The man-in-the-middle attack
Attackers might have different reasons to think and try targeting systems. Depending on the technologies and protocols, attackers can use various methods. One of the most used attacks targeting the systems and applications using TCP protocol is known as the MITM (Man in the middle) or bucket-brigade attack and sometimes Janus attack.
Dr Cetin defined the MITM as “the target host is fooled by making it think that it is connecting to a desired destination host when in fact it is connecting to the attacker host, The attacker host handles the connection to the desired destination host and proxies traffic between the two from that point on. The attacker host completely controls the connection and can view and/or modify information passing between the connection it has forged with the source and destination hosts. “(Cetin.et.al, 2002).
This attack has been applied to different systems, the technical details of implementation might vary depending on the protocols and the context but the principal is the same. The attacker sits in the middle between a client and backend system and performs the following steps presuming that the attackers and victims are in the same network :
1- The attacker waits for a legitimate device to start an authentication protocol, it captures the packets sent by the legitimate client.
2- The attacker initiate an authentication with the backend server
3- If a connexion is established between the attacker and the server, the attacker forwards the messages to the initial client. (Christianson.et.al, 2003).
Fig 1 : Representation of the MITM attack
Is the attack realistic?
The MITM attack is certainly realistic and has been used for long time to overcome security restrictions or gain higher privileges in some systems, but one of the spectacular uses of this attack is the one performed by the NSA against the Brazilian giant oil company Petrobras. Fantastico, a Brazilian television show exposed one of the most shocking presentation which discussed how the NSA runs man-in-the-middle-attacks on the internet.
The 13-minute news segment focused on the revelation that, according to the leaked files, the NSA apparently targeted Brazil’s state-run Petrobras oil producer for surveillance (Gallagher, 2013).
References
– Dr. Cetin Kaya Koc, Siva Sai Yerubandi & Weetit Wanalertlak (2002). SSH1 man in the middle attack. Computer Network Security. 930-33-9878, available at: http://www.cs.ucsb.edu/~koc/ns/projects/02Reports/YW.pdf
– Bruce Christianson, Bruno Crispo, James A. Malcolm and Michael Roe (2003). Security Protocols 11th International Workshop Cambridge, UK. ISSN : 0302-9743.
– Ryan Gallagher (2013). New Snowden Documents Show NSA Deemed Google Networks a “Target”. THE CITIZEN’S GUIDE TO THE FUTURE,SEPT 2013. Available at : http://www.slate.com/blogs/future_tense/2013/09/09/shifting_shadow_stormbrew_flying_pig_new_snowden_documents_show_nsa_deemed.html
Attackers might have different reasons to think and try targeting systems. Depending on the technologies and protocols, attackers can use various methods. One of the most used attacks targeting the systems and applications using TCP protocol is known as the MITM (Man in the middle) or bucket-brigade attack and sometimes Janus attack.
Dr Cetin defined the MITM as “the target host is fooled by making it think that it is connecting to a desired destination host when in fact it is connecting to the attacker host, The attacker host handles the connection to the desired destination host and proxies traffic between the two from that point on. The attacker host completely controls the connection and can view and/or modify information passing between the connection it has forged with the source and destination hosts. “(Cetin.et.al, 2002).
This attack has been applied to different systems, the technical details of implementation might vary depending on the protocols and the context but the principal is the same. The attacker sits in the middle between a client and backend system and performs the following steps presuming that the attackers and victims are in the same network :
1- The attacker waits for a legitimate device to start an authentication protocol, it captures the packets sent by the legitimate client.
2- The attacker initiate an authentication with the backend server
3- If a connexion is established between the attacker and the server, the attacker forwards the messages to the initial client. (Christianson.et.al, 2003).
Fig 1 : Representation of the MITM attack
Is the attack realistic?
The MITM attack is certainly realistic and has been used for long time to overcome security restrictions or gain higher privileges in some systems, but one of the spectacular uses of this attack is the one performed by the NSA against the Brazilian giant oil company Petrobras. Fantastico, a Brazilian television show exposed one of the most shocking presentation which discussed how the NSA runs man-in-the-middle-attacks on the internet.
The 13-minute news segment focused on the revelation that, according to the leaked files, the NSA apparently targeted Brazil’s state-run Petrobras oil producer for surveillance (Gallagher, 2013).
References
– Dr. Cetin Kaya Koc, Siva Sai Yerubandi & Weetit Wanalertlak (2002). SSH1 man in the middle attack. Computer Network Security. 930-33-9878, available at: http://www.cs.ucsb.edu/~koc/ns/projects/02Reports/YW.pdf
– Bruce Christianson, Bruno Crispo, James A. Malcolm and Michael Roe (2003). Security Protocols 11th International Workshop Cambridge, UK. ISSN : 0302-9743.
– Ryan Gallagher (2013). New Snowden Documents Show NSA Deemed Google Networks a “Target”. THE CITIZEN’S GUIDE TO THE FUTURE,SEPT 2013. Available at : http://www.slate.com/blogs/future_tense/2013/09/09/shifting_shadow_stormbrew_flying_pig_new_snowden_documents_show_nsa_deemed.html
