What is a man in the middle attack?

What is a man in the middle attack or MiTM attack

A man in the middle attack is a security attack in which an attacker inserts himself, undetected, into a communication between two parties and redirects the data so that it passes through a node he controls. It is a type of session hijacking. Let’s dive into what a man in the middle attack is, as well as how to prevent and detect this kind of attack.

Man in the middle attack or MiTM attack

The man in the middle attack, abbreviated as “MiTM attack”, consists of an attacker placing himself between two communicating parties while they believe they are communicating with each other directly and securely. The attacker redirects the data so that it passes through a node he controls, in order to monitor, relay and even change its content. The attacker’s goal is usually to steal personal data, such as login credentials or credit card information.

The MiTM attack is also known under many other names, such as:

  • Machine-in-the-middle attack.
  • Manipulator-in-the-middle attack.
  • Meddler-in-the-middle attack.

This kind of attack exists for many communication protocols. The man-in-the-middle attack is the most common cyberattack on the network layer of the OSI model.

Phases of a MiTM attack

The execution of a man in the middle attack is usually divided into two phases: interception and decryption.

Interception phase

Attackers use different methods to intercept data, such as:

  • Wi-Fi eavesdropping. The attacker sets up a Wi-Fi hotspot that is open to the public, has no password and carries a name matching its location. Once a user connects to the hotspot, the attacker gains visibility into that user’s data traffic.
  • IP spoofing. The attacker alters IP packet headers in order to impersonate another system or application. When a user attempts to connect to that system or application, the user is redirected to the attacker’s site.
  • ARP spoofing. The attacker links his own MAC address to the target’s IP address by sending forged Address Resolution Protocol (ARP) messages, so that data intended for the target is redirected to him.
  • DNS spoofing. The attacker uses modified DNS records to send traffic to a fraudulent site that resembles the real one. It is also known as DNS cache poisoning.
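
As an added, defender-side example (not part of the original article), the following Python detector shows how the ARP spoofing indicators described above can be spotted in a log of observed ARP replies: an IP address whose MAC mapping suddenly changes, a known gateway mapping that is contradicted, and a single MAC address that claims several IP addresses. The ARP reply log is constructed for the example, and the `trusted` gateway mapping passed by the caller is an assumption about the local network.

```python
"""Spot ARP spoofing indicators in a log of observed ARP replies (added example)."""
from collections import defaultdict

# Constructed sample: (timestamp, sender IP, sender MAC) taken from ARP replies.
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # legitimate gateway
    (2.0, "192.168.1.20", "aa:bb:cc:00:00:20"),  # ordinary host
    (3.5, "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by a different MAC
    (4.0, "192.168.1.30", "de:ad:be:ef:00:99"),  # the same MAC also claims another IP
    (5.0, "192.168.1.1", "de:ad:be:ef:00:99"),   # repeated claim on the gateway IP
]


def detect_arp_spoofing(replies, trusted=None):
    """Return a list of (timestamp, kind, ip, mac) alerts.

    trusted: optional {ip: mac} mapping of statically known hosts (e.g. the
    gateway); any reply contradicting it is flagged immediately.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ip_to_macs = defaultdict(set)   # which MACs have claimed each IP
    mac_to_ips = defaultdict(set)   # which IPs each MAC has claimed
    alerts = []

    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in trusted and trusted[ip] != mac:
            # A static mapping is contradicted: strongest indicator.
            alerts.append((ts, "trusted-mismatch", ip, mac))
        elif ip_to_macs[ip] and mac not in ip_to_macs[ip]:
            # The IP was previously seen with another MAC: possible poisoning.
            alerts.append((ts, "ip-mac-change", ip, mac))
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)

    # One MAC answering for several IPs is typical of an intermediary.
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append((None, "mac-claims-multiple-ips", ",".join(sorted(ips)), mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES, trusted={"192.168.1.1": "aa:bb:cc:00:00:01"}):
        print(alert)
```

In practice the same logic is run over ARP traffic captured on the segment; the static `trusted` mapping is the cheapest way to protect the gateway, which is the usual target of ARP poisoning.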

Decryption phase

After the interception phase, attackers use different methods to decrypt SSL/TLS traffic without being noticed:

  • HTTPS spoofing. The attacker sends a fake certificate to the user’s browser after the initial connection request to the secure site is made. Once the browser accepts the associated digital thumbprint, the attacker can access data before it is passed to the application.
  • SSL hijacking. The attacker passes counterfeit authentication keys to both the server and the client during the TCP handshake, thereby gaining control of the session.
  • SSL stripping. The attacker intercepts the TLS authentication to downgrade an HTTPS connection to HTTP, so that the user ends up using an unencrypted version of the application or site.

How to prevent a man in the middle attack

In order to prevent man in the middle attacks, it is essential to make sure proper certificates and encryption are in place. Enforcing restrictive corporate and user policies is just as important, as is educating users to use networks safely and to recognize the signs of a potential attack.

Prevention measures on the user side include, among others:

  • Using additional security methods whenever available, such as multi-factor authentication with one-time passwords.
  • Keeping passwords up to date and unique to each application, and avoiding the reuse of old passwords. Here are some password security best practices.
  • Logging out of secure applications when they are not in use.
  • Paying attention to browser warnings about insecure websites.
  • Avoiding unprotected, public Wi-Fi connections, especially when dealing with sensitive data.
  • When in doubt about the security of a connection, using a trusted or corporate VPN to route traffic through it, thus encrypting communications.

Mutual authentication

Mutual authentication plays an important role in preventing MiTM attacks. For instance, cryptographic protocols such as TLS enable the authentication of both parties using a public key infrastructure. The server and the client exchange certificates issued and verified by a trusted certificate authority to validate each other. If the identity of one of the parties cannot be verified or validated, the session ends.

As a best practice, applications should secure all pages with an up-to-date SSL/TLS certificate from a trusted certificate authority, not only those that require the user to log in.
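
The following Python snippet is an added example (not the article’s code) of what the mutual authentication described above looks like in practice with the standard `ssl` module. It places the configuration an intermediary exploits (certificate verification switched off) beside a client and a server context that each require a valid certificate from the other, and adds a small policy check of the kind a code review or test suite can run. The certificate and CA file paths are placeholders; nothing is loaded unless they are supplied, so the policy check itself runs without any key material.

```python
"""TLS contexts: insecure, one-way and mutual authentication (added example)."""
import ssl


def insecure_client_context():
    """Anti-pattern: accepts any certificate, so a forged one is never rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def mtls_client_context(cafile=None, certfile=None, keyfile=None):
    """Client that verifies the server against the CA and presents its own certificate.

    cafile/certfile/keyfile are placeholder paths (assumption), e.g. "ca.pem",
    "client.pem"; without them the system CA store is used and no client cert is sent.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True            # certificate must match the host we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED  # unverifiable server ends the handshake
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def mtls_server_context(cafile=None, certfile=None, keyfile=None):
    """Server that additionally demands a client certificate signed by the CA.

    The default for Purpose.CLIENT_AUTH is CERT_NONE (one-way authentication);
    CERT_REQUIRED is what turns it into mutual authentication.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # clients without a valid cert are rejected
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx, role):
    """Return a list of policy findings for a context; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if role == "client" and not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


if __name__ == "__main__":
    print("insecure client:", audit_context(insecure_client_context(), "client"))
    print("mTLS client:   ", audit_context(mtls_client_context(), "client"))
    print("mTLS server:   ", audit_context(mtls_server_context(), "server"))
```

Wrapping a socket with `mtls_server_context(...).wrap_socket(sock, server_side=True)` then fails the handshake for any client that cannot present a certificate chaining to the configured CA, which is exactly the "session ends" behaviour the paragraph above describes.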

How to detect a man in the middle attack

Tamper detection can be used to identify whether a communication has been altered. For instance, cryptographic hash functions and digital signatures can be used as an additional layer of protection against tampering. Examining changes in latency and response times can also help detect attacks in certain cases.

Furthermore, the use of advanced antivirus software on users’ devices can also help detect and prevent some types of MiTM attack.
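
As an added example of the tamper detection mentioned above (not code from the article), the Python block below attaches an HMAC-SHA256 tag, a keyed cryptographic hash, to each message and verifies it on receipt with a constant-time comparison. Any change to the payload made while the message is relayed invalidates the tag, and a relay that does not know the key cannot produce a new one. The key and the messages are constructed for the example; a digital signature with a public-key scheme gives the same tamper evidence without requiring a shared secret.

```python
"""Tamper detection with an HMAC-SHA256 tag over each message (added example)."""
import hashlib
import hmac
import json

# Constructed demo key; in practice derive a per-session key during the handshake.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def canonical(payload):
    """Stable serialisation so sender and receiver hash exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(key, payload):
    """Attach a tag that covers the whole canonical payload."""
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify(key, envelope):
    """Recompute the tag and compare in constant time; any edit to the payload fails."""
    payload = envelope.get("payload")
    if not isinstance(payload, dict):
        return False
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(envelope.get("tag", "")))


def relay_with_changes(envelope, **changes):
    """Model an intermediary that edits fields in transit but cannot recompute the tag."""
    modified = dict(envelope)
    modified["payload"] = {**envelope["payload"], **changes}
    return modified


if __name__ == "__main__":
    msg = protect(DEMO_KEY, {"to": "ACC-123", "amount": 100})
    print("untouched message verifies:", verify(DEMO_KEY, msg))
    print("edited message verifies:   ", verify(DEMO_KEY, relay_with_changes(msg, to="ACC-999")))
```

The tag only proves integrity and origin for someone holding the key; to also catch replayed messages, include a sequence number or timestamp in the payload and have the receiver reject values it has already seen.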
