Man In The Middle Attack Prevention And Detection

Protectimus
5 min read · Mar 2, 2020

In an age of dependence on contemporary technologies, cybersecurity deserves more attention than ever before. We leave a huge trace of our personal identity online, not to mention the enormous digital trail we leave in social networks when we post photos with geolocation, repost the news and thoughts we consider important, and comment on everything we have an opinion about. We also use online banking for almost all our payments, and e-governance services to avoid facing bureaucracy in person. Remember, every byte of such sensitive data can be stolen and used against you. You can lose all your money, and even more than that, if you become a victim of a hacker attack.

And one of the most dangerous and inconspicuous hacking techniques is the man in the middle attack. If it happens while you transmit sensitive data to your bank or, for example, the tax office, you won’t even notice that something is wrong, while the attacker is stealing your login credentials and any other information he/she needs to compromise you.

In this article, we’ll explain:

So, let’s begin!

What Is Man In The Middle Attack?

Before we start digging into how to stop man in the middle attack, we should be on the same page regarding what it is.

A man in the middle attack is the digital equivalent of eavesdropping. It may occur when a device transmits data to a server or website. For instance, it may be a user’s smartphone that sends the location to the server of an app installed on it or a computer sending login credentials to the bank server. The attacker can intercept the data that is being exchanged. If the connection is not secure, the attacker won’t even have to decrypt the data.

After the data is captured, the original data is usually forwarded to the destination server, though in some cases the attacker may modify it, depending on his/her purpose.

Man In The Middle Attack Explained

So, now let’s explain the man in the middle attack in detail. You could easily have found yourself under a man in the middle attack before you even had your first computer. The thing is that there can be a man in the middle of any channel used for data exchange. For instance, unbeknownst to you, the mailman could take all the letters that you wrote, open the envelopes, read them, reseal them so that nobody could tell they had been opened, and send them on to the addressee. If you think “oh, I wouldn’t mind anyone knowing what I write in my letters”, think twice. What if you sent some legal papers? Or business plans?

If we return to our present Internet age, think again: what data do you send to servers? It could be anything from exchanging funny memes to approving transactions via online banking systems.

In the online world, a man in the middle cyber attack works in the same way. For instance, let’s imagine you connect to a Wi-Fi network in a public place that does not require a password. Of course, you don’t know that this network may have been created by an attacker waiting for you to transmit some sensitive information. In this scenario, if you try to browse a well-protected website over the man in the middle Wi-Fi, you would probably get a message saying that the connection is not secure.

But if there is no such message or you don’t pay attention and decide to proceed anyway, you will see the page you were expecting to see. Everything will seem to be as usual. However, in fact, the attacker could have created a fake server that would intercept the page sent to you by the website server and modify it a bit to collect the data you enter on the page. The only difference is that such a server would not possess the necessary security certificate. This is why to prevent a man in the middle attack HTTPS is used for online banking, the login pages, emails, etc.
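The certificate check is what makes the fake server in this scenario visible to the client. The following Python example is added here and is not code from the original post: it shows the hardened TLS client configuration beside the weak one that some applications ship to silence certificate errors, and a minimal hostname match against a certificate's subjectAltName entries in the dict shape that Python's ssl.SSLSocket.getpeercert() returns. The sample certificate and the hostnames bank.example and attacker are constructed for illustration; in real code the name check is performed by the ssl module itself once check_hostname is on.

```python
"""Client-side TLS settings that defeat a certificate-less fake server.

Added example, not from the original post. SAMPLE_CERT is constructed and
mirrors the dict shape of ssl.SSLSocket.getpeercert(); bank.example is a
placeholder hostname.
"""
import ssl
from typing import Dict, Tuple


def make_client_context(verify_peer: bool = True) -> ssl.SSLContext:
    """Return a TLS client context.

    verify_peer=True is the hardened form: the server must present a
    certificate that chains to a trusted CA and names the host we asked for.
    verify_peer=False is the weak form used to "make the error go away";
    it accepts any certificate, including one presented by an interceptor.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify_peer:
        # Order matters: check_hostname must be off before CERT_NONE is accepted.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_resists_mitm(ctx: ssl.SSLContext) -> bool:
    """True only if the context validates the chain AND checks the hostname."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def _label_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a hostname, RFC 6125 style:
    exact match, or a lone '*' as the leftmost label matching exactly one
    label. Partial wildcards and TLD-level wildcards are rejected."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: Dict, host: str) -> bool:
    """Check the DNS subjectAltName entries of a getpeercert()-style dict."""
    san: Tuple = cert.get("subjectAltName", ())
    return any(kind == "DNS" and _label_matches(name, host) for kind, name in san)


# Constructed sample certificate: issued to the bank's names, nothing else.
SAMPLE_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
}


if __name__ == "__main__":
    print("hardened context resists MITM:", context_resists_mitm(make_client_context(True)))
    print("weak context resists MITM:", context_resists_mitm(make_client_context(False)))
    for h in ("bank.example", "www.bank.example", "a.b.bank.example", "bank.example.attacker"):
        print(f"{h}: {cert_matches_host(SAMPLE_CERT, h)}")
```

A client built with make_client_context(True) refuses the interceptor's page instead of rendering it, which is the behaviour the "connection is not secure" warning represents in a browser; the same two properties, chain validation and hostname matching, are what to audit in any HTTP client or mobile app code that talks to a bank or login endpoint.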

Read also: Social Engineering: What It Is and Why It Works

How MITM Attacks Are Performed — 8 Key Techniques

In order to avoid a man in the middle attack, we need to know our enemy. So, let’s take a look at 8 key techniques that can be used to perform a man in the middle attack. This will help you protect your business and customers better.

1. ARP Poisoning

ARP (Address Resolution Protocol) is used to resolve IP addresses to physical MAC (media access control) addresses in a local network. When a host needs to talk to a host with a given IP address, it references the ARP cache to resolve the IP address to a MAC address.

If the address is not known, a request is made asking for the MAC address of the device with the IP address. At this stage, the attacker intercepts the ARP query and sends a forged packet to the source computer. The forged packet associates the IP address from the ARP query with the MAC address that belongs to the attacker’s machine. The same thing is done to the target machine to fool it into thinking that the attacker’s machine is the sender.

Thus, the attacker can see the whole data exchange, record the data that is being transferred, and deliver it to the intended network component without either party noticing that data theft is going on.
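The two observable symptoms of ARP poisoning are an IP address whose MAC suddenly changes (most tellingly, the gateway's) and a single MAC that claims several IP addresses, since the attacker has to claim both victims' addresses to sit between them. The following Python monitor is an added example, not code from the original post or from Protectimus: it consumes a stream of ARP replies, keeps the IP-to-MAC and MAC-to-IP mappings, and raises alerts on both symptoms. The log lines, addresses and the "ts sender_ip sender_mac" format are constructed; in practice the replies would come from a packet capture on the segment being watched.

```python
"""Passive ARP-poisoning detector.

Added example, not from the original post. ArpReply carries the two fields
of an ARP reply that matter here ("I am IP X, reach me at MAC Y"). The
SAMPLE_LOG below is constructed and uses private addresses.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ArpReply:
    ts: float          # timestamp in seconds; any monotonic clock will do
    sender_ip: str     # the IP the reply claims to be
    sender_mac: str    # the MAC it says that IP lives at


@dataclass
class Alert:
    ts: float
    kind: str
    detail: str


@dataclass
class ArpMonitor:
    gateway_ip: str    # the router: the address an interceptor most wants to claim
    ip_to_mac: Dict[str, str] = field(default_factory=dict)
    mac_to_ips: Dict[str, Set[str]] = field(default_factory=dict)
    alerts: List[Alert] = field(default_factory=list)

    def observe(self, r: ArpReply) -> None:
        mac = r.sender_mac.lower()
        ip = r.sender_ip

        # Symptom 1: a known IP now answers from a different MAC.
        prev = self.ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            kind = "GATEWAY_MAC_CHANGE" if ip == self.gateway_ip else "IP_MAC_CHANGE"
            self.alerts.append(Alert(r.ts, kind, f"{ip}: {prev} -> {mac}"))
        self.ip_to_mac[ip] = mac

        # Symptom 2: one MAC claims more than one IP. On its own this is a
        # weaker signal, because multi-homed hosts legitimately own several
        # addresses, so it is only raised when the set of claimed IPs grows.
        ips = self.mac_to_ips.setdefault(mac, set())
        if ip not in ips:
            ips.add(ip)
            if len(ips) > 1:
                self.alerts.append(Alert(r.ts, "MAC_CLAIMS_MULTIPLE_IPS",
                                         f"{mac} claims {sorted(ips)}"))


def parse_replies(text: str) -> List[ArpReply]:
    """Parse lines of 'ts sender_ip sender_mac' (a constructed log format)."""
    replies = []
    for line in text.strip().splitlines():
        ts, ip, mac = line.split()
        replies.append(ArpReply(float(ts), ip, mac))
    return replies


# Constructed sample: the real gateway and a host answer first, then a third
# MAC (cc:...:99) claims both of their addresses, which is what poisoning looks like.
SAMPLE_LOG = """
1.0 192.168.1.1  aa:aa:aa:aa:aa:01
2.0 192.168.1.20 bb:bb:bb:bb:bb:20
3.0 192.168.1.1  cc:cc:cc:cc:cc:99
4.0 192.168.1.20 cc:cc:cc:cc:cc:99
5.0 192.168.1.1  cc:cc:cc:cc:cc:99
"""


def run_demo() -> ArpMonitor:
    """Feed the constructed log through a monitor and return it for inspection."""
    mon = ArpMonitor(gateway_ip="192.168.1.1")
    for reply in parse_replies(SAMPLE_LOG):
        mon.observe(reply)
    return mon


if __name__ == "__main__":
    for a in run_demo().alerts:
        print(f"t={a.ts:.0f} {a.kind}: {a.detail}")
```

Run against the sample log, the monitor reports the gateway's MAC changing at t=3, the host's MAC changing at t=4, and the same third MAC claiming both addresses; the repeated claim at t=5 adds nothing, so the alert list stays short enough to act on. Static ARP entries for the gateway on critical hosts and Dynamic ARP Inspection on managed switches are the usual mitigations once such alerts appear.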

2. ICMP MITM

The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating, for example, that a requested service is not available or that a host or router could not be reached.

In the case of an ICMP MITM attack, the attacker first looks for network hosts that are down. When other machines in the network ping these hosts, the attacker responds with a successful ping reply. The machine then starts exchanging data with the attacker’s machine, thinking that it is the host it was looking for.

3. DNS MITM

The attacker identifies all the DNS (Domain Name System) servers that are part of the targeted network. This can be done by watching for DNS queries, which are made on port 53. After that, the attacker uses the ARP poisoning method described above to fool the source machine into sending its DNS queries to the attacker’s machine. If this attack succeeds, there is no limit to the damage that can be done to the security of the whole system. For instance, the hacker can use it to set up a phishing website and direct all the queries to it, thus stealing any data being exchanged.

Continue reading on Protectimus Blog: https://www.protectimus.com/blog/mitm-prevention-and-detection/


Protectimus

Two-factor authentication solutions for business and personal use. Secure your organization’s and user’s data with MFA: https://www.protectimus.com/