2.4.1 Man-in-the-Middle Attacks

There are two basic styles of man-in-the-middle attack. In the first, an attacker sets up a centrally located station that poses as a valid pathway in order to monitor communications. In the second, the attacker sets up a centrally located station that both monitors and modifies the information.

The second type of attack involves an advanced man-in-the-middle strategy. Not only must the attacker decode the certificate and decrypt the message; after the data is modified, the message must be re-encrypted and a new certificate synthesized. This type of attack is sometimes referred to as a manipulation attack.

Man-in-the-Middle Defense

The assumption in a man-in-the-middle attack is that the attacker will pose as the client in an effort to gather information from the server.

The primary defense is to identify the client using a digital certificate. The first step is to ensure that the keys have been signed by the certificate authority that issued the certificate. This is the best way to secure World Wide Web (WWW) traffic. However, careless verification of certificate authorities is a weakness of this defense. There are times when a hardware device, such as a token, can be a strong addition to server defense, because it identifies the user and not just the machine.

It is theoretically possible to host the attack on a compromised server in order to gather information on clients. The most likely motive would be to build up multiple zombie computers, which would complete tasks assigned to them by the attacker. Client-server applications are widely deployed over the Internet, and emerging networks require that the client's integrity be established. Certificates can help establish identity, but as indicated, if the certificate issuer is not diligent, this process can be corrupted.
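The certificate check described in the two paragraphs above, as an added Go example that is not part of this chapter. Using only the standard library, it builds a trusted CA, a genuine server certificate, and a certificate that an interposed station has synthesized under its own CA (the manipulation attack of the previous subsection), then runs the client's chain check against a strict root set and against one that carelessly admits the rogue CA. The hostnames, the CA names and the helper names makeCert, Trusted and Demo are assumptions made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues an in-memory test certificate for name: a self-signed CA
// when isCA is set, otherwise a server certificate signed by parent/parentKey.
func makeCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // a root CA signs itself
	}
	// Errors are ignored: this is constructed test data, not production issuance.
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Trusted is the client's check: does cert chain to a CA in roots and name host?
func Trusted(cert *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
// Demo checks the genuine certificate and the synthesized one against a strict root set and a lax one.
func Demo() (genuineOK, synthesizedOK, laxRootsOK bool) {
	const host = "www.example.com"
	ca, caKey := makeCert("trusted-ca.example", true, nil, nil)
	server, _ := makeCert(host, false, ca, caKey)
	rogueCA, rogueKey := makeCert("rogue-ca.example", true, nil, nil)
	synthesized, _ := makeCert(host, false, rogueCA, rogueKey)
	strict, lax := x509.NewCertPool(), x509.NewCertPool()
	strict.AddCert(ca)
	lax.AddCert(ca)
	lax.AddCert(rogueCA) // the lax store admits the rogue CA as well
	return Trusted(server, strict, host), Trusted(synthesized, strict, host), Trusted(synthesized, lax, host)
}
```

Only the genuine certificate passes against the strict root set; the synthesized one is rejected there but accepted as soon as the rogue CA is admitted as a root, which is exactly the non-diligent-issuer weakness the text warns about.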

When attacks are mounted against the client, they are particularly hard to detect, and normal anti-virus software may not catch them. The most useful defense may be a software firewall or even a host-based intrusion detection system. A host-based intrusion detection system works not only by looking for malicious patterns in packet flow, but also by monitoring changes in the client's file system, such as extra directories, login accounts, scripts, or passwords.

Network-based intrusion detection systems may also be able to detect malicious traffic. This is covered in detail in Chapter 11.