ISSN: 2277 – 9043
International Journal of Advanced Research in Computer Science and Electronics Engineering (IJARCSEE)
Comprehensive Analysis of Man in the Middle Attack and Propose Statistical Detection
Approach
Manish Pathak1, NIkhat Raza 2
Department of Computer Science & Engineering.
Bansal Inst. of Sc. & Technology , Bhopal, India
Abstract— Smart computing, fast internet, ease of network
availability, ethic of wireless communication, advancement in
micro electronics and routing protocols and standards forms
another world called virtual world where real actions are
taken place and planned. Sharing of the valuables was/are
the fundamental key issues. Networking (internet or Internet)
is inherently adopting the same concept. Last few decades has
motivated the open source development application and tools
without bothering of good or bad. Availability of hacking,
cracking and sniffing open source tools makes impulsive to
break the confidentiality of the individuals. Humans are
always want to break the integrity of the valuables of others
and tries to make unavailable to the authenticate persons.
Threat is all around there. Security analyst observed that the
probability of occurring intrusive action is higher in case of
insider attack rather than outsider one. Intrusion in an art and
science of entrance into the host/network without permission
i.e. illegitimately entrance [1]. Modern attacks are not only
break the confidentiality even they potentially harmful for the
system or network both. This article presents the
comprehensive analysis of the menace of Man in the Middle
Attack (Mitm), one of the most dangerous insider types of
attack in LAN or Ethernet. Man in the middle attack is types
of attack in which intruders sit between to communicator
parties and fools to both via sending false message to each
other on behalf of each other.
Keywords- ARP, IDS, Man in the middle, MitM, SYN Flood.
TCP.
I. INTRODUCTION
Smart computing, fast internet, ease of network availability,
ethic of wireless communication, advancement in micro
electronics and routing protocols and standards forms
another world called virtual world where real actions are
taken place and planned. Sharing of the valuables was/are
the fundamental key issues. Networking (internet or
Internet) is inherently adopting the same concept. Last few
decades has motivated the open source development
application and tools without bothering of good or bad.
Availability of hacking, cracking and sniffing open source
tools makes impulsive to break the confidentiality of the
individuals. Humans are always want to break the integrity
of the valuables of others and tries to make unavailable to
the authenticate persons. Threat is all around there.
Security analyst observed that the probability of occurring
intrusive action is higher in case of insider attack rather than
outsider one. Intrusion in an art and science of entrance into
All Rights Reserved © 2014 IJARCSEE
Volume 3, Issue 5, May 2014
the host/network without permission i.e. illegitimately
entrance [1]. Modern attacks are not only break the
confidentiality even they potentially harmful for the system
or network both. Various types of the attack has been
popular in intruders community now a day like DoS, SYN
Flood, Worm, botnet, buffer overflow, zero day attack and
Man in the middle attack (Mitm). There are many methods
have been applied to detect and prevent intrusion and assure
to preserve CIA (Confidentiality, Integrity and Availability)
[1]. One of those techniques (tools) is Intrusion Detection
System (IDS) or IPS (Intrusion Prevention System) or
combined IDPS. According to author [2], IDS has prolific to
identify the intrusion in both mode host based and network
based but lacked to automatically response inner intranet
attacks viz. man in the middle attack to the intrusive
activity. Hence author called IDS as after-the-fact
notification [3].
This article presents the comprehensive analysis of the
menace of Man in the Middle Attack (Mitm), one of the
most dangerous insider types of attack in LAN or Ethernet.
Man in the middle attack is types of attack in which
intruders sit between to communicator parties and fools to
both via sending false message to each other on behalf of
each other. More details of MITM has been explore in
section -2. This attack has more dangerous for Ethernet due
to absence of security provision on it. Secondly it can easily
be launch by various open source tools.
.
Rest of the paper organized as follow, section 2 discusses
about Man in the middle attack and their modes to exploit it
section 3 focuses on related work in the field MitM attack.
Section 4 explores the brief idea about proposed solution
and finally section 5 concludes the article.
II. M AN IN MIDDLE ATTACK
Author of [4] has depicted a new threat as a new security
challenge for the security analyst Man in the middle attack
(MitM). MitM also called specialized Ack-storm DoS
attacks, a modern family member of Denial of Service
(DoS) attacks abusing exquisite vulnerability in the
conventional TCP protocol specifications. Such type of
attack exploitation has spread using a very weak MitM
attacker, which can only snoop intermittently and spoof
packets (aWeakling in the Middle (WitM)). The attacks can
reach theoretically unlimited amplification; author has
269

International Journal of Advanced Research in Computer Science and Electronics Engineering (IJARCSEE)
estimated the amplification of over 400,000 against popular
web sites before aborting our trial attack. Ack storm DoS
attacks are practical able. Indeed DoS are apparently
unfolded and exploit immensely, particularly in view of
epidemic accessibility/availability of open wireless
networks, conquering to an intruder to penetrate WitM
potentially to millenary connections. Flooding attacks
conceivably initiated across the access network for instance
proxy server or web server using blocking URL, contrary
sites (web), or adjacent to the Internet backbone. Despite of
all flooding can also pursuit counter to Transport Layer
Security (TLS)/SSL connections same as to traditional (un-
secured) TCP connections, but fizzles against IPSec or link-
layer encrypted types of network connections.
Figure 1. shows the working of convention Man in the
Middle Attack (MitM)-
Fig. 1(a). Exploitation of Man in the Middle Attack Scenario
Fig.1(b). Exploitation of Man in the Middle Attack through ARP
Stages to perform TCP ACK storm attack:
According to author [4] following 3 steps are
followed by the attacker to launch this attack-
1. Pick up (at least) one packet from a TCP
connection between a client and a server.
2. Generate two packets, each addressed to one party
and with sender address of the other party (i.e.
spoofed). The packets must be inside the TCP
windows of both sides. The packets should have
content eat least one byte of data.
3. Send the packets to the client and the server at the
same time. The connection will then enter an
All Rights Reserved © 2014 IJARCSEE
ISSN: 2277 – 9043
Volume 3, Issue 5, May 2014
infinite loop of sending ack packets back and forth
between both parties
Effects of the TCP SYN +ACK STROM ATTACK
When utilized by a WitM attacker, Ack-storm DoS
attacks target traffic in the reception range of the attacker’s
wireless card. As such, the attack’s traffic bottleneck is the
local Internet infrastructure. Most of the non-encrypted
HTTP based traffic in the local network is handled by the
local proxy server. When the attack takes place, it overloads
the proxy, making it unavailable to the general public.
The attack may also target a specific web site. In order to
assure that the HTTP traffic to the site indeed reaches the
web site’s servers, and not handled by a proxy, the attacker
may target SSL-based traffic. SSL traffic is encrypted and is
handled by the web site’s own servers, and not by any other
entity. Among the web sites that use an encrypted
connection we can find banks, Email providers and other
sites containing personal information of the connecting
client.
III. RELATED WORK
Author of [2] has analyses the effectiveness of the
IDS. ]. In support of this author has presented a survey of
[5] and [6] in which the speedier nature of worms has been
calculated like hyper virulent worms can infect all
vulnerable nodes (host) within 15 minutes, whereas [4]
observed that even small worms can disrupt the all
vulnerable servers within 30 seconds. That means the
latency between raising an alarm to initiate preventive
activity is a sufficient time to intrusion to vanish whole
service. Hence author concludes that, there is urgent
necessity of automated responsive functionality in the
modern security systems such IDS/IPS. Intrusion
Prevention System (IPS) has embedded with such
functionality of automated healing to the intrusion activity
to sit inline and check every packet before reaching to host.
Author has integrated both IDS’s and IPS’s technique to get
full protection of both types of attack insider or outsider. Or
this author proposed virtual inline techniques in conjunction
with IDS/IPS to secure from intrusion especially defends
against MITM. In this method author has placed one NIDS
and one NIPS. And create a virtual path (sender ARP
+NIPS+Reciever) for the force to transmitted
incoming/outgoing packet, so that packet inspection has
been operated using NIPS. If there is any suspicious packet
founds, NIPS has raise the alarm and automatic healing by
sending TCP, RST enabled packet to sender.
Authors method it just an idea of collaborated the existing
intrusion detection technique by placing a virtual path
between them.
Per A. Hallgren and et. al. [7] has proposed a lightweight
authentication system to fight against min in the middle
attack. Author [7] has surveyed that modern internet has
driven in both modes insecure and secure via HTTP and
HTTPS. In HTTPS confidentiality and integrity has the
major concern while accessing data from internet, whereas
270

International Journal of Advanced Research in Computer Science and Electronics Engineering (IJARCSEE)
HTTP does not care about this. While accessing web server
data integrity is the major point to be considered. A biggest
threat is the replay attack such as Man in the Middle Attack.
Author has analyzed that HTTPS has not computationally
suitable for thin devices such and smart phone. Due to
heavy computation in HTTPS it greatly affects the end user
performance. Hence author has proposed an lightweight
authentication system to shield against man in the middle
attack. Author method has installed on server and client
both and preserves the integrity with less computational
overhead.
Authors proposed mechanism has used the idea of Message
Authentication Code (MAC) of cryptography to intact the
integrity of the data. Server GlassTube(author’s method) has
generated a random MAC and append it with the message to
transmitted to requested user, client GlassTube interface has
recalculate the MAC and compare it, if no changes that
means data is clear else damage (may be by the attacker
using MITM).
Author’s method is designed for smart phones
where battery and computational constraint as compared
normal computational device. While in other systems
HTTPS is more suitable for security because HTTPS use
SSL/TLS, asymmetric key for enciphering and HMAC
mechanism to assure confidentiality, integrity and
availability (CIA) of the information.
According to [8], dependences of today’s daily
utility to heavy computation on the internet has create a
huge security chaos. Author has discusses the seriousness of
new challenge threat to the network security i.e. ARP
spoofing or it’s derive form ―Man in the Middle Attack‖,
one of the most dangerous to spoil the integrity of the data
and most common security attack. Author has surveyed two
well known methods of preventing ARP spoofing-
additional hardware based method and static ARP table
concept. Hardware based method has some limitation not
easy to deploy everywhere and costly too. Whereas static
ARP table has good defense against ARP spoofing attack
but main problem is efficiency degradation, secondly in
moderns scenario DHCP is preferred method to reduces
manual logical to physical mapping it is more problematic
to use the concept of static approach. Author has used the
concept of agent to detect and mitigate the MITM attack
under ARP spoofing. To achieve this author has developed
two types of agent Client_agent and Master_Agent. Client
agent has been deployed on the monitoring machine (where
attack will be exploited) or machines, whereas master agent
has been deployed on other machines where attacks
detection and has been initiated by checking the ARP
routing table has been periodically monitored client agent
and reported it same to master agent periodically.
One main drawback is this to use of client agent its
deployment and installation on the each machines.
According to author [9] has talking about the Ethernet
security. One of the most modern LAN technology is
Ethernet due to its attractive varying data rates (10MBPS,
All Rights Reserved © 2014 IJARCSEE
ISSN: 2277 – 9043
Volume 3, Issue 5, May 2014
100MBPS, 1GBPS, 10GBPS) availability and ease of
deployment among home and corporate users. Another dark
side is the security aspect of the Ethernet such s flooding
(ARP), man in the middle attack etc.
In this article author has surveyed various threats related
to Ethernet technology like ARP spoofing, out of band,
ARP and DHCP poising, DoS (denial of service) and man in
the middle attack. Author has depicted that MITM is hard
using ARP but easy on STP (Spanning Tree Protocol). In
despite of this various open source tools are available to
exploit the MITM attack such as etterpcap (wireshark), cain
and Abel tools (for windows).
Whereas author [4] has deeply surveyed and experiment
about many web server and found that maximum research
work in latest cryptography (encipher/decipher) and its
technique embrace the concept of all-powerful Man In The
Middle (MitM) attacker standard. The MitM invader reins
the entire network traffic in the channels in underneath him,
along with the intelligence to watch it, and capable of block
the traffic (or packet) and customization of any chunks (or
whole message) passes from the channel. In opposed to the
majority of the existing work in context of Denial of Service
(DoS) attacks, examine the adversity that adequate weaker
attackers can cause, in order to focus on the most feasible
and realistic attacks. Alike intruders only capable of to
broadcast/send spoofed packets, or just have weaker
competence like – transmitting raw (fake) packets, or some
fixed length control packet (well-formed), or even simply
requesting packets such HTTP requests (e.g., puppets,
seeLam et al., 2006 [10]). In this article author has
investigated the Weakling In The Middle (WitM) attacker
miniature. In WitM an intruder can snoop packets while
transmitting, however with serious restrictions, primarily:
snooping for one way connection together with getting
small proportion of the information sent. These restrictions
are enthused by real-world wireless snooping capacity,
particularly in context of to open wireless networks or
connections. The discriminatory constraint is owing to the
verity that usually an intruder is solitary capable of snooping
to communication from the base station (access point), and
the small proportion is because of the weak reception next
to a remote snooper. Whereas open invitation for the
intruder is due to Open wireless networks connection are
fashionable are becoming more and more common, even if
it’s in restaurants, malls or even as a city-wide infrastructure
(Wong and Clement, 2007) [11].
Due to the modern technological advancement remote
networks (far furlong) are no more secure. For example
Attackers can make use of directional Yaagi antenna to get
clear or low powered signals efficiently from a remote point
having a distance up to 12 miles just worth of no cost or
spending few dollars without the help of any special
hardware (see Chandra, 2009or numerous web pages [12]).
In this article author [4], has investigate the TCP SYN
FLOOD also termed as ―TCP ACK STRORM‖, According
to author, Ack-Storm DoS Attacks’ that, by injecting (two
271

International Journal of Advanced Research in Computer Science and Electronics Engineering (IJARCSEE)
or more) packets into an existing TCP connection, cause a
long exchange of TCP packets between a client and a server,
terminated only by connection reset or packet losses. This
enables a WitM attacker to disrupt services to local and
regional junctions in the Internet infrastructure, as well as to
individual web sites and services. The Ack-storm behavior
of TCP has been mentioned before, in Joncheray (1995) and
Wu et al. (2007), as a side effect of TCP hijacking attacks,
and thus as something to be minimized and prevented.
IV. PROPOSED SOLUTION
Before presenting the proposed detection system following
problems has been identify from base paper [4]-
In the article [4] presented by author has contributed in
following points-
1. Author proposed the WitM attack model and
demonstrates how a WitM attacker can perform
DoS attacks.
2. They present the Ack-storm DoS attacks. These are
powerful attacks, requiring low resources (low
probability to intercept packets from the network,
low bandwidth requirements) from the attacker and
providing the highest amplification factor
measured until today.
3. And present Effective Amplification, a better
measure of the effectiveness of attacks compare to
traditional amplification methods.
4. The Ack-storm DoS attacks demonstrate an
advantage of the use of IPSec over the use of
TLS/SSL. SSL connections are vulnerable to the
attacks, and even help the attacker target the
servers and not the web proxy. IPSec, on the other
hand, is immune to the attack, as it does not reveal
TCP connection details to an eavesdropper
attacker.
Proposed Work:
Proposed work is closely related to the article [1], in which
author presented and evaluated the impact of the SYN flood
and DoS attack using IPERF tool.
This proposed work is extends following point as research
contribution towards network security concern-
1. Measurement and Detection of DDoS and UDP
Flood attack
2. Detection of DoS and SYN Flood Attack in
android Device network.
3. Measurement of WITM model in Android enabled
devices.
4. Trying new tools viz NMAP, ETTERPCAP and
Hashdostester or HPING3 for detecting and
attacking the scenario.
All Rights Reserved © 2014 IJARCSEE
ISSN: 2277 – 9043
Volume 3, Issue 5, May 2014
5. Developing a behavioral based solution to protect
from all such harmful attack.
V. CONCLUSION
Exponential growth of computers and communication brings
new types of threat to the user and their information. LAN
security is always major concern due to absence security
provisions in Ethernet. In this article the most dangerous
insider threat has been explore i.e. Man in the Middle Attack.
Article has presets a comprehensive literature survey in the
field of Man in the middle Attack with their existing solution
and their effects. Weakling MitM is another danger to snoop
the packets (or traffic) illegitimately. This article presents a
novel statistical approach to detect and prevent MitM. Future
work is to make it operationable with assuring low cost and
high efficiency.
REFERENCES
[1] Rathore, J.S. , Saurav, P. and Verma, B. ―AgentOuro: A Novelty
Based Intrusion Detection and Prevention System‖, IEEE, Fourth
International Conference on Computational Intelligence and
Communication Networks (CICN), pp. 695-699, 2012.
[2] Zheng Wu, Debao Xiao, Hui Xu, Xi Peng and Xin Zhuang ―Virtual
Inline: A Technique of Combining IDS and IPS Together in Response
Intrusion‖, IEEE, First International Workshop on Education
Technology and Computer Science, 2009.
[3] Top Layer Networks Inc., ―How to Properly Evaluate Network
Intrusion Prevention Systems (IPS)‖, http://www.toplayer.com, 200.
[4] Raz Abramov and Amir Herzberg ―TCP Ack storm DoS attacks‖,
Elsevier Science Direct, computers & security 33 (2013) 12-27, 2013.
[5] N. C. Weaver, ―Warhol Worms: The Potential for Very Fast Internet
Plagues‖, http://www.cs.berkeley.edu/nweaver/warhol.html, 2001.
[6] G. G. Staniford, S. and R. Jonkman, ―Flash Worms: Thirty Seconds
to Infect the Internet‖, http://www.silicondefense.com/flash/, 2002.
[7] Per A. Hallgren, Daniel T. Mauritzso and Andrei Sabelfeld
―GlassTube- A Lightweight Approach to Web Application Integrity‖,
ACM, PLAS’13, June 20, 2013, Seattle, WA, USA, 2013.
[8] Seungpyo Hong, Myeungjin Oh and Sangjun Lee ―Design and
implementation of an efficient defense mechanism against ARP
spoofing attacks using AES and RSA‖, Elsevier Science Direct,
Mathematical and Computer Modelling 58 (2013) 254–260, 2013.
[9] Timo Kiravuo, Mikko S¨arel¨a, Jukka Manner ―A Survey of Ethernet
LAN Security‖, IEEE Communications Surveys & Tutorials,
Accepted For Publication, 2013.
[10] Lam VT, Antonatos S, Akritidis P, Anagnostakis KG. Puppetnets:
misusing web browsers as a distributed attack infrastructure. In:
SIGSAC: 13th ACM conference on Computer and Communications
Security. ACM SIGSAC; 2006.
[11] Wong M, Clement A. Sharing wireless internet in urban
neighbourhoods. In: Steinfield C, Pentland BT, Ackerman M,
Contractor N, editors. Communities and technologies 2007. London:
Springer, ISBN 978-1-84628-905-7; 2007. p. 275e94.
URL:http://dx.doi.org/10.1007/978-1-84628-905-7_15; 200.
[12] Chandra P. How to make a wifi antenna out of a Pringles
can.makeuseof.com. URL:http://www.makeuseof.com/tag/how-to-
make-a-wifi-antenna-out-of-a-pringles-can-nb/; 2009.
272