Man in the Middle Attack: What is it And How to Prevent it From Happening?

The internet boom of the modern century has led to an unimaginable level of digital expansion. Back in 1995, only 1% of the world had internet connectivity. Today that number stands at over 40%. However, with this surge in interconnectedness comes the added risk of security breaches and data leaks.

When the internet was first conceptualized, few could envision the sheer scope of its use. Thus, security was never a priority in its design. The Domain Name System (DNS) was built for functionality and, to this day, remains the most efficient method for connecting website names to their IP addresses via queried lookups. But the lack of DNS security makes it easy for malicious hackers to exploit your servers and steal sensitive information. One of the ways to do it is via a Man in the Middle (MITM) attack.

What is a Man in the Middle attack?
A Man in the Middle attack, in computer security, is the method by which hackers intercept data being transferred between two parties and thereby become privy to sensitive information. For example, if two people, A and B, wish to communicate, B may request that A send a public key. However, if, unbeknownst to A, C somehow gets hold of this key, he can listen in on A and B's messages without either of them knowing.

MITM may be passive in nature, where the hacker only listens to the conversation to gather intel without changing the messages, or active, where the hacker changes the messages en route and sends erroneous information to A, to B, or to both.

There are several ways to execute this type of attack. Let us take a look at some of them, as well as some defense mechanisms.

ARP Cache Poisoning
ARP Cache Poisoning is one of the simplest methods of eavesdropping on a network. The ARP protocol was created to communicate between layers in the OSI model and retrieve the MAC address of a target device. In simple terms, an ARP request asks all devices on the network which one holds the target IP, and that device answers with its MAC address. The ARP reply delivers the MAC to the source device and data transfer can begin. However, since ARP has no way to secure this reply, a malicious host can force the source device to update its ARP cache with the MAC address of a third-party device. Thus, an external member could receive the data packets without the source or target devices being any wiser.

How to Defend Against This?
Since ARP is only used on local networks, hackers must first penetrate the network to use this method. Thus, securing the LAN and bolstering DNS security go a long way in preventing these attacks. Hard-coding static entries in the ARP cache and monitoring the cache with a third-party program that flags suspicious changes also help.
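One way to implement the cache monitoring mentioned above, as an added example and not code from the original article: a small Python checker that compares a trusted ARP snapshot (in the format of Linux `ip neigh` output) against a fresh one and flags the two classic poisoning symptoms, a protected IP whose MAC has changed and one MAC answering for several IPs. The snapshots and addresses below are constructed sample data.

```python
import re

# One line of "ip neigh" output, e.g. "192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE".
# Entries without an lladdr (INCOMPLETE/FAILED) carry no MAC and are skipped by the parser.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dev \S+ lladdr (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE)

def parse_neigh_table(text: str) -> dict[str, str]:
    """Return an {ip: mac} map (MACs lower-cased) from 'ip neigh' style output."""
    table: dict[str, str] = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def detect_arp_anomalies(baseline: dict[str, str], current: dict[str, str],
                         protected_ips: list[str]) -> list[str]:
    """Flag a protected IP (gateway, DNS server) whose MAC differs from the trusted
    baseline, and any single MAC that claims more than one IP in the current cache."""
    alerts = []
    for ip in protected_ips:
        old, new = baseline.get(ip), current.get(ip)
        if old and new and old != new:
            alerts.append(f"MAC change for {ip}: {old} -> {new}")
    mac_to_ips: dict[str, list[str]] = {}
    for ip, mac in current.items():
        mac_to_ips.setdefault(mac, []).append(ip)
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return alerts

# Constructed snapshots, not real captures: the baseline was taken while the LAN was trusted;
# in the current one the gateway 192.168.1.1 now maps to the MAC of host 192.168.1.77.
BASELINE_SNAPSHOT = """192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.10 dev eth0 lladdr 00:aa:bb:cc:dd:01 STALE
192.168.1.77 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE"""
CURRENT_SNAPSHOT = """192.168.1.1 dev eth0 lladdr DE:AD:BE:EF:00:01 REACHABLE
192.168.1.10 dev eth0 lladdr 00:aa:bb:cc:dd:01 STALE
192.168.1.77 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.200 dev eth0 FAILED"""

def run_demo() -> list[str]:
    # Compare the two constructed snapshots, treating 192.168.1.1 as the protected gateway.
    return detect_arp_anomalies(parse_neigh_table(BASELINE_SNAPSHOT),
                                parse_neigh_table(CURRENT_SNAPSHOT), ["192.168.1.1"])

if __name__ == "__main__":
    print("\n".join("ALERT: " + a for a in run_demo()))
```

On a real host the baseline would be captured once from `ip neigh` while the network is known to be clean, and the comparison run periodically; a flagged change warrants checking which device actually owns that MAC.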

DNS Spoofing
Building on ARP Cache Poisoning, DNS spoofing attempts to poison the DNS cache and redirect traffic to malicious servers. DNS works by linking a web domain name to its IP address retrieved from a database. If a hacker can poison this database, they can redirect any popular website name to their own server. Thus, when the user communicates with this server, they are actually sending data to the hacker, who can then forward the data to the correct server after having saved a copy of it.

Defense Tips
DNS Spoofing is one of the hardest attacks to defend against. Typically, you will not know the database has been compromised, and defense is mainly preventive rather than reactive in nature. Secure your internal machines and invest in DNS security software to prevent intrusion. DNSSEC is usually a good choice.