Man-in-the-middle attack Principle
A man-in-the-middle attack (MITM attack) is an "indirect" intrusion: the attacker places a computer under their control on the network path between two hosts that believe they are talking directly to each other, and relays their traffic while reading or altering it. That computer is the "man in the middle".
Two common methods for man-in-the-middle attacks: ARP spoofing and DNS Spoofing
1. DNS Spoofing
The victim's DNS query reaches the attacker, either because the attacker sits on the path or has become the victim's resolver. The attacker answers with a forged DNS response whose A record points at an IP address under the attacker's control instead of the real one. The victim then connects to that address, where the attacker has set up a copy of the real site (a bank login page, for example) to harvest whatever is entered, such as account numbers and passwords; the result is a form of phishing. For an individual user the usual advice applies: do not follow unfamiliar links, do not carry out transactions on unknown or small sites, and know the exact domain name of the site you intend to use. Noting down the IP addresses of frequently used sensitive sites and typing them in directly is sometimes suggested, but it is fragile (addresses behind CDNs and load balancers change) and is not the strongest check available: a forged site cannot present a valid HTTPS certificate for the real domain name, so a certificate warning on a site that normally shows none is exactly the signal that the host has been spoofed.
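To make concrete which fields a forged DNS reply must carry, the following added example (not code from the original article) builds a stub resolver's query and the response an attacker would forge for it, then applies the checks a plain stub resolver performs before accepting an answer. The domain name, transaction IDs and the attacker address are constructed values; in particular "203.0.113.7" is a documentation address and stands in for the attacker's server.

```python
import struct

# Constructed example (not from the original article): a stub resolver's view of a
# DNS exchange, showing which fields a forged reply must match and why an on-path
# attacker can always match them. Names and addresses are invented.

def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(msg: bytes, off: int):
    """Decode a name at offset `off`, following RFC 1035 compression pointers."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        if ln & 0xC0 == 0xC0:                       # pointer: 14-bit offset into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail.rstrip("."))
            return ".".join(labels) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln

def build_query(txid: int, name: str) -> bytes:
    """Standard A query: header (RD set, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def forge_response(query: bytes, attacker_ip: str) -> bytes:
    """What the attacker does: copy ID and question from the observed query, append an A record."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR=1 RD=1 RA=1, ANCOUNT=1
    rdata = bytes(int(o) for o in attacker_ip.split("."))
    # NAME is a compression pointer (0xC00C) to the question name at offset 12; TYPE A, CLASS IN, TTL 60
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, len(rdata)) + rdata
    return header + question + answer

def parse_message(msg: bytes) -> dict:
    """Parse the header, the first question and any A answers (enough for a stub resolver)."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "qtype": qtype, "answers": answers}

def client_accepts(query: bytes, response: bytes) -> bool:
    """The matching a plain stub resolver does (RFC 5452): the reply must echo the query's
    ID and question. Everything checked here was visible to whoever saw the query, so it
    only defeats blind, off-path guessing, not a man in the middle."""
    q, r = parse_message(query), parse_message(response)
    return r["is_response"] and q["id"] == r["id"] and q["qname"] == r["qname"] and q["qtype"] == r["qtype"]

def demo() -> dict:
    query = build_query(0x1A2B, "login.example.com")
    on_path = forge_response(query, "203.0.113.7")   # attacker saw the query: every field matches
    # an off-path attacker never saw the query and has to guess the 16-bit ID (and the source port)
    off_path = forge_response(build_query(0x1A2C, "login.example.com"), "203.0.113.7")
    return {
        "on_path_accepted": client_accepts(query, on_path),
        "on_path_answer": parse_message(on_path)["answers"],
        "off_path_accepted": client_accepts(query, off_path),
    }

if __name__ == "__main__":
    print(demo())
```

The point of the two cases in `demo()` is that ID and port randomization protect against a blind forger on the Internet, but they do nothing against the on-path attacker this section describes, who copies those fields straight from the query. That is why the defence has to live above DNS, in the HTTPS certificate check, or in an authenticated transport for DNS itself.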
2. ARP Spoofing
In a TCP/IP network the routing table decides where an IP packet goes next, but delivery on the local link is by hardware (MAC) address: the Ethernet frame carrying the packet is addressed to a MAC, and only the interface with that MAC accepts it. Every host therefore keeps an IP-to-MAC mapping table, the ARP cache, in memory. The cache is dynamic: entries expire after the ARP cache timeout and are refreshed (static entries can also be added by hand). Before sending an IP packet to a host on the local network (or to the gateway), the host looks the destination IP up in the cache; on a miss it broadcasts an ARP request ("who has 192.168.1.1?"), the owner of that address replies with its MAC, the host updates its cache, and the frame is sent.
ARP spoofing abuses the fact that ARP has no authentication and most stacks update their cache from any reply they receive, whether or not they asked for it. The attacker sends forged replies telling the victim that the gateway's IP address is at the attacker's MAC (and usually also telling the gateway that the victim's IP is at the attacker's MAC). Both caches now point at the attacker, who forwards the traffic between the two and can read or modify it in transit. On the wire this shows up as an IP address whose MAC binding suddenly changes, or as ARP replies that no request asked for.
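The following added example (not code from the original article) shows the detection side of the mechanism just described: it builds Ethernet/ARP frames in-process for a victim, a gateway and an attacker, feeds them to a small arpwatch-style monitor, and reports the two symptoms of cache poisoning named above, a reply nobody requested and an IP whose MAC binding flips. All MAC and IP values are constructed; a real deployment would feed the monitor frames from a raw socket or libpcap instead of `run_demo()`.

```python
import struct

# Constructed example (not from the original article): a minimal ARP watcher in the
# style of arpwatch. Frames are built in-process instead of captured from a NIC, and
# all MAC/IP values are invented.

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(s: str) -> bytes: return bytes.fromhex(s.replace(":", ""))
def mac_str(b: bytes) -> str: return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s: str) -> bytes: return bytes(int(o) for o in s.split("."))
def ip_str(b: bytes) -> str: return ".".join(str(x) for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None) -> bytes:
    """Ethernet II frame carrying an RFC 826 ARP packet (htype=1 Ethernet, ptype=IPv4)."""
    if dst_mac is None:   # requests are broadcast, replies go back to the requester
        dst_mac = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame: bytes):
    """Return the fields of an Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(frame[6:12]), "op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}

class ArpWatch:
    """Learn IP->MAC bindings from replies and alert on the symptoms of cache poisoning."""
    def __init__(self):
        self.bindings = {}     # ip -> mac, as learned from ARP replies
        self.pending = set()   # IPs asked for in requests and not yet answered
        self.alerts = []

    def observe(self, frame: bytes) -> None:
        p = parse_arp(frame)
        if p is None:
            return
        if p["op"] == ARP_REQUEST:
            self.pending.add(p["target_ip"])
            return
        if p["op"] != ARP_REPLY:
            return
        ip, mac = p["sender_ip"], p["sender_mac"]
        if p["eth_src"] != mac:        # frame source and ARP sender disagree: hand-crafted packet
            self.alerts.append(f"{ip}: Ethernet source {p['eth_src']} != ARP sender {mac}")
        if ip in self.pending:
            self.pending.discard(ip)
        else:                          # nobody asked; gratuitous ARP is legitimate too, so informational
            self.alerts.append(f"{ip}: unsolicited reply claiming {mac}")
        old = self.bindings.get(ip)
        if old is not None and old != mac:   # the binding flip is the strong signal
            self.alerts.append(f"{ip}: MAC changed {old} -> {mac} (possible ARP spoofing)")
        self.bindings[ip] = mac

def run_demo() -> ArpWatch:
    gw_ip, gw_mac = "192.168.1.1", "00:11:22:33:44:01"
    victim_ip, victim_mac = "192.168.1.10", "00:11:22:33:44:0a"
    attacker_mac = "de:ad:be:ef:00:01"
    frames = [
        build_arp(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gw_ip),  # victim asks for the gateway
        build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),                 # real gateway answers
        build_arp(ARP_REPLY, attacker_mac, gw_ip, victim_mac, victim_ip),           # poison: "gateway is at attacker"
    ]
    w = ArpWatch()
    for f in frames:
        w.observe(f)
    return w

if __name__ == "__main__":
    for alert in run_demo().alerts:
        print(alert)
```

After the third frame the watcher's table holds the attacker's MAC for the gateway address, which is exactly the state the victim's own ARP cache is in once poisoned; the difference is that the watcher remembers the previous binding and says so. Gratuitous ARP from failover setups will trip the unsolicited-reply check, so in practice that alert is tuned down and the binding change is what pages someone.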
Common methods to prevent MITM attacks
1. Encrypt confidential data before transmission (in practice, TLS), so that a copy intercepted by the man in the middle is useless. Encryption alone is not enough: the client must also verify the server's identity (certificate validation), otherwise the attacker simply terminates the encrypted session on their own machine and opens another one to the real server.
2. Detect unusual devices or IP addresses: flag a login from a device or source address that has never accessed the account before.
3. Detect device or IP frequency anomalies: for example, a single device or IP address accessing a large number of user accounts at the same time, which is what a harvesting proxy looks like from the server side.
4. Out-of-band authentication. The system generates a one-time PIN and delivers it through a second channel, for example an automated call-back or an SMS gateway sending to the user's registered phone; the user enters the PIN into the session, and the server checks that it matches before treating the session as the real user's. This defeats an attacker who only captured the password, since the PIN never passed through them. An attacker relaying the session in real time can relay the PIN as well, so one-time codes stop credential replay but not a live relay unless the out-of-band message also shows what is being authorized.