5

We seem to spend a lot of time guarding against Man-In-The-Middle (MITM) attacks without discussing who we are actually guarding against.

This is important because if these individuals are unlikely to attack our website or the cost of them doing so is minimal then we can afford to spend less resources guarding against such attacks. For example: https://security.stackexchange.com/a/58729/5002

My understanding is that there are only two ways to intercept internet packets:

  1. Tap into the physical layer (i.e. the phone/cable lines outside my house or WiFi connection).
  2. Tap into ISP infrastructure (the hops between my computer and the destination website).

There are only 3 kinds of people who can carry out these taps:

  1. Anyone with technical knowledge to tap into the physical layer, or hack an ISP.
  2. Anyone with legal power to compel ISPs to intercept the packets.

This leads to three kinds of attackers:

  1. Rogue individuals.
  2. Corporate spies.
  3. The government.

The point I'm trying to make is that if your website is not financially or politically significant (i.e. Stackoverflow) then it is unlikely that MITM attacks are all that relevant. The most an attacker can do is vandalize the site, the probability that anyone would want to do so is low, and the cost of recovery is relatively low. Your average script kiddie might have the motivation, but lacks the technical ability to do so.

Am I missing anything? :)

Gili
  • 2,149
  • 3
  • 24
  • 41
  • 3
    You are missing: shared ethernet & wireless networks, DNS poisoning, and probably a few other things – paj28 May 27 '14 at 16:03
  • 2
    I have a friend who does MITM on his roommates on occasion on a shared wireless network. He says you can essentially tell other computers on the network that your computer is the router. He said the only ones that he hasn't been able to do it on are the Cisco routers that will send a packet telling the computer to switch back. – Travis Pessetto May 27 '14 at 16:10
  • If you have the time, then have a look at Moxie Marlinspikes video about [SSL-strip](http://www.thoughtcrime.org/software/sslstrip/). He talks about setting up a public WLAN hotspot for demonstration. – martinstoeckli May 27 '14 at 17:46
  • The most credible threat apart from IP hijacking would be some form of BGP hijacking or even implementing a hostile transit provider. These attacks are primarily limited to ISPs, but a sufficiently well connected attacker with control of BGP sessions for one or more networks might be able to route traffic in a way that enables a MITM attack. http://en.wikipedia.org/wiki/IP_hijacking#BGP_hijacking_and_transit-AS_problems – Stephanie May 27 '14 at 17:59

1 Answers1

8

There are many more ways of performing a MitM attack:

  • Direct DNS hijacking - spoofing a DNS response to the client's DNS request for the target server, to point to an IP controlled by the attacker.
  • The "Dan Kaminsky DNS attack" (for lack of a better name) - spoofing a DNS response to a client trying to find the nameserver for a host, allowing the attacker to pose as the real nameserver.
  • Address Resolution Protocol (ARP) poisoning - flooding the target with fake ARP broadcasts, to trick it into thinking that the target server's IP points to the MAC address of the attacker's machine on the network.
  • Route protocol spoofing and other attacks against protocols like BGP, RIP, OSPF, etc.
  • Partial MitM via packet injection attacks (e.g. sniffing the network, then spoofing a packet so that its source address is that of the server, and the TCP sequence numbers match the expected values)
  • Spoofing a response to a proxy auto-config script (if the client has one set) to cause it to point to an attacker-controlled proxy on the network.
  • Compromising the target server's account with their domain provider to redirect it to an attacker-controlled IP, which can then act as a transparent proxy.
  • Rogue WiFi APs with common or popular names (e.g. "Starbucks" or "BT-OpenZone")
  • WiFi hijacking with devices such as the Hak5 WiFi Pineapple, whereby it pretends to be any AP that a user device searches for (i.e. "are you there?" "sure, connect to me!")
  • Compromising home routers (the standard SOHO stuff is garbage) to inject into the routing table, add a static DNS entry, etc.
  • Utilising router features such as UPnP to mess with the routing table.

And probably a hundred more others that I can't think of right now...

Polynomial
  • 133,763
  • 43
  • 302
  • 380
  • Coming back from the *what* to the *who*: are you saying that the level of sophistication needed to pull off a MITM attack is low and that even script kiddies could pull it off? Or are the attackers mostly limited to bigger fish like ISPs and the government? Also, don't MITM attacks usually position themselves closer to the client? As such, doesn't it make it harder for them to know which websites to target? – Gili May 28 '14 at 06:59
  • MitM is usually limited to people on the same local network as you, but that might be anyone if you're using open wifi (guy with a laptop at Starbucks), or are in a work environment (malicious insider). But anyone can do a MitM across the internet if they happen to luck out on poorly configured DNS servers or bad passwords on the registrar account. Also, the WiFi hijacking one is trivial - you can buy off-the-shelf devices that do it. – Polynomial May 30 '14 at 13:51
  • The above answer is correct. I would only add that, if the data is secured by properly configured/implemented TLS, the attacker would also need the private key from the server or any of the public keys in the client's trust chain (e.g. all the CAs). – ajl Mar 23 '20 at 22:40
  • @ajl that might be true, but that's not the question. Plus there are other ways to break TLS, like TLS interception. – schroeder Mar 23 '20 at 22:45
  • @schroeder, the question seems to have multiple directions: who has the ability, what networking techniques would they need to facilitate this, and the latter of these seemed to have the corollary of what would they need to successfully attack. Since the OP's motivation was determining how much effort to spend protecting against MITM, the security of the communication seems relevant. But if not, they can ignore. – ajl Mar 24 '20 at 14:54