
I have read this: Can I detect a MITM attack? My question is very simple: since a MITM attacker consumes double the number of packets, it is possible to identify him, isn't it?

just_learning
  • Could you clarify your question? Are you a client or the operator of the network? In what way does a MitM attacker "consume double the number of packets"? How would you detect that? What exactly do you mean by "identify"? – Sjoerd Nov 16 '19 at 22:55
  • Supposing that a MITM attacker has managed to connect to my WiFi network: if somehow I identify, among all the connected devices, one that consumes double the number of packets of an average device, can't I conclude that the device doing that is also performing a MITM attack? – just_learning Nov 16 '19 at 23:07
  • First, there are many attack points other than your WiFi. Even for that, a WiFi MITM can use multiple addresses so each handles no more traffic than a legit device -- and different legit devices usually have wildly different traffic already and there is no 'average'. MITM can cause legit device(s) to retransmit so _they_ appear to have the abnormally high traffic. If the intercepted traffic is to and/or from the outside, instead of being strictly in the 'middle' it can relay to/from a different internet connection (_not_ your WiFi) which you can't see. – dave_thompson_085 Nov 17 '19 at 02:03
  • Packet latency probably follows some statistical distribution with mean and variance. Any statistically significant increase in packet latency should be an indicator of possible compromise even if everything appears normal. False positives might be a problem. – FranG Nov 17 '19 at 02:05
  • I think I know what you are asking. A MITM such as arpspoof would cause all layer 3 traffic to first pass through the attacker, and then get forwarded to the access point. Sniffing wireless traffic, you would see a lot of duplicate traffic. Technically you'd see ~3x the layer 2 frames, since the AP is contacted between each device. – multithr3at3d Nov 17 '19 at 18:31
  • @multithr3at3d: Ok, is this an indication that this specific node is a MITM attacker? Is it enough to draw that conclusion? – just_learning Nov 17 '19 at 18:37

1 Answer


Technically, if the attacker is sitting between point A (your device) and point B (a server, another user, etc.), the attacker will be trying to sniff all the traffic between A and B in order to get access to sensitive information.

Now, theoretically speaking, the attacker will be generating a larger amount of traffic, since he is sniffing the traffic, maybe modifying it, before relaying it to (B), on top of the network traffic he generates himself.

Now, just because an attacker generates a large amount of traffic on your network is not necessarily a correct indication that a MITM attack is taking place. However, the device in question may be a likely candidate. Even then, it is not a valid indication. Also, it is important to note that the attacker does not necessarily need to sniff all of the traffic originating from (A); it is possible to regulate it, in which case your hypothesis of double the traffic being generated will fail.

I am not sure if you are understanding a MITM attack properly. Here is an Okayish guide that might be useful: https://www.wandera.com/mobile-security/man-in-the-middle/man-in-the-middle-attack/

4khil
  • I think I understand what MITM is. A second question. Is the MITM attacker that is connected to a WiFi able to catch the whole traffic (of all the nodes connected to the access point)? Or the traffic between the WiFi access point and a specific node, each time? – just_learning Nov 17 '19 at 00:06
  • Theoretically, you can sniff traffic from any node in the network, or choose to sniff the traffic generated from one node. Realistically speaking it will depend on the resources available to perform the MITM and the number of nodes involved. – 4khil Nov 17 '19 at 00:20
  • Is there a program/application that lets me "see" at such a low level (in the 7 OSI layers), so that I can measure the packets received/sent from/to a specific node in order to see if the node is doing a MITM attack on my network? – just_learning Nov 17 '19 at 00:28
  • Wireshark. Use this guide as a starting point: https://www.commonlounge.com/discussion/2627e25558924f3fbb6e03f8f912a12d – 4khil Nov 17 '19 at 01:25
  • Note: There are a number of other tools too. But they might have a bit of a learning curve and is not as intuitive as Wireshark. – 4khil Nov 17 '19 at 01:26
  • I tested Wireshark and I see that it shows the whole traffic in my WiFi network, so to see a specific node, I must filter on a specific IP?? Right? – just_learning Nov 17 '19 at 18:17
  • That's correct. You will have to filter traffic according to your requirements to avoid all the random/normal network traffic that is already present on your wifi network. – 4khil Nov 18 '19 at 19:18
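The "duplicate traffic" observation from multithr3at3d's comment and the per-node filtering discussed in the answer's comments can be turned into a concrete check. The script below is an added example, not code from the thread: it takes per-frame records of the kind Wireshark displays (source MAC, source IP, destination IP; all values here are constructed placeholders, assumed to come from a capture you exported) and flags any host that transmits packets whose source IP belongs to a different device, which is exactly the relaying footprint of an ARP-spoofing MITM. It also shows why raw frame counts alone are a weak signal: the real gateway relays too and has to be excluded explicitly.

```python
"""Flag hosts relaying other devices' IP traffic in a (constructed) frame list."""
from collections import Counter, defaultdict

# Constructed capture: (src_mac, src_ip, dst_ip). Placeholder addresses only.
FRAMES = [
    ("aa:aa:aa:aa:aa:aa", "10.0.0.5", "203.0.113.10"),   # laptop sends a request
    ("ee:ee:ee:ee:ee:ee", "10.0.0.5", "203.0.113.10"),   # suspect host re-sends it
    ("ee:ee:ee:ee:ee:ee", "203.0.113.10", "10.0.0.5"),   # ... and relays the reply
    ("aa:aa:aa:aa:aa:aa", "10.0.0.5", "203.0.113.10"),
    ("ee:ee:ee:ee:ee:ee", "10.0.0.5", "203.0.113.10"),
    ("bb:bb:bb:bb:bb:bb", "10.0.0.7", "198.51.100.1"),   # phone, not intercepted
    ("cc:cc:cc:cc:cc:cc", "198.51.100.1", "10.0.0.7"),   # gateway delivers a reply (legit)
    ("ee:ee:ee:ee:ee:ee", "10.0.0.9", "198.51.100.1"),   # suspect host's own traffic
]

# Which IP each MAC legitimately owns, e.g. from the router's DHCP lease table
# or a baseline capture taken when the network was known to be clean (assumed).
BINDINGS = {
    "aa:aa:aa:aa:aa:aa": "10.0.0.5",
    "bb:bb:bb:bb:bb:bb": "10.0.0.7",
    "cc:cc:cc:cc:cc:cc": "10.0.0.1",
    "ee:ee:ee:ee:ee:ee": "10.0.0.9",
}
# The real gateway forwards everyone's packets by design, so it is allow-listed.
KNOWN_FORWARDERS = {"cc:cc:cc:cc:cc:cc"}


def frames_per_mac(frames):
    """The crude view: how many frames each host transmitted."""
    return Counter(mac for mac, _, _ in frames)


def find_relays(frames, bindings, known_forwarders=frozenset()):
    """Return {mac: set of foreign source IPs} for hosts that forward traffic
    that is not their own and are not a known router. An empty dict means
    no relaying host was seen in this capture."""
    relayed = defaultdict(set)
    for mac, src_ip, _ in frames:
        if mac in known_forwarders:
            continue
        if bindings.get(mac) != src_ip:
            relayed[mac].add(src_ip)
    return dict(relayed)


if __name__ == "__main__":
    print("frames per host:", dict(frames_per_mac(FRAMES)))
    print("relaying hosts:", find_relays(FRAMES, BINDINGS, KNOWN_FORWARDERS))
```

Note that the gateway (cc:...) also sends "foreign" source IPs, so without the allow-list it would be flagged too; the per-host frame count is only a hint, while the MAC-to-IP mismatch is the actual evidence.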