Article

Different flavours of Man-In-The-Middle attack, consequences and feasible solutions


Abstract

The Man-In-The-Middle (MITM) attack is one of the primary techniques employed in computer-based hacking. A MITM attack can be used to mount further attacks such as Denial of Service (DoS), DNS spoofing and port stealing. MITM attacks are particularly suited to a LAN environment, where they are typically performed through ARP poisoning. MITM attacks of every kind have many surprising consequences in store for users, such as theft of online account user IDs and passwords, or theft of local FTP credentials and of SSH or Telnet sessions. This paper emphasizes the different types of MITM attacks, their consequences and feasible solutions under different circumstances, giving users options to choose one from various solutions. ARP spoofing and its effect in a LAN environment are studied in detail to achieve the stated objective.


... In the existing literature, several works explain, demonstrate and propose protection mechanisms against the Man-in-the-middle (MITM) attack. In [9], the author discusses different types of MITM attacks, their consequences, and proposes some solutions against the MITM attack, for example the use of ARP request packets to the gateway, monitoring the ARP -a database, using static entries in a layer-3 switch or in the gateway, and restricting ICMP packets. Yogesh Joshi in [10] proposes another MITM prevention technique: it explains the use of the public key of the server's digital certificate, required for hashing the user password, to prevent the MITM attack over Secure Sockets Layer. ...
... Before sending the data, the system always checks its ARP cache to deliver the data to a specific MAC address. If the ARP cache has a wrong MAC address for a given IP address, then the data will be delivered to the mismatched MAC address [9]. In the MITM attack the attacker poisons the ARP cache with his own MAC address so that all the data is sent to his system. ...
... When the attacker performs a MITM attack, his computer performs ARP poisoning, which fools the victim's computer into believing that his MAC address is the address of the router. However, if we use a static ARP entry, the computer has the information that the MAC address of the router is constant and does not vary, and hence the computer ignores any false ARP packets that are sent by the attacker [9]. ...
... The Man-in-the-Middle (MITM) attack is a hacking method in which an attacker poisons the ARP caches of two communicating hosts in order to intercept their communication, with the aim of causing host exploitation such as session hijacking, theft of sensitive data, and theft and impersonation of login identities [8]. This attack is one of the dangerous types of attack because it can occur on various information media such as websites, smartphones, and even mail. ...
... Static forensics is carried out by making a duplicate copy and retrieving the contents of memory, such as deleted files, web browsing history, file fragments, network connections, opened files, user login history, etc. [8]. The data collected is a representation of a static system and is permanent in nature, yet it is easily lost within a short time. ...
... Prior works collectively provide solid insights into challenges and opportunities, and motivate future research in detecting and fingerprinting malware-infected devices that utilize encrypted DNS for stealthy communications. ...
(Table: category of topics covered by this survey, with the list of references for each)
Standardized DNS encryption methodologies: [3, 32, 36, 44, 47, 50, 54, 61, 63, 66, 71, 117]
Adoption and performance: [11, 12, 23, 30, 31, 38, 42, 46, 48, 53, 55-57, 81, 91, 92, 101, 111, 116, 117, 119]
Benefits of DNS encryption: [20, 33, 69, 89, 101, 119, 123]
Practical issues and security vulnerability: [9, 18, 19, 29, 34, 39, 49, 58, 59, 62, 64, 65, 67, 70, 72, 76-78, 80, 87, 88, 95, 96, 98, 100, 104, 119]
Malware misuse: command and control (C&C) communications: [28, 33, 45, 51, 75, 90, 93, 94, 106, 108, 118, 121]
Malware misuse: data exfiltration (or tunneling): [2, 5, 18, 37, 52, 60, 86, 97, 109]
Detecting and classifying encrypted DNS traffic: [26, 27, 35, 41, 74, 84, 94, 105, 113, 114]
Profiling user activities by analyzing encrypted DNS: [59, 80, 82, 85, 102, 103, 112]
... relevant Internet standard documents (RFCs), technical reports from reputable organizations, and research papers that do not directly focus on encrypted DNS to cover certain key points around DNS encryption. Fig. 2 depicts the key contributions and structure of this survey. ...
... This is because attackers need to establish TCP and TLS connections for each attempt of attack (i.e., malicious DNS lookup), leading to higher computing resources required to overwhelm a DNS server. Lastly, encrypting DNS communications between clients and resolvers also reduces the chance of man-in-the-middle (MITM) DNS spoofing attacks [89] that aim to mislead (i.e., redirect) clients towards malicious destination IP addresses by hijacking and manipulating DNS responses. As a use-case, authors of [69] developed a secured addressing mechanism using DoH for network time protocol (NTP) systems to prevent the off-path attacks [68] which redirect clients to malicious timing servers via manipulated DNS responses. ...
Preprint
The domain name system (DNS) that maps alphabetic names to numeric Internet Protocol (IP) addresses plays a foundational role for Internet communications. By default, DNS queries and responses are exchanged in unencrypted plaintext, and hence, can be read and/or hijacked by third parties. To protect user privacy, the networking community has proposed standard encryption technologies such as DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over QUIC (DoQ) for DNS communications, enabling clients to perform secure and private domain name lookups. We survey the DNS encryption literature published since 2016, focusing on its current landscape and how it is misused by malware, and highlighting the existing techniques developed to make inferences from encrypted DNS traffic. First, we provide an overview of various standards developed in the space of DNS encryption and their adoption status, performance, benefits, and security issues. Second, we highlight ways that various malware families can exploit DNS encryption to their advantage for botnet communications and/or data exfiltration. Third, we discuss existing inference methods for profiling normal patterns and/or detecting malicious encrypted DNS traffic. Several directions are presented to motivate future research in enhancing the performance and security of DNS encryption.
... Man-in-the-middle attacks (A1): This kind of active attack occurs when a malicious actor interferes in the communication between two authenticated entities (e.g., the claimant and verifier of the authentication protocol), intercepting, compromising, or even concealing messages exchanged between them. The attacker may selectively alter the communicated data to masquerade as one or more of the legitimate entities involved [10]. ...
... The server waits for the following pieces that are supposed to come paired with the original messages, such as ICMP and SYN floods. Application layer attacks intend to crash the web server such as HTTP and SIP flood [10]. Whenever a botnet commits an attack, it is known as a Distributed Denial of Service, or DDoS attack. ...
Preprint
In this work, we define an attack vector for networks utilizing Internet of Medical Things (IoMT) devices and compute the probability distribution of IoMT security threats based on a Markov chain and the Common Vulnerability Scoring System (CVSS). IoMT is an emerging technology that improves patients' quality of life by permitting personalized e-health services without restrictions on time and site. The IoMT consists of embedded objects, sensors, and actuators that transmit and receive medical data. These medical devices are vulnerable to different types of security threats, and thus they pose a significant risk to patients' privacy and safety. Because security is a critical factor for successfully merging IoMT into pervasive healthcare systems, there is an urgent need for new security mechanisms to prevent threats on the IoMT edge network. Toward this direction, the first step is defining an attack vector that an attacker or unauthorized user can take advantage of to penetrate and tamper with medical data. In this article, we specify a threat model for the IoMT edge network. We identify any vulnerabilities or weaknesses within the IoMT network that allow unauthorized privileges, and threats that can utilize these weaknesses to compromise the IoMT edge network. Finally, we compute the probability distribution of IoMT threats based on the Markov transition probability matrix.
... Protocol attacks work by consuming server resources via fragmented packets, so that the server waits for the following pieces that are supposed to come paired with the original messages, such as ICMP and SYN floods. Application layer attacks intend to crash the web server, such as HTTP and SIP floods [34]. Whenever the attack is committed by a botnet, it is known as a Distributed Denial of Service, or DDoS, attack. ...
... Once an attacker has access to a router, they can intercept and decrypt any data being transmitted [65]. Other types of MITM attacks include Denial of Service, spoofing, ARP poisoning, and port stealing [34]. ...
Article
For this research, our primary goal is to define an attack surface for networks utilizing the IoT (Internet of Things) devices. The IoT consists of systems of integrated objects, computing devices, digital, or mechanical machines that are given the ability to transmit and receive the data over a network without the need for human interaction. Each of these devices can operate independently within the existing Internet infrastructure. Issues will continue to increase as devices become more prevalent and continuously evolve to counter newer threats and schemes. The attack surface of a network sums up all penetration points, otherwise known as attack vectors. An attacker or an unauthorized user can take advantage of these attack vectors to penetrate and change or extract data from the threat environment. For this research, we define a threat model that allows us to systematically analyze the security solutions to mitigate potential risks from the beginning of the design phase. By designing an IoT architecture and breaking it down into several zones, we focus on each zone to identify any vulnerability or weaknesses within a system that allows unauthorized privileges, as well as any attacks that can target that area. We also investigate the available IoT devices across several domains (e.g., wellness, industrial, home, etc.) to provide a 1:1 and 1:n mapping across devices, vulnerabilities, and potential security threats based on the subjective assessment.
... (table rows) 2) Electromagnetic Interference | [6] I, [7], [12], [25], [26], [40], [41], [57] | C, I | 90 ...
... Endangers the patient, affects the reliability and availability of the device | 3. Man-in-the-middle | [7], [12], [25], [26], [40], [41], [57] | 1981 | Prerequisites ...
Article
An intensive care unit (ICU) is dedicated to caring for patients whose medical condition places them at high risk of mortality or serious morbidity. ICU medical devices (ICUMDs) are used to closely monitor, stabilize, and treat ICU patients who are often unconscious and rely almost solely on ICUMDs. ICUMDs have become more autonomous, with a range of components, connectivity to external devices, and functionalities, opening the door to cyber-attacks. We present a taxonomy based on the functionality of 19 widely used ICUMDs, providing an explanation of each device’s medical role, properties, interactions, and how they impact each other’s security. We provide an extensive survey of 16 possible attacks aimed at ICUMDs and assess each device’s vulnerability. We also create an ecosystem graph describing the roles and interactions of the players of each ICU sub-department. For each device type we produce a unique attack flow diagram that presents the most vulnerable vectors and components within the ecosystem. Finally, we survey relevant security mechanisms and map their coverage for the attacks, identifying existing gaps. We show that current security mechanisms generally fail to provide protection, covering just 12.5-56.3% of the attacks against ICUMDs, leaving the devices and the patients vulnerable.
... Because of the attack on the secure network connections at the MITM attack, it was given to the rogue machine and it was redirected to the correct address by the applied algorithm [5]. The result of ARP poisoning in the LAN environment, the problem of MITM was eliminated by Nayak and Samaddar [6]. ...
... This is called the DHCP spoofing attack. An attacker can also set up a fake DNS server, leading to phishing attacks by redirecting client traffic to fake websites [5][6][12][13]. ...
... Making the protocol work flawlessly, rather than focusing on security, was the only concern at the time of designing these protocols. As a result, many vulnerabilities of these standard protocols, such as the man-in-the-middle attack using the vulnerability of ARP cache poisoning and through ICMP packet manipulation [8], have been listed and documented to date. Moreover, the technology lifetime for a cyber-physical power system is around 15-20 years, whereas conventional IT infrastructure changes within 3-5 years [9]. ...
Preprint
This paper presents a real-time cyber-physical (CPS) testbed for power systems with different real attack scenarios on synchrophasors (phasor measurement units, PMU). The testbed focuses on real-time cyber-security emulation with components including a digital real-time simulator, virtual machines (VM), a communication network emulator, and a packet manipulation tool. The script-based VM deployment and the software-defined network emulation facilitate a highly scalable cyber-physical testbed, which enables emulation of a real power system under different attack scenarios such as Address Resolution Protocol (ARP) poisoning attack, Man In The Middle (MITM) attack, False Data Injection Attack (FDIA), and Eavesdropping Attack. The common synchrophasor standard, IEEE C37.118.2, named pySynphasor, has been implemented and analyzed for its security vulnerabilities. The paper also presents an interactive framework for injecting false data into a realistic system utilizing the pySynphasor module. The framework can dissect and reconstruct the C37.118.2 packets, which expands the potential for testing and developing PMU-based systems and their security in detail and benefits the power industry and academia. A case demonstrating the FDIA attack on linear state estimation, together with the bad-data detection procedure, is presented as an example of the testbed's capability.
... According to this scenario, while the two players are passing to each other, the opponent player tries to intercept the ball from the other players without being noticed. MITM attack is also known as "Bucket Brigade Attack", "Fire Brigade Attack", "Monkey in the Middle Attack", "TCP Hijacking" and "TCP session hijacking" [2]. In addition, MITM attacks are basically carried out in four ways as Deceptive Base Station Attacks, SSL / TLS based attacks, BGP based attacks and False Base Station [3]. ...
Article
Man in the Middle (MITM) attacks are aimed at seizing data between two nodes. The ARP Spoofing/Poisoning technique is a technique frequently used by attackers which allows MITM attacks to be carried out on local area networks (LANs). The attack exploits the vulnerabilities of ARP, which is a stateless protocol. This attack, which is carried out quite simply and quickly, can induce a high level of threat on the targets. Therefore, it is crucial to be protected against this type of attack. Many medium-sized and large-sized enterprises are generally not exposed to this attack because of the reliable network infrastructures and commercial software they utilize against MITM attacks. However, small-sized enterprises and individuals are frequently exposed to this threat. The purpose of this study is to design a simple, fast and reliable MITM attack detection tool for LAN users who are often exposed to the threat. In our study, we present the basic characteristics of the MITM Detection Tool, which detects ARP Spoofing/Poisoning attacks on clients. Based on the findings from a comprehensive review of related literature and tests performed on Kali Linux and Windows 7 OS machines, how MITM attacks can be performed and detected is described.
... Finally, the fourth class is modification attacks, whose purpose is to change data that is transferred during a communication session between two or more nodes. The network spoofing attack is a simple example of that attack [26]. ...
Article
The Internet of Things (IoT) has particular applications in public safety as well as other domains such as smart cities, health monitoring, smart homes and environments, smart industry, and various types of pervasive systems. The attacker can simply attack the IoT device in such applications, because it is randomly distributed, has a dynamic topology and is not reliable due to energy and communication limitations. Moreover, the threat to confidentiality and security is increasing as the number of devices connected in the IoT is increasing. As the number of devices connected to the Internet is expanding, the threat to confidentiality and security is increasing. The aim of this paper is to design a typical network security model for cooperative virtual networks in the IoT era. This paper presents and discusses network security vulnerabilities, threats, attacks and risks in switches, firewalls and routers, in addition to a policy to mitigate those risks. The paper provides the fundamentals of a secure networking system including firewall, router, AAA server and VLAN technology. It presents a novel security model to defend the network from internal and external attacks and threats in the IoT era. A testbed is built to investigate the proposed model, and the performed assessment shows effective security performance with good network performance.
... It results in maintaining control over data transferred among end-users. This attack is sometimes referred to as the fire brigade attack or bucket brigade attack, as it resembles a basketball scenario in which two players are passing the ball and one player tries to seize it [24]. Here the malicious third party secretly takes control of the communication channel between two end points. ...
... The short authentication strings used as passphrases need to match on both ends of the connection, or else the connection will be terminated. This tries to proof against Man-In-The-Middle (MITM) attacks [18]. A more resilient form of authentication involves the use of a preshared secret. ...
Article
One of the main goals of targeted attacks is data exfiltration. Attackers penetrate systems using various forms of attack vectors, but the hurdle comes in exfiltrating the data. APT attackers even reside in a host for long periods of time whilst seeking the best option to exfiltrate data. Most data exfiltration techniques are prone to detection by intrusion detection systems. Therefore, data exfiltration methodologies that generate little noise, if any at all, are attractive to attackers and can go undetected for long periods owing to the low threshold of generated noise in the form of network traffic and system calls. In this paper, we present malware-free intrusion, an attack methodology which does not explicitly use malware to exfiltrate data. Our attack structure exploits the use of system services and resources, not limited to RDP, PowerShell, the Windows accessibility backdoor and DNS tunneling. Results show that it's possible to exfiltrate data from vulnerable hosts using malware-free intrusion as an infection vector and DNS tunneling as a data exfiltration technique. We test the attack on both Windows and Linux systems over different networks. Mitigation techniques are suggested based on traffic analysis captured from the established secure DNS tunnels on the network.
... MITM attacks can also serve as a precursor to other attacks, such as Distributed Denial of Service (DDoS) or Domain Name System (DNS) spoofing.[7] As recently as 2015, Europol arrested individuals on suspicion of using passive MITM attacks to sniff out and intercept payment requests from emails.[8] Their alleged attacks resulted in nearly $6.8 million in international fraud. ...
In this work, we outline a procedure for collecting and labeling Man-in-the-Middle (MITM) attack traffic. Our capture procedure allows for the collection of real-world representative data using a full-scale network environment. MITM attacks are typically performed with the purpose of intercepting information between two networked machines. This enables the attacker to gain access to otherwise confidential communications and potentially alter said communications maliciously. MITM attacks are still a very common attack that can be implemented with relative ease across a variety of network environments. Our work establishes experimental procedures for enacting three prevalent MITM attack variants through penetration testing. The process for data collection is defined, along with our approach to gathering real-world, representative data. We also present a novel labeling procedure based on the inherent behaviors of each MITM attack variant. Our work aims to address the challenges associated with collecting such data within a live production environment, as well as to identify the impact MITM attacks have on traffic behavior. We also present a case study to provide some quantitative analysis regarding the data collected.
... This will consequently affect the data communication of the underlying network (e.g., the 5G network). The most common way of eliminating such issues is to encrypt communication with either symmetric or asymmetric algorithms, use mutual authentication and the OAuth2 protocol, and ensure the isolation of compromised nodes and certificate pinning, as discussed by [49]. ...
Article
Fog computing is a new paradigm that extends the Cloud platform model by providing computing resources on the edges of a network. It can be described as a cloud-like platform having similar data, computation, storage and application services, but is fundamentally different in that it is decentralized. In addition, Fog systems are capable of processing large amounts of data locally, operate on-premise, are fully portable, and can be installed on heterogeneous hardware. These features make the Fog platform highly suitable for time and location-sensitive applications. For example, Internet of Things (IoT) devices are required to quickly process a large amount of data. This wide range of functionality driven applications intensifies many security issues regarding data, virtualization, segregation, network, malware and monitoring. This paper surveys existing literature on Fog computing applications to identify common security gaps. Similar technologies like Edge computing, Cloudlets and Micro-data centres have also been included to provide a holistic review process. The majority of Fog applications are motivated by the desire for functionality and end-user requirements, while the security aspects are often ignored or considered as an afterthought. This paper also determines the impact of those security issues and possible solutions, providing future security-relevant directions to those responsible for designing, developing, and maintaining Fog systems.
... This is a very important feature of this protocol. We assume that the intruder has full access to the communication channel [11]. ...
Conference Paper
Signcryption is a comparatively new approach in public key cryptography. Signcryption has the virtue of providing the services of digital signature and public key encryption in a single step. So when we compare it in terms of cost and ease of use, signcryption is better than the "signature then encryption" (or encryption then signature) approach. Signcryption protocols are therefore an obvious choice for WTLS, where authentication along with savings in computational overhead is always desired. In this paper we present a signcryption protocol for WTLS using a bit commitment scheme, with its security analysis.
... Such representation of a criminal act controls the system against the security violation and produces a better analyzed result. GopiNath Nayak et al. [5] have proposed the MITM technique, which is the primary technique engaged for hacking in computers. MITM (Man-In-The-Middle attack) cites the attacks effectively. ...
Article
In order to fulfill the organization's goals and objectives, multilayered network architectures and various heterogeneous server environments are used. As the network architectures are complex, there is an increased demand for information security. So each organization needs to provide sufficient network security against the known and the unknown attacks according to its goals, requirements and objectives. Highly skilled hackers discover new threats every day in order to break the security bridge in each organization. Hence the organizations are forced to revise their security policies in order to handle the network vulnerabilities that are increasing day by day. So to handle this issue a proactive network strategy is proposed against network vulnerabilities such as fraud, information leakage, denial of service attack and so on. By this approach the network is scanned periodically and the threats are prioritized and evaluated accordingly.
... The Man in the Middle (MitM) attack is a hacking methodology whereby an attacker poisons the ARP caches of two communicating hosts to intercept their communication, with the aim of causing host exploitation such as session hijacking, theft of sensitive data, port stealing and impersonation of login credentials [8]. To launch the attack, the attacker first collects the MAC addresses of its victims by broadcasting an ARP request to the victims' entire network. ...
Conference Paper
Address Resolution Protocol (ARP) cache spoofing or poisoning is an OSI layer 2 attack that exploits the statelessness vulnerability of the protocol to make network hosts susceptible to issues such as Man in the Middle attack, host impersonation, Denial of Service (DoS) and session hijacking. In this paper, a quantitative research approach is used to propose forensic tools for capturing evidence and mitigating ARP cache poisoning. The baseline approach is adopted to validate the proposed tools. The evidence captured before the attack is compared against evidence captured when the network is under attack in order to ascertain the validity of the proposed tools in capturing ARP cache spoofing evidence. To mitigate the ARP poisoning attack, the security features DHCP Snooping and Dynamic ARP Inspection (DAI) are enabled and configured on a Cisco switch. The experimental results showed the effectiveness of the proposed mitigation technique.
... ARP poisoning can be avoided by using a shell script running in the background which keeps track of the entries in the ARP cache table (mapping IP addresses to MAC addresses) [30], [31]. The problem with this solution is that, because of the periodically generated ARP requests, there is a lot of traffic inside the network, and the shell script will run only on Linux, not on Windows. ...
Article
This paper presents a survey of man-in-the-middle (MIM) attacks in communication networks and methods of protection against them. In real time communication, the attack can in many situations be discovered by the use of timing information. The most common attacks occur due to Address Resolution Protocol (ARP) cache poisoning, DNS spoofing, session hijacking, and SSL hijacking.
... In this paper, we focus only on the data-falsification aspect of the Byzantine attack, wherein one or more compromised nodes of the network send false information to the FC in order to deteriorate the inference performance of the network. A well-known example of this attack is the man-in-the-middle attack [18] where, on one hand, the attacker collects data from the sensors whose authentication process is compromised by the attacker emulating the FC, while, on the other hand, the attacker sends false information to the FC using the compromised sensors' identity. In summary, if the i-th sensor's authentication is compromised, the attacker remains invisible to the network, accepts the true decision u_i from the i-th sensor and sends v_i to the FC in order to deteriorate the inference performance. ...
Article
The problem of distributed inference with M-ary quantized data at the sensors is investigated in the presence of Byzantine attacks. We assume that the attacker does not have knowledge about either the true state of the phenomenon of interest, or the quantization thresholds used at the sensors. Therefore, the Byzantine nodes attack the inference network by modifying the quantized data to one of the M symbols in the quantization alphabet-set and transmitting the false symbol to the fusion center. In this paper, we find the optimal Byzantine attack that blinds any distributed inference network. As the quantization alphabet size increases, a tremendous improvement in the security performance of the distributed inference network is observed. We also investigate the problem of distributed inference in the presence of resource-constrained Byzantine attacks. In particular, we focus our attention on two problems: distributed detection and distributed estimation, when the Byzantine attacker employs a highly-symmetric attack. In both the frameworks, we find the optimal attack strategies employed by the attacker to maximally degrade the performance of the inference network. A reputation-based scheme for identifying malicious nodes is also presented as a network's strategy to mitigate the impact of Byzantine threats on the inference performance of the distributed sensor network.
... It involves eavesdropping on a connection, intruding into a connection, intercepting messages, and selectively modifying data. The problem has been extensively researched and there are many variations to the basic attack [7]. Different subsets of techniques have been offered to mitigate some specific subsections of the problem. ...
Conference Paper
In this paper we propose a method for detecting man-in-the-middle attacks using the timestamps of TCP packet headers. From these timestamps, the delays can be calculated and by comparing the mean of the delays in the current connection to data gathered from previous sessions it is possible to detect if the packets have unusually long delays. We show that in our small case study we can find and set a threshold parameter that accurately detects man-in-the-middle attacks with a low probability of false positives. Thus, it may be used as a simple precautionary measure against malicious attacks. The method in its current form is limited to non-mobile systems, where the variations in the delay are fairly low and uniform.
... Gopi Nath Nayak and Shefalika Ghosh Samaddar [11] proposed two solutions in order to prevent ARP poisoning. The first one sends arping request messages to the default gateway at fixed time intervals. ...
Conference Paper
Address Resolution Protocol (ARP) poisoning is one of the most basic techniques employed in computer hacking. ARP poisoning is used when a host is used to poison the ARP cache of another host in order to send packets to some other destination than the intended one. This paper presents a feasible technique to detect and prevent ARP poisoning by removing the multiple entries for the same MAC address or IP address from the ARP table using a secondary cache. This secondary cache contains the entries according to Internet Control Message Protocol (ICMP) responses. Since this technique prevents multiple entries for the same IP address or MAC address, it also mitigates the IP exhaustion problem. The secondary cache is maintained at every host, which makes this technique distributed in nature, thereby preventing a single point of failure. Experimental results are also provided to support the proposal.
... The second consists of generating false responses to the name resolution requests made by the victim host. consists of a host that is placed in the middle of two others to capture and modify the messages that are being transmitted [5]; In this implementation the objective is to generate a DNS false resolution when the host victim is trying to navigate anywhere on the internet through a router, so that it will be redirected to a web service that runs on the host of the attacker [6]. ...
Article
This document describes some strategies to prevent man in the middle attack on a wireless LAN 802.11n network; to do this, the man in the middle attack is implemented in a domestic LAN and each proposed strategy has been validated in order to register the results. The man in the middle attack consists of ARP poisoning and DNS spoofing, which aims to redirect the victim's HTTP requests to a web server installed on the machine of the attacker; in this way, the victim would always be redirected to a site hosted on the web server of the attacker, regardless of which domain the victim is pointing at. Each strategy was validated and moderately successful results were found due to technical or administrative implications of each setting. Considering that for this article an attack with particular characteristics was done, some strategies are expected not to work in all scenarios, in which case it would be required to combine them or modify them.
... The term "Man-In-The-Middle" has been derived from a basketball scenario where a player in the middle tries to intercept the ball while two other players try to pass it [34]. The same concept is derived in VANET, where a MITM attacker jeopardizes communication and modifies messages among legitimate vehicles. ...
Article
Vehicular Ad-Hoc Network (VANET), a vital component of Intelligent Transportation Systems (ITS) technology, relies on communication between dynamically connected vehicles and static Road Side Units (RSU) to offer various applications (e.g., collision avoidance alerts, steep-curve warnings and infotainment). VANET has a massive potential to improve traffic efficiency and road safety by exchanging critical information between nodes (vehicles and RSU), thus reducing the likelihood of traffic accidents. However, this communication between nodes is subject to a variety of attacks, such as Man-In-The-Middle (MITM) attacks, which represent a major risk in VANET. It happens when a malicious node intercepts or tampers with messages exchanged between legitimate nodes. In this paper, we studied the impact on network performance of different strategies which attackers can adopt to launch MITM attacks in VANET, such as fleet or random strategies. In particular, we focus on three goals of MITM attacks: message delayed, message dropped and message tampered. The simulation results indicate that these attacks have a severe influence on the legitimate nodes in VANET, as the network experiences a high number of compromised messages, high end-to-end delays and preeminent packet losses.
... Our goal is to intercept the server's communication sessions by passing its network traffic through an external network capture host in the attacking network. It is an external man-in-the-middle attack (MITM) [18], where the server's network traffic, before being routed to the common channel, is passed through a host outside the internal network using a dedicated tunneling protocol [14]. Of course we have administration-level access to the attacker's network, including both the router and the sniffer host. ...
Article
Modern enterprise infrastructures adopt multilayer network architectures and heterogeneous server environments in order to efficiently fulfill each organization's goals and objectives. These complex network architectures have resulted in increased demands for information security measures. Each organization needs to effectively deal with these major security concerns, forming a security policy according to its requirements and objectives. An efficient security policy must be proactive in order to provide sufficient defense layers against a variety of known and unknown attack classes and cases. This proactive approach is usually interpreted wrongly as only keeping software and hardware up to date. Regular updates are necessary, although not enough, because potential mis-configurations and design flaws cannot be located and patched, making the whole network vulnerable to attackers. In this paper we present how a comprehensive security level can be reached through extensive Penetration Tests (Ethical Hacking). We present a Penetration Test methodology and framework capable of exposing possible exploitable vulnerabilities in every network layer. Additionally, we conducted an extensive analysis of a network penetration test case study against a network simulation lab setup, exposing common network mis-configurations and their security implications for the whole network and its users.
... Diffie-Hellman Key-Exchange Protocol is used for sharing a secret key between users when more than one attacker is present between sender and receiver [14]. Compression is the process of reducing the number of bytes or bits needed to represent a given set of data. It helps in saving more data [15]. ...
... Literature also suggests the effect of MITM attack on Address Resolution Protocol (Mohsenian-Rad et al. 2014). A detailed survey of MITM attack, their methodology and effects can be seen in Jain, Jain, and Borade (2016) and Nayak and Samaddar (2010). Another threat to the smart grid network is Denial of Service attack (DoS). ...
Article
The technical improvements in modern power systems by the use of smart sensors, smart meters, multi-direction communication networks, and computers have given birth to the cyber-physical smart grid networks. Any attack on the grid is a threat to the grid's operation and the data collected from it. Therefore, the security of this diverse network is the primary concern. Two attacks on a smart grid network tested in this paper are: Denial of Service (DoS) and Man In The Middle (MITM). Remote monitoring of the smart meter under either of the attacks indicates load fluctuations on the consumer side. It is seen that the location of these fluctuations is not limited to the area under attack. The supplier has to bear the economic effects. This paper discusses the cyber, physical and monetary impact of different cyber-attacks on a smart meter. An experiment is conducted on a hardware setup connected to a constant load, and the findings are noted. The two attacks are then extended to an IEEE-30 bus system and their impact is studied using MATPOWER simulations. For the same experimental setup, a protection scheme is also tested. The protection scheme is divided based on the attack condition: pre-attack, under-attack and post-attack conditions. Cryptographic data security in the pre-attack conditions is explored using MATLAB simulations where a binary coded password scheme is devised and then extended for a smart grid system. Multi-level encryption methods are used to prevent data breaches during attacks. The importance of firewall and antivirus databases is also analyzed.
... The MITM attack is now getting more attention from developers because, as developers work to make their systems more secure, attackers and hackers have also made advances in their work of hacking and have become more intelligent; therefore, the encryption method is not safe against the MITM attack. In MITM [3] the attacker makes independent connections to form an online spying operation, in which the attacker creates self-modifiable networks to the sufferers and dispatches communications between them [28], ensuring them that they are talking straight to one another over a secretive association, while on the other hand the attacker the entire discussion of those two communicating participants [25]. To overcome the above problem a solution has been introduced, which is the Advanced Encryption Standard (AES); with this algorithm [7], whenever the data is forwarded from fog to cloud, the data will be encrypted with the highest bit key size, and this process causes the attacker to face difficulty while getting access to the data from the current architecture [21]. ...
Article
In recent years a great number of sensors and devices have been added to a heavy range of Internet of Things (IoT) due to the extension of a great number of users. Therefore, due to a great number of users, the privacy issue still remains in this technology, although data is being stored after an encryption process. In this research, the AES algorithm is used, which is a much more secure algorithm for encrypted communication and for the security process. In this study, we have disclosed the security threats of fog and the typical attack, the man-in-the-middle attack. Existing data protection mechanisms such as encryption have failed in preventing data theft attacks, especially those committed by an insider to the cloud provider. We introduced the process of encryption using the AES algorithm with 512 bits to check how it works for fog. The new enhanced algorithm (AES-512 bit) uses an input block size and key size of 512 bits, which makes it more resistant to cryptanalysis with tolerated area and increased security. AES-512 will be suitable for applications with high security and throughput requirements and with fewer chip area constraints, such as multimedia and satellite communication systems.
... Typically it is the most used method to launch a MiTM attack (Nayak, G., N., Samaddar, S., G., 2010 [43]). As documented by (Whalen, S., Engle, S., Romeo, D., 2001 [57]), this attack changes the correspondence between a MAC address and its associated legitimate IP. ...
Thesis
The Internet is growing to connect all our equipment. However, security has not been a concern from its first start. As a consequence, well documented vulnerabilities still remain widely used by attackers because they are present in key-role mechanisms in use by default on the systems. This project investigates the different vectors to perform a Man-in-The-Middle attack, and the possible defenses. Protocols from each and every vector have been included in the project, in order for all areas to be covered. The method implied the use of a vulnerable protocol, its exploitation using the adapted strategy, the installation and configuration of the corresponding defence, and the testing of this defence: whether it is actually behaving as expected. Differences in the attacks' characteristics, such as possibilities, range, and potential targets, have been noted. The defenses' implementation, their scalability, and their range have also been taken into consideration. The aims and objectives have been brought to the analysis of the vectors and attacking mechanisms. Their common points or differences have been the concern. The same applies to the defenses: how the issue has been addressed in the past. It was found that attacks focus on the lack of security mechanisms in the key protocols used to perform routing or to provide information to systems and applications, while defenders answer threats with authentication and signing mechanisms. Encryption has been addressed as a second phase, as it can build false hopes of security because of misconfiguration or a bad implementation. Toolboxes are available and attacks are well documented; however, protocols are still vulnerable and Man-in-The-Middle attacks remain present and widely used. Communications can be eavesdropped, systems can be impersonated, and this has been known for a long time. The use of security elements in protocol design, setup or implementation can prevent most of the vectors, if not all.
This must of course be adapted to needs, as attacks have limited range, and defenses are limited to situations or architectures. As the project's roots come from external research, there is an interest in the project: results and conclusions will help to understand the issues and defenses involved in protocol design.
... In this attack, the traducer node, which creeps onto a valid path, also attempts to sniff packets that flow across it [51]. The traducer must first be a component of that path to execute a Man-in-the-middle assault. ...
... One advantage of a reactive jammer is that it is harder to detect. 8. Man-in-the-middle - The man-in-the-middle attack [28], [29] is a form of active eavesdropping in which the attacker makes independent connections with two or more victim nodes and intercepts message transmissions between them. It makes them believe that they are talking directly to each other over a private connection, which is not the actual case as the whole communication process is manipulated by the attacker. ...
Article
A remote sensor network is a recent advancement of the technology of computer networks and electronics. Its sensing technology, in combination with its processing power and wireless communication, makes it productive for abundant exploitation in the near future. A remote sensor arrangement generally contains sensors, actuators, memory and a processor. The nodes in this network are not connected to a central node, and are self-managing. They are not bound to a specific network topology, practise multi-way routing, preserve the integrity and confidentiality of data, and are robust, making them highly applicable for military applications. With development in such applications, security of data has become a crucial need, keeping in mind that the end goal is to ensure that the sensitive and confidential information is also included. These networks are prone to a large number of disastrous attacks or hacks such as Sybil, Wormhole, Sinkhole, etc. that threaten data flow or may have a motive to disrupt the entire network. The assault becomes even more viable when the attacker incorporates itself on the path of information flow. In this context, we analyse security aspects of remote sensor networks such as requirements, classifications, and types of attacks in this survey paper.
... ARP spoofing is possible because: 1. Clients accept responses though they did not send a request. 2. Clients trust responses without any form of verification [3][6][7][8]. There are two steps required for a successful ARP spoofing. ...
Conference Paper
Detecting and preventing network attacks is necessary for network solidity, as any disruption in network performance resulting from an attack can lead to loss of resources. Though ARP plays a vital role in successful local area network (LAN) communication, its vulnerabilities are used by attackers every day and by far have made it the leading point for refined LAN attacks such as denial-of-service (DoS) and man-in-the-middle (MITM). This paper proposes a technique to mitigate an Address Resolution Protocol (ARP) spoofing-based Secure Socket Layer (SSL) Stripping attack in a Local Area Network (LAN) using both dynamic host configuration protocol (DHCP) snooping and the ARP inspection technique. This mitigation technique includes a detection and a prevention module. The detection module uses an analyzing tool and an algorithm that captures ARP packets. It identifies suspicious activity in the network, and once detected, DHCP snooping and the ARP inspection technique are used to mitigate the attack to achieve a more secure network.
... However, existing systems are suffering from some limitations that prevent customers from achieving most out of the value of poverty alleviation loan. The major issues are: (i) the management system is centralized and deployed in single service mode, which slows down the efficiency of information exchanges for the loan; (ii) there is not an easy way to trace the data updating process and prevent data tampering (especially for the supervisor), since there are many roles in poverty alleviation loan and the business process is long; (iii) there is not an effective protection for the customer data privacy facing cyber attacks (man-in-the-middle attack [5], DoS attack, fraud, etc.). ...
Article
Current financial loan management systems are usually deployed in a single-service mode, also the transactions are not transparent and traceable to most of the roles participating in the process. Their data privacy protection mechanisms are not robust enough facing various cyber attacks. To overcome these challenges, we propose loan on blockchain (LoC), a novel financial loan management system based on smart contracts over permissioned blockchain Hyperledger Fabric. We use the Chinese poverty alleviation loan as the case study. We design a digital account model for the transfer of assets between centralized and decentralized ledgers; and propose locking and unlocking algorithms for smart contracts. We introduce digital signature and oracle to protect the data privacy. Performance evaluations on chaincode and unlocking codes show that our system is applicable in the real financial loan setting.
Article
Nowadays, the amount of data produced and stored in computing devices is increasing at an alarming rate. Tremendous amounts of critical and sensitive data are transmitted between all these devices. Thus, it is very imperative to guarantee the security of all these indispensable data. Cryptography is a commonly used technique to ensure data security. The fundamental objective of cryptography is to transmit data from the sender to the receiver in the most secure way, so that an attacker is unable to extract the original data content. This paper proposes a novel cryptosystem based on Deoxyribonucleic Acid (DNA) cryptography and finite automata theory. The system is made of three entities, namely a key pair generator, a sender and a receiver. The sender generates a 256-bit DNA based secret key based on the attributes of the receiver, and this key is used for data encryption. Then, a randomly generated Mealy machine is used for coding the DNA sequence, which makes the ciphertext more secure. The proposed scheme can protect the system against numerous security attacks, such as brute force attack, known plaintext attack, differential cryptanalysis attack, ciphertext only attack, man-in-the-middle attack and phishing attack. The results and discussions show that the proposed scheme is more efficient and secure than the existing schemes.
Article
The domain name system (DNS) that maps alphabetic names to numeric Internet Protocol (IP) addresses plays a foundational role in Internet communications. By default, DNS queries and responses are exchanged in unencrypted plaintext, and hence, can be read and/or hijacked by third parties. To protect user privacy, the networking community has proposed standard encryption technologies such as DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over QUIC (DoQ) for DNS communications, enabling clients to perform secure and private domain name lookups. We survey the DNS encryption literature published from 2016 to 2021, focusing on its current landscape and how it is misused by malware, and highlighting the existing techniques developed to make inferences from encrypted DNS traffic. First, we provide an overview of various standards developed in the space of DNS encryption and their adoption status, performance, benefits, and security issues. Second, we highlight ways that various malware families can exploit DNS encryption to their advantage for botnet communications and/or data exfiltration. Third, we discuss existing inference methods for profiling normal patterns and/or detecting malicious encrypted DNS traffic. Several directions are presented to motivate future research in enhancing the performance and security of DNS encryption.
Conference Paper
The Man-in-the-Middle (MITM) attack on ARP is presently a common attack and nuisance to the typical LAN environment. This type of MITM is brought to effect by ARP cache poisoning, which is achieved using forged ARP packets. ARP poisoning is a mechanism in which a node poisons the ARP cache table of another node, forcing it to send packets to a destination other than the intended one. This paper presents a feasible solution to ARP cache poisoning, removing inconsistencies from the ARP tables of all hosts in the network. This paper uses a centralized system and an ARP Central Server (ACS) to manage ARP table entries in all hosts. All hosts in the network use the ACS to validate their ARP table entries. The ACS validates and corrects the poisoned ARP entries of the attacked hosts and hence prevents ARP poisoning in the network.
Article
Compared with a wired network, a wireless network is not protected by the cable transmission medium. Information is broadcast over the air and it can be intercepted by anyone within the transmission range. Even though the transmissions could potentially be protected by security authentication mechanisms, malicious users can still intercept the information by mimicking the characteristics of a normal user or a legitimate access point. This scenario is referred to as a man-in-the-middle (MITM) attack. In the MITM attack, the attackers can bypass the security mechanisms, intercept the unprotected transmission packets, and sniff the information. Because of several vulnerabilities in the IEEE 802.11 protocol, it is difficult to defend against a wireless MITM attack. In this paper, a received signal strength indicator (RSSI)-based detection mechanism for MITM attacks is proposed. RSSI information is an arbitrary integer that indicates the power level being received by the antenna. The random RSSI values are processed via a sliding window, yielding statistical information about the signal characteristics such as mean and standard deviation profiles. By analyzing those profiles, the detection mechanism can detect if a rogue access point, the key component of an MITM attack, is launched. Our proposed approach has been validated via hardware experimentation using Backtrack 5 tools and the MATLAB software suite. Copyright © 2014 John Wiley & Sons, Ltd.
Article
The Man-In-The-Middle (MITM) attack is one of the most well known attacks in computer security, representing one of the biggest concerns for security professionals. MITM targets the actual data that flows between endpoints, and the confidentiality and integrity of the data itself. In this paper, we extensively review the literature on MITM to analyse and categorize the scope of MITM attacks, considering both a reference model, such as the open systems interconnection (OSI) model, as well as two specific widely used network technologies, i.e., GSM and UMTS. In particular, we classify MITM attacks based on several parameters, like location of an attacker in the network, nature of a communication channel, and impersonation techniques. Based on an impersonation techniques classification, we then provide execution steps for each MITM class. We survey existing countermeasures and discuss the comparison among them. Finally, based on our analysis, we propose a categorisation of MITM prevention mechanisms, and we identify some possible directions for future research.
Article
In this paper, we focus on attacks based on sniffing, like MitM, and how to counter them from the network layer perspective. We've already developed an algorithm called pathfinder that allows us to forward segments from the same packets via different paths. Doing so, we'll ensure that an attacker will not be able to get hands on the entire message being transmitted. So, in this paper, we'll start by recalling the first version of the pathfinder algorithm, followed by an introduction to the newest release that allows us to handle hundreds of nodes in the same network; finally we'll put this algorithm under test by simulating a sniffing attack with Wireshark. The simulation proves, in addition to its efficiency in handling a great number of nodes, that this new way of routing will help in facing a lot of attacks based on sniffing, and other types of attacks like DoS.
Article
Targeted attacks against network infrastructure are notoriously difficult to guard against. In the case of communication networks, such attacks can leave users vulnerable to censorship and surveillance, even when cryptography is used. Much of the existing work on network fault-tolerance focuses on random faults and does not apply to adversarial faults (attacks). Centralized networks have single points of failure by definition, leading to a growing popularity in decentralized architectures and protocols for greater fault-tolerance. However, centralized network structure can arise even when protocols are decentralized. Despite their decentralized protocols, the Internet and World-Wide Web have been shown both theoretically and historically to be highly susceptible to attack, in part due to emergent structural centralization. When single points of failure exist, they are potentially vulnerable to non-technological (i.e., coercive) attacks, suggesting the importance of a structural approach to attack-tolerance. We show how the assumption of partial trust transitivity, while more realistic than the assumption underlying webs of trust, can be used to quantify the effective redundancy of a network as a function of trust transitivity. We also prove that the effective redundancy of the wrap-around butterfly topology increases exponentially with trust transitivity and describe a novel concurrent multipath routing algorithm for constructing paths to utilize that redundancy. When portions of network structure can be dictated our results can be used to create scalable, attack-tolerant infrastructures. More generally, our results provide a theoretical formalism for evaluating the effects of network structure on adversarial fault-tolerance.
Conference Paper
Tenderfoot, presently clients who are utilizing the web, however, do not worry about the security issues. The information that is being transmitted on the system is not thought to be protected. There is such a variety of dangers, like sniffing, ridiculing and phishing, that exists. With the assistance of a few devices like Wireshark, firewall and the Microsoft disk operating framework, we can counter and quantify the assaults. Here, in this paper, we propose a solution which greatly improves on the other proposed solutions based on ARPWATCH and the ARP central server (ACS).
Chapter
In this paper, the author proposes a methodology to perform comparison and validation of proposed intrusion detection and prevention systems (IDS/IPSs) designed for cyber-physical systems (CPSs). This approach consists of a software model of a CPS, as well as a variety of sample cyber attacks and a metric for comparing IDS/IPS performance. Securing critical infrastructure from cyber attack is an important step in reducing the likelihood of a system failure and the resulting losses of property and human life. Independent review is necessary in the scientific research process to determine the viability of proposed solutions, their reproducibility, and their usefulness when compared to other potential defenses. The design of the model and test attacks are complex enough to show their impacts, yet simplistic enough to allow researchers to easily reproduce them and to focus instead on the results of their testing.
Conference Paper
In this paper, we focus on enhancing security at the Network Layer, where we've already developed two algorithms, pathfinder and Secure-Load-Sharing (SLS), with the main purpose of finding all possible paths with different intermediate nodes, to allow restraining attacks based on sniffing. But initially, we had a limitation of 12 nodes that pathfinder could handle. So with this paper, we propose a new version of these algorithms which will allow managing networks with more than hundreds of nodes. To validate the proposal, an implementation of the new algorithms was made. The simulation proves, in addition to its efficiency in handling a great number of nodes, that this new way of processing has no major impact on router performance while calculating routes and dispatching messages.
Article
As defenders, it is extremely dangerous to be ignorant of how attackers can disrupt our systems. Without a good understanding of the relative ease of certain attacks, it's easy to adopt poor policies and procedures. A good example of this is the tendency for some organizations to use invalid or "self-signed" certificates for SSL, an approach that both trains the user to ignore certificate warnings displayed by the browser and leaves connections vulnerable to man in the middle attacks. In this article, we illustrate how easy such attacks are to execute; we hope this will serve as an incentive to adopt defenses that not only seem secure, but actually are!
F. Callegati, W. Cerroni, M. Ramilli, Man-In-The-Middle Attacks to https protocol, IEEE Security and Privacy, Volume 7, Issue 1