I believe that I am the subject of a WAN based man in the middle attack.
In order to try and track down if this is actually happening, I need to understand the mechanism by which such an attack can be mounted. My question is: how can a man-in-the-middle attack be put in place on the WAN, where the man in the middle is more than one hop away from one's router?
In order to try and find out what is going on I am trying to optimise my learning curve to the issue at hand and would appreciate any assistance in this.
Regards
Richard
This sounds like a homework question and to be honest isn't really a question best suited for a forensic computing message board.
If you want my advice post on the Backtrack message boards…..
Why do you think you are a victim of a MITM attack? What "symptoms" are you seeing of this attack?
To help you better understand the problem you need to let us know what is actually happening.
Anyone who has access to the path of your data traffic can act as man-in-the-middle. Man-in-the-middle in essence is a proxying behavior, so think of the attacker as a proxy.
Why do I think I am the victim of a MITM attack?
1. My PC keeps sending itself packets. For example, say my WAN address is 1.2.3.4 and my LAN address is A.B.C.D; then why would A.B.C.D be sending packets to 1.2.3.4?
2. Clearing the ARP cache causes a significant performance improvement, yet ARP caches exist specifically to improve performance, but leaving my ARP cache un-cleared does the opposite.
3. Periodically I appear to lose my internet connection: the router indicates all is well but the connection is dead, but simply switching the router off and on again restores the connection. This would be consistent with what would happen if the man in the middle switched off their equipment without resetting the MAC addresses.
Like I say, I can't be absolutely sure what's going on, but the signs are there. If anyone knows of any other tell-tale signs of a MITM attack, I would be most interested to hear about it.
Anyone who has access to the path of your data traffic can act as man-in-the-middle. Man-in-the-middle in essence is a proxying behavior, so think of the attacker as a proxy.
This much I understand. But my question is how does someone get access to said path, or control the routing such as to divert packets via their system? What would one have to look for to discover if packets are being diverted on the WAN side of things?
Regards
Richard
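The ARP symptom described in point 2 above can be checked rather than guessed at. The script below is an added example, not code posted by anyone in this thread: it parses two snapshots of Linux `arp -a` style output (the sample lines, addresses and MACs are constructed for illustration) and reports the two things a defender would look for on the LAN side, namely the gateway's MAC address changing between snapshots and one MAC answering for several IP addresses. The gateway IP and the command output format are assumptions; adapt them to the host in question.

```python
import re
from collections import defaultdict

# Constructed sample output in the style of Linux `arp -a` (not from the thread).
# Snapshot taken when the network was behaving normally.
BASELINE = """\
_gateway (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
printer (192.168.1.20) at 00:aa:bb:cc:dd:01 [ether] on eth0
nas (192.168.1.30) at 00:aa:bb:cc:dd:02 [ether] on eth0
"""

# Constructed later snapshot: the gateway's MAC has changed and the same MAC
# now also answers for the NAS, which is the pattern ARP spoofing produces.
LATER = """\
_gateway (192.168.1.1) at de:ad:be:ef:00:01 [ether] on eth0
printer (192.168.1.20) at 00:aa:bb:cc:dd:01 [ether] on eth0
nas (192.168.1.30) at de:ad:be:ef:00:01 [ether] on eth0
"""

# Matches "(ip) at mac"; incomplete entries ("<incomplete>") have no MAC and are skipped.
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


def parse_arp(text):
    """Return {ip: mac} from arp -a style output, MACs normalised to lower case."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_arp_anomalies(baseline, later, gateway_ip):
    """Compare two ARP snapshots and return a list of human-readable findings.

    Two checks: did the gateway's MAC change, and does any MAC in the later
    snapshot claim more than one IP address?
    """
    before, after = parse_arp(baseline), parse_arp(later)
    findings = []

    if gateway_ip in before and gateway_ip in after and before[gateway_ip] != after[gateway_ip]:
        findings.append(
            f"gateway {gateway_ip} MAC changed {before[gateway_ip]} -> {after[gateway_ip]}"
        )

    by_mac = defaultdict(list)
    for ip, mac in after.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claimed by multiple IPs: {', '.join(sorted(ips))}")

    return findings


if __name__ == "__main__":
    # Assumed gateway address for the constructed sample.
    for finding in find_arp_anomalies(BASELINE, LATER, "192.168.1.1"):
        print(finding)
```

On a real host you would save `arp -a` output to a file when things are working, then run the comparison against fresh output whenever the slowdown recurs; a gateway MAC that flips between two values, or a MAC shared by the gateway and another host, is worth investigating, whereas a stable table says nothing about what happens beyond the router.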
This sounds like a homework question and to be honest isn't really a question best suited for a forensic computing message board.
If you want my advice post on the Backtrack message boards…..
Why do you think you are a victim of a MITM attack? What "symptoms" are you seeing of this attack?
To help you better understand the problem you need to let us know what is actually happening.
Does not this issue fall under the umbrella of network forensics? I thought that malware forensics in general was all about tracking down hackers and gathering and preserving evidence to successfully prosecute hackers? Or am I missing something?
Regards
Richard
Grab yourself a copy of wireshark (free) and watch what happens.
Grab yourself a copy of wireshark (free) and watch what happens.
I have used Wireshark several times in the past and as I recall it only shows data on source and destination, and nothing about what goes on in between. It's the middle bit in 'the man in the middle attack' I'm concerned about.
Regards
Richard
Tracert your data and see what IPs the packets touch.
Tracert your data and see what IPs the packets touch.
This sounds nearer the mark. I have tried traceroute and found nothing, but cannot conclude anything about this, as a man in the middle attack could in any case modify said packets. Results would only prove conclusive if something was found. If on the other hand nothing is found, then the results are inconclusive.
Regards
Richard
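The traceroute suggestion is more useful as a comparison over time than as a single run, which is where the "found nothing" problem above comes from. The script below is an added example, not code from anyone in this thread: it parses two Unix-style traceroute outputs (the hostnames, addresses and timings are constructed for illustration) and reports hops that have appeared, disappeared, or changed the path length. The output format and the destination are assumptions. As the post above says, an unchanged path is not evidence of absence; the example only makes a change visible when there is one.

```python
import re

# Constructed sample output in the style of Unix traceroute (not from the thread).
# Baseline captured while the connection was known to be behaving normally.
BASELINE_TRACE = """\
traceroute to example.net (203.0.113.10), 30 hops max
 1  192.168.1.1  1.1 ms
 2  198.51.100.1  9.8 ms
 3  198.51.100.77  12.4 ms
 4  203.0.113.10  20.3 ms
"""

# Constructed later run: an extra hop has appeared between the ISP edge and the
# destination, and latency from that point on has roughly doubled.
LATER_TRACE = """\
traceroute to example.net (203.0.113.10), 30 hops max
 1  192.168.1.1  1.2 ms
 2  198.51.100.1  10.1 ms
 3  198.51.100.200  31.0 ms
 4  198.51.100.77  33.7 ms
 5  203.0.113.10  41.9 ms
"""

# A hop line starts with the hop number followed by an address or "*".
HOP_LINE = re.compile(r"^\s*(\d+)\s+(\S+)")


def parse_hops(text):
    """Return the ordered list of hop addresses; '*' marks a hop that did not answer."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if m:
            hops.append(m.group(2))
    return hops


def compare_paths(baseline, later):
    """Diff two traces and summarise what changed along the path.

    Non-responding hops ('*') are ignored for the new/missing lists because a
    router that simply stops answering ICMP is routine, not a path change.
    """
    before, after = parse_hops(baseline), parse_hops(later)
    known = {h for h in before if h != "*"}
    seen = {h for h in after if h != "*"}
    return {
        "hop_count_delta": len(after) - len(before),
        "new_hops": [h for h in after if h != "*" and h not in known],
        "missing_hops": [h for h in before if h != "*" and h not in seen],
        "destination_unchanged": bool(before and after and before[-1] == after[-1]),
    }


if __name__ == "__main__":
    for key, value in compare_paths(BASELINE_TRACE, LATER_TRACE).items():
        print(f"{key}: {value}")
```

In practice you would store the baseline from several runs at different times of day, since ISP routing legitimately changes, and treat a new hop that persists across runs as something to ask the ISP about rather than as proof of interception; a hop that sits between your router and the ISP's first router is the one that would be hardest to explain away.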