The technique of detecting network attacks of "man in the middle" class based on the transit traffic analysis
Abstract
Incoming article date: 08.09.2017
The article is devoted to the problem of protecting data from interception by "man in the middle" attacks. The proposed technique for detecting these attacks is based on analyzing the headers of transit packets passing through the default gateway. From the data obtained, a table mapping IP addresses to MAC addresses is constructed, and the software keeps its records up to date and reliable. The addresses of packets passing through the gateway are compared with the records in this table. If they do not match, and the addresses in the data link and network layer headers cannot be confirmed as correct, it is concluded that the network contains an additional intermediate node that appeared as a result of default gateway substitution. The article presents approaches to implementing this technique in software and describes the packet analysis algorithm.
Keywords: local area network, man-in-the-middle, DHCP-spoofing, ARP-poisoning, traffic analysis, gateway, network address, packet, ARP-table
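
An added example, not code from the article: a minimal Python sketch of the comparison step the abstract describes, assuming the gateway checks the source MAC and source IPv4 address of each LAN-side frame against its table. The `confirm` hook, all class and function names, and the addresses are hypothetical and constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

def parse_frame(frame: bytes):
    """Return (src_mac, src_ip) of an Ethernet II / IPv4 frame, or None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    return frame[6:12].hex(":"), str(IPv4Address(frame[26:30]))

class TransitMonitor:
    """Checks LAN-side frames at the gateway against an IP-to-MAC table."""
    def __init__(self, bindings, confirm=lambda ip, mac: False):
        self.bindings = dict(bindings)  # trusted IP -> MAC records
        self.confirm = confirm          # hypothetical re-verification hook

    def check(self, frame: bytes) -> str:
        parsed = parse_frame(frame)
        if parsed is None:
            return "skipped"            # too short or not IPv4
        mac, ip = parsed
        known = self.bindings.get(ip)
        if known == mac:
            return "ok"
        if self.confirm(ip, mac):       # new or changed binding was confirmed
            self.bindings[ip] = mac
            return "updated"
        # Unconfirmed mismatch on a known IP: treat as an intermediate node.
        return "alert" if known else "unknown"

def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """Constructed test frame: Ethernet II header plus a minimal IPv4 header."""
    to_bytes = lambda mac: bytes.fromhex(mac.replace(":", ""))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return to_bytes(dst_mac) + to_bytes(src_mac) + b"\x08\x00" + ip

# Constructed sample data (documentation address ranges, made-up MACs).
GATEWAY_MAC = "02:00:00:00:00:01"
HOST_MAC = "02:00:00:00:00:10"
RELAY_MAC = "02:00:00:00:00:66"  # node sitting between the host and the gateway
BINDINGS = {"192.0.2.10": HOST_MAC}

def demo():
    mon = TransitMonitor(BINDINGS)
    direct = build_frame(HOST_MAC, GATEWAY_MAC, "192.0.2.10", "198.51.100.7")
    relayed = build_frame(RELAY_MAC, GATEWAY_MAC, "192.0.2.10", "198.51.100.7")
    return [mon.check(direct), mon.check(relayed), mon.check(b"\x00" * 10)]

if __name__ == "__main__":
    print(demo())
```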