December 31, 2010

Man in the Middle and Redirection Attacks

We used to play a game in which two people throw a ball to each other while a third person in the middle tries to intercept it; whoever loses the ball to the interceptor takes his place in the middle.

In the cyber world, the game of keep-away gets a new twist: the two players have no idea the man in the middle (MITM) exists. It works like this:

  • Computer A initiates a conversation with Computer B
  • Computer C intercepts that attempt and then relays the request to Computer B
  • Computer B responds, Computer C intercepts the response, and returns it to Computer A

While Computer C sits between A and B it can read or alter the data in transit, or even redirect it to an entirely different destination, while Computer A still believes it is receiving the information from Computer B.

The technique Computer C uses to get into the middle is ARP poisoning (Address Resolution Protocol poisoning), which works on what might be called a "pick me" approach. When Computer A wants to talk to B, ARP broadcasts a request to the network asking "who is B?". ARP has no authentication built in, so it has no way of determining whether a response ("pick me") really comes from B. Computer C can answer that it is Computer B, after which ARP will direct future requests for Computer B to the MITM, Computer C. Because nothing is authenticated, C can redirect all of the communication to a different recipient.
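As an added illustration (not part of the original post), the following Python checks a set of ARP reply records for exactly this symptom: one IP address being claimed by more than one MAC address. The capture lines are constructed and only loosely follow the `Reply <ip> is-at <mac>` wording of tcpdump; the optional `trusted` table of known-good mappings (for example the gateway) is an assumption of this example.

```python
"""Flag ARP replies in which one IP address is claimed by more than one MAC.

Added example: the capture below is constructed, not taken from the original post.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample: Computer B (192.168.1.20) answers with its own MAC, then a
# second station sends the "pick me" reply the post describes for the same IP.
SAMPLE_CAPTURE = """\
12:00:01.000 aa:aa:aa:aa:aa:aa > bb:bb:bb:bb:bb:bb, ARP, Reply 192.168.1.20 is-at aa:aa:aa:aa:aa:aa
12:00:01.500 cc:cc:cc:cc:cc:cc > bb:bb:bb:bb:bb:bb, ARP, Reply 192.168.1.20 is-at cc:cc:cc:cc:cc:cc
12:00:02.000 dd:dd:dd:dd:dd:dd > bb:bb:bb:bb:bb:bb, ARP, Reply 192.168.1.30 is-at dd:dd:dd:dd:dd:dd
"""

ARP_REPLY = re.compile(
    r"Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_replies(capture: str) -> list[tuple[str, str]]:
    """Return (ip, mac) pairs for every ARP reply line; other lines are ignored."""
    pairs = []
    for line in capture.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            pairs.append((m.group("ip"), m.group("mac").lower()))
    return pairs


def find_conflicts(pairs, trusted: dict[str, str] | None = None) -> dict[str, list[str]]:
    """Map each IP claimed by two or more distinct MACs to those MACs, in order seen.

    `trusted` (hypothetical known-good mappings) is seeded first, so a single reply
    that contradicts a trusted entry is reported as a conflict too.
    """
    claims: dict[str, list[str]] = defaultdict(list)
    for ip, mac in (trusted or {}).items():
        claims[ip].append(mac.lower())
    for ip, mac in pairs:
        if mac not in claims[ip]:
            claims[ip].append(mac)
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


if __name__ == "__main__":
    for ip, macs in find_conflicts(parse_replies(SAMPLE_CAPTURE)).items():
        print(f"ALERT: {ip} claimed by {', '.join(macs)}")
```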

Another way this can happen is DNS poisoning: a DNS server with vulnerabilities can be made to redirect a requested page to another site that is fully under the hacker's control. For example, we may request a bank's web page, but DNS poisoning may lead us to a look-alike site, and any details we enter there can easily be misused by the hacker.

A third route to man-in-the-middle redirection is Hosts file manipulation. Every Windows-based computer has a local Hosts file which, like DNS, maps domain names to IP addresses. Entries in the local Hosts file typically override DNS, and the Hosts file is generally more accessible to attackers, so malicious Hosts file manipulation is common.

The best way to avoid becoming the victim of a man in the middle is to run a good Internet security program with the latest updates. Check the security settings and keep them at the optimum level, keep the firewall turned on, and install security updates promptly. Browser updates should also be applied as soon as they are available.
