
I would like to better understand what an attacker who has MitM control on a LAN can do to the victim. I understand that basically a MitM attack means you intercept traffic and can see the data [and also potentially modify it].

Beyond this, can an attacker also use his MitM access to do a denial of service attack? Can the attacker target specific ports? If so, how can I prevent the attacker from causing me a denial of service?

Can the attacker performing MitM on me control all my traffic? If so, what can I do?

Can the attacker know which ports I (the victim) am using at any time and then target those or do something else based on this?

Eric G
Wine

3 Answers

4

Can an attacker block traffic

Yes, an attacker can create, modify or even drop traffic.

Why can an attacker block traffic

As all the traffic flows through the attacker's machine, they can drop traffic.

How can I defend myself

Once you have a MITM attacker you cannot be sure that messages are not being dropped. You can try to detect this with messages that are sent to make sure the connection is live, but this only lets you detect an attack, not work around it while it is in progress.

jrtapsell
  • Hi, thank you for the answers! Can you elaborate a bit on the first part? Any particular commands or tools to use after setting up MITM? I am interested in selecting particular ports. – Wine Jan 01 '18 at 22:18
  • You would use iptables to drop, and to redirect to a script that did more complex manipulation. – jrtapsell Jan 01 '18 at 22:36
1

MITM attacks usually present themselves as an endpoint impersonating another (e.g. a router). For this to work, the impersonator has to act as if it is the impersonatee. This makes the MITM transparent to the user.

To restore security features, such as confidentiality, you have to use application-layer security tools, such as TLS to encrypt your web communications. Since the impersonator cannot fake the server certificate (unless your computer is compromised, or you bypass security alerts), you would be able to detect this. Knowing the ports is irrelevant, as they are part of the payload, and thus are transmitted in the clear in the packets (unless tunnelled).

As far as blocking communication goes, the impersonator can drop any packets it can control. Usually it doesn't do this, because this is detectable (the connection fails).

M'vy
0

A MitM attack can occur from layer 2 up of the TCP/IP stack. In the example you linked to, this is an ARP attack, but you could also intercept traffic at the application level (e.g., technically a web proxy would be a MitM).

MitM is a class of attacks with the explicit purpose of intercepting traffic, either to listen or to modify. As @M'vy notes, technically when you have MitM you can choose what to do with the traffic you intercept, so you could drop the traffic, which would be a DoS. However, there are other easier things to do on the local network for DoS (e.g., a fake DHCP server that points you to a bad gateway or DNS).

If you are on the local network and you want to see what services are running on a victim's machine, you can do a port scan using something like nmap and see what services are running. If you want to see what a victim's outbound traffic is, you can simply monitor traffic using something like Wireshark or p0f. You don't need to have MitM to see what is inside the broadcast domain; MitM could possibly be noisy or detected, so you wouldn't necessarily want to use it just to see what's going on.

In terms of defense, things like 802.1x and Network Admission Control can help. These techniques help to ensure you are only talking to legitimate endpoints and to keep unauthorized nodes off of the network.

Other technologies that can help prevent MitM attacks at layer 2 / 3:

  • DHCP Snooping - "The fundamental use case for DHCP snooping is to prevent unauthorized (rogue) DHCP servers offering IP addresses to DHCP clients. Rogue DHCP servers are often used in man in the middle or denial of service attacks for malicious purposes."
  • Dynamic ARP Inspection - "Dynamic ARP inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. The feature prevents a class of man-in-the-middle attacks, where an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors. "
  • IP Source Guard - "IP Source Guard is a security feature that restricts IP traffic on untrusted Layer 2 ports by filtering traffic based on the DHCP snooping binding database or manually configured IP source bindings."

To prevent a DoS attack you would want to get the local attacker's node off of your network. You may be able to filter traffic on your endpoint once you know the MAC/IP of the attacker (assuming it's not constantly changing). At the network level you may be able to configure your switch/router to disable the attacker's port based on bad behavior. You will need to read the docs for your specific equipment to see if it's possible with what you have.

Eric G
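As an added illustration (not part of any of the answers above), here is a host-side check in Python that applies the Dynamic ARP Inspection idea from the list above to a constructed batch of ARP replies: each reply is compared against a trusted IP-to-MAC binding table, and replies that contradict it, or where one MAC claims more than one address, are flagged. The addresses, MACs and bindings are made up for the example.

```python
"""Host-side ARP consistency check, modelled on what Dynamic ARP Inspection
does on a switch: every ARP reply is compared against a trusted binding
table and replies that contradict it are flagged.  All data is constructed."""
from dataclasses import dataclass

# Trusted IP -> MAC bindings for a hypothetical LAN.  On a switch these come
# from the DHCP snooping database or static configuration; on a host they
# could be a hand-maintained list for the gateway and a few key peers.
TRUSTED_BINDINGS = {
    "192.0.2.1": "00:11:22:33:44:01",   # default gateway
    "192.0.2.10": "00:11:22:33:44:0a",  # this workstation
    "192.0.2.20": "00:11:22:33:44:14",  # printer
}

@dataclass(frozen=True)
class ArpReply:
    sender_ip: str    # IP the reply claims to speak for
    sender_mac: str   # MAC the reply wants cached for that IP
    target_ip: str    # host the reply is addressed to

# Constructed sample of ARP replies as this workstation might observe them.
# Replies 3 and 4 show one unknown MAC claiming both the gateway and the
# workstation, the pattern of ARP cache poisoning on both ends of a path.
SAMPLE_REPLIES = [
    ArpReply("192.0.2.20", "00:11:22:33:44:14", "192.0.2.10"),  # legitimate
    ArpReply("192.0.2.1", "00:11:22:33:44:01", "192.0.2.10"),   # legitimate
    ArpReply("192.0.2.1", "00:11:22:33:44:ee", "192.0.2.10"),   # gateway IP, wrong MAC
    ArpReply("192.0.2.10", "00:11:22:33:44:ee", "192.0.2.1"),   # same MAC claims us too
]

def inspect(replies, bindings=TRUSTED_BINDINGS):
    """Return a list of (reply, reason) for every reply that contradicts the
    binding table or where one MAC has claimed more than one IP so far."""
    alerts = []
    claims = {}  # mac -> set of IPs it has claimed in this batch
    for r in replies:
        mac = r.sender_mac.lower()
        expected = bindings.get(r.sender_ip)
        if expected is None:
            alerts.append((r, f"sender IP {r.sender_ip} not in binding table"))
        elif expected.lower() != mac:
            alerts.append((r, f"IP {r.sender_ip} is bound to {expected}, claimed by {mac}"))
        claims.setdefault(mac, set()).add(r.sender_ip)
        if len(claims[mac]) > 1:
            alerts.append((r, f"MAC {mac} claims multiple IPs {sorted(claims[mac])}"))
    return alerts

if __name__ == "__main__":
    for reply, reason in inspect(SAMPLE_REPLIES):
        print(f"ALERT {reply.sender_ip} <- {reply.sender_mac}: {reason}")
```

A real monitor would feed this from a packet capture or from periodic reads of the host's ARP cache; the point is that a binding table turns a silent cache overwrite into a visible event.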