In the real-world game of keep-away, two people toss a ball back and forth while a third person - the man in the middle - tries to intercept the ball while it's en route. In the cyberworld, the game of keep-away gets a new twist: the two players have no idea the man in the middle (MITM) exists. It works like this:
- Computer A initiates a conversation with Computer B.
- Computer C intercepts that attempt and then relays the request to Computer B.
- Computer B responds, Computer C intercepts the response, and returns it to Computer A.
While Computer C holds the intercepted communication, it can modify it or even redirect it to an entirely new destination (for example, Computer D). Meanwhile, Computer A continues to believe that it is communicating only with Computer B.
So how does Computer C manage to insert itself between A and B? One way is through a process known as ARP poisoning. ARP, or Address Resolution Protocol, uses a 'pick me' approach to resolving computers on a network. When Computer A tries to communicate with B, ARP sends out a broadcast to the network devices asking 'who is B?'. But there is no authentication built into ARP, and thus ARP has no way of determining whether the response (pick me) really comes from B or not. By exploiting this lack of authentication, Computer C can tell ARP it is Computer B, after which ARP will begin directing future requests for Computer B to the MITM Computer C.
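As an added illustration (not part of the original article), the Python sketch below shows how a defender can spot the ARP behaviour described above from passively recorded ARP replies: an IP address that suddenly maps to a different MAC address, and one MAC address answering for several IP addresses. The observation format, the function names and all addresses are assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed sample: (timestamp, IP, MAC) sightings from ARP replies.
# All addresses are made up for illustration.
SAMPLE_OBSERVATIONS = [
    (1, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),  # Computer B
    (2, "192.168.1.10", "aa:aa:aa:aa:aa:0a"),  # Computer A
    (3, "192.168.1.66", "cc:cc:cc:cc:cc:66"),  # Computer C
    (4, "192.168.1.1",  "CC-CC-CC-CC-CC-66"),  # B's IP now answered by C's MAC
    (5, "192.168.1.10", "aa:aa:aa:aa:aa:0a"),  # ordinary refresh, no change
]

def normalize_mac(mac):
    """Make Windows-style (AA-BB) and Unix-style (aa:bb) MACs comparable."""
    return mac.strip().lower().replace("-", ":")

def find_arp_anomalies(observations):
    """Return alerts for IP->MAC rebinding and for one MAC claiming several IPs."""
    ip_to_mac = {}                  # last MAC seen for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has answered for
    alerts = []
    for ts, ip, raw_mac in sorted(observations):
        mac = normalize_mac(raw_mac)
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            # The "pick me" answer for this IP changed hands.
            alerts.append(("rebind", ts, ip, known, mac))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                # One network card is answering for more than one host.
                alerts.append(("multi-ip", ts, mac, tuple(sorted(mac_to_ips[mac]))))
    return alerts

if __name__ == "__main__":
    for alert in find_arp_anomalies(SAMPLE_OBSERVATIONS):
        print(alert)
```

Both alert types also fire for legitimate events such as a replaced network card, a reused DHCP lease or a router answering for several addresses, so they are leads to investigate rather than proof of poisoning.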
DNS poisoning is another form of MITM attack. The DNS, or Domain Name System, resolves domain names to IP addresses. Vulnerabilities on the DNS server can allow attackers to insert malicious DNS information, for example directing all attempts to access a particular banking site to a lookalike site under the attacker's control.
Hosts file manipulation is another method used to redirect traffic. Every Windows-based computer has a local Hosts file which, like DNS, resolves domain names to IP addresses. However, entries in the local Hosts file typically override DNS, and the Hosts file is generally more accessible to attackers - thus malicious Hosts file manipulation is common. Spybot's TeaTimer is an excellent option for protecting the Hosts file and preventing malicious modification.

