clear to your customers that you never request login data by email, and avoid hyperlinks in customer emails.