The challenge for an attacker is finding vulnerabilities in software or in network protocols that allow the communication between two devices to be intercepted. Common target protocols to exploit are the Address Resolution Protocol (ARP) and the Domain Name System (DNS). Steps have been taken to make these protocols more secure in order to prevent MitM attacks. Furthermore, Transport Layer Security (TLS) (and its predecessor, Secure Sockets Layer (SSL)) mitigates the risk of MitM attacks over the internet.
One of the more targeted protocols to exploit is the Address Resolution Protocol (ARP). This protocol converts …
If a host wants to look up the IP address for a domain name, it passes its request to a DNS server. If that server has no matching IP/domain binding, it sends a request to another DNS server, and this process continues until a match is found. Upon finding a match, DNS servers store the IP/domain binding in a cache that can be used to resolve future queries without having to query other servers again. In a simple example of a DNS spoofing attack, an attacker can trigger a DNS request from a client and then, while the resolver recursively queries other servers for the correct IP address, spam illegitimate replies trying to match the 16-bit query ID (65536 possibilities). If an attacker's reply with a matching query ID arrives before the legitimate reply, it gets accepted and cached by the now compromised
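The acceptance check described above, modelled from the resolver's side as an added example (not code from this essay): a reply is cached only if its query ID, destination port and question name all match an outstanding query, and `guess_space` shows how many (ID, port) combinations a forged reply must hit with and without source-port randomization. The fixed source port 53 for the legacy case and the port range 1024-65535 are assumptions of the model.

```python
import secrets
from dataclasses import dataclass

TXID_SPACE = 1 << 16            # 16-bit query ID: 65536 possibilities
EPHEMERAL_PORTS = 65536 - 1024  # assumed range 1024..65535 for randomized ports
FIXED_PORT = 53                 # assumed fixed source port of a legacy resolver


@dataclass(frozen=True)
class Query:
    txid: int       # 16-bit transaction ID chosen by the resolver
    src_port: int   # UDP source port the query was sent from
    qname: str


@dataclass(frozen=True)
class Reply:
    txid: int
    dst_port: int   # port the reply is addressed to
    qname: str
    address: str


class Resolver:
    """Minimal model of a caching resolver's reply validation."""

    def __init__(self, randomize_port: bool) -> None:
        self.randomize_port = randomize_port
        self.pending: dict[str, Query] = {}   # outstanding queries by name
        self.cache: dict[str, str] = {}       # accepted name -> address bindings

    def send_query(self, qname: str) -> Query:
        port = (secrets.randbelow(EPHEMERAL_PORTS) + 1024
                if self.randomize_port else FIXED_PORT)
        q = Query(secrets.randbelow(TXID_SPACE), port, qname.lower())
        self.pending[q.qname] = q
        return q

    def receive_reply(self, r: Reply) -> bool:
        """Cache the answer only if txid, port and name all match a pending query."""
        q = self.pending.get(r.qname.lower())
        if q is None or r.txid != q.txid or r.dst_port != q.src_port:
            return False          # mismatch or nothing pending: drop, cache untouched
        self.cache[q.qname] = r.address
        del self.pending[q.qname]  # first accepted reply wins; later ones are ignored
        return True


def guess_space(randomize_port: bool) -> int:
    """Distinct (txid, port) pairs a forged reply must hit for one query."""
    return TXID_SPACE * (EPHEMERAL_PORTS if randomize_port else 1)
```

Once a query's answer is cached, the pending entry is gone, so a later reply for the same name, legitimate or forged, is dropped; that is why the race is decided by whichever matching reply arrives first.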