Man-on-the-side attack
From Wikipedia, the free encyclopedia
A man-on-the-side attack is a form of active attack in computer security similar to a man-in-the-middle attack. Instead of completely controlling a network node as in a man-in-the-middle attack, the attacker only has regular access to the communication channel, which allows them to read the traffic and insert new messages, but not to modify or delete messages sent by other participants. The attacker relies on a timing advantage to make sure that the response they send to a victim's request arrives before the legitimate response.

In real-world attacks, the response packet sent by the attacker can be used to place malware on the victim's computer.[1] The need for a timing advantage makes the attack difficult to execute, as it requires a privileged position in the network, for example on the internet backbone.[2] This class of attack may also be performed within a local network (again assuming a privileged position); research has shown that it can succeed within critical infrastructure networks.[3]

The 2013 global surveillance revelations revealed that the US National Security Agency (NSA) widely uses man-on-the-side attacks to infect targets with malware through its QUANTUM program.[1]

GitHub suffered such an attack in 2015.[4] A Russian threat group may have carried out a similar attack in 2019.

Definition

Man-on-the-side has become a more familiar term since Edward Snowden leaked information about the NSA's quantum insert project. A man-on-the-side attack involves a cyber-attacker in a conversation between two people or two parties who are communicating online. The attacker is able to intercept and inject messages into the communication between the two parties,[5] but is not able to remove any signals from the communication channel. The attack can be applied to websites while a user is retrieving an online file download. The attacker can also receive the signals and perform the attack through a satellite link: as long as they have a satellite dish where they reside, they can read the transmissions and receive the signals. Satellite links have high latency, which gives the attacker enough time to deliver their injected response to the victim before the actual response from the other party arrives over the satellite link.[5] This is why the attacker relies on a timing advantage.
The main difference between a man-in-the-middle attack and a man-on-the-side attack is that man-in-the-middle attackers can intercept and block messages and signals from being transmitted, whilst man-on-the-side attackers can only intercept and inject messages and signals before the other party receives the legitimate response.
Since a man-on-the-side attack requires a strong timing advantage, one explanation for why attackers choose it may lie in their psychological behaviour. Maria Kjaerland, a faculty member at the University of Stavanger, conducted an exploratory study examining the relationship between different cyber offences and psychological behaviours.[6] She concluded that web compromise is a common activity for hackers who attack targets for the challenge, because it relies on the attacker timing the messages left for victims accurately; they can easily be caught if the timing is wrong and cannot make up for it afterwards. This challenge therefore carries higher consequences than other types of attack.[6] Similarly, a man-on-the-side attack also requires the attacker to rely on a timing advantage in order to retrieve and alter information from victims without the victims realising or being able to determine what the attacker has done.

Examples

Russia

In 2019, it was reported that a man-on-the-side attack might have been devised by a Russian threat group to install malware. When a victim used the internet and requested a file download from a particular website, the man-on-the-side attackers present on the path could see that the victim was attempting to download the file. Since they could not prevent the victim from downloading the file, what they could do was intercept the request to the server and send their own response to the victim before the legitimate response, the requested download file, arrived.[7] The attackers' response directed the victim to a "302 error" page, which led the victim to think that the file had been removed or simply could not be downloaded. Even though the victim would still receive the legitimate response from the website, since they had already accepted the attackers' response as the proper one, they would not see the legitimate website and file.[8] At the "302 error" page, the attacking team directed the victims to an alternative website, which the attacking team controlled and ran, to download the files they wanted. When the victim connected to the attacking team's server, without knowing it, they would start downloading the file, because the victim's screen showed that this site was working and that they could finally download the file.[9] However, the attacking team had already fetched the original file from the legitimate website, modified it to include pieces of malware and served that modified file to the victim. When the victim clicked on the link and started the download, they were already downloading a file that contained malware.
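As an added example (not code from the article or from any of the cited sources), a defender-side detector for the race described in the Definition section and in the Russia example above: because the attacker can inject but never suppress the server's real reply, a capture taken at the victim side contains two server-to-client TCP segments claiming the same sequence number but carrying different payloads, whereas a plain retransmission repeats identical bytes. The record layout, the sample segments and the TTL-difference heuristic (an injected packet often arrives with a different IP TTL because it was emitted from a different hop) are my assumptions, not taken from the article.

```python
"""Detect a man-on-the-side race in captured server->client TCP segments.
The attacker can inject but not suppress the real reply, so the victim side
sees two segments with the same TCP sequence number but different payloads;
a plain retransmission carries identical bytes and is ignored."""
from collections import defaultdict

def find_mots_races(segments):
    """Return one finding per (flow, seq) answered with differing payloads.
    Segments are assumed to be listed in arrival order (constructed layout)."""
    by_flow_seq = defaultdict(list)
    for s in segments:
        key = (s["src"], s["sport"], s["dst"], s["dport"], s["seq"])
        by_flow_seq[key].append(s)
    findings = []
    for key, seen in by_flow_seq.items():
        first = seen[0]  # earliest arrival is the one the victim acted on
        for later in seen[1:]:
            if later["payload"] == first["payload"]:
                continue  # benign retransmission of the same bytes
            findings.append({
                "flow": key[:4], "seq": key[4],
                "first_payload": first["payload"],
                "later_payload": later["payload"],
                # TTL mismatch is a supporting heuristic (assumption), not proof
                "ttl_differs": first["ttl"] != later["ttl"],
            })
    return findings

# Constructed sample capture (not real traffic): one HTTP download request
# answered twice at seq 1000: first a redirect to an attacker-chosen host
# (the "302 page"), then the genuine file. Second flow: a real retransmission.
SAMPLE = [
    {"src": "203.0.113.10", "sport": 80, "dst": "192.0.2.5", "dport": 40001,
     "seq": 1000, "ttl": 48,
     "payload": b"HTTP/1.1 302 Found\r\nLocation: http://mirror.example/x.exe\r\n\r\n"},
    {"src": "203.0.113.10", "sport": 80, "dst": "192.0.2.5", "dport": 40001,
     "seq": 1000, "ttl": 55,
     "payload": b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ"},
    {"src": "203.0.113.20", "sport": 443, "dst": "192.0.2.5", "dport": 40002,
     "seq": 7, "ttl": 50, "payload": b"\x17\x03\x03\x00\x03abc"},
    {"src": "203.0.113.20", "sport": 443, "dst": "192.0.2.5", "dport": 40002,
     "seq": 7, "ttl": 50, "payload": b"\x17\x03\x03\x00\x03abc"},
]

if __name__ == "__main__":
    for f in find_mots_races(SAMPLE):
        print(f"possible MotS race on {f['flow']} seq={f['seq']}, ttl differs: {f['ttl_differs']}")
```

On a real capture the same logic can be fed from a pcap parser; the flagged pair shows the victim both the response that won the race and the legitimate one that lost it.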
China

In 2015, two GitHub repositories were flooded with traffic as a result of a man-on-the-side attack. When a user outside China browses a Chinese website, their traffic must pass through the Chinese internet infrastructure before reaching the site. The infrastructure let the request reach the legitimate Chinese website the user wanted to browse without any modification. The response came back from the website, but as it passed back through the Chinese internet infrastructure, before it reached the user, it was modified. The modification replaced the Baidu analytics script with a malicious script that, in addition to contacting Baidu, made the user's browser send requests to the two GitHub repositories as the user continued browsing the website.[10] The users, who were able to continue browsing the Chinese search engine Baidu, were innocent and entirely unaware that the response they received carried an embedded malicious script making requests to GitHub on the side.[10] This happened to all users outside China who tried to access a Chinese website, which resulted in extremely high volumes of requests to the two GitHub repositories. The enormous load flooded GitHub's servers, which is how they were attacked.

References

1. Gallagher, Ryan; Greenwald, Glenn (12 March 2014). "How the NSA Plans to Infect 'Millions' of Computers with Malware". The Intercept. Retrieved 15 March 2014.
2. Schneier, Bruce (4 October 2013). "Attacking Tor: how the NSA targets users' online anonymity". The Guardian. Retrieved 15 March 2014.
3. Maynard, Peter; McLaughlin, Kieran (1 May 2020). "Towards Understanding Man-on-the-Side Attacks (MotS) in SCADA Networks". 17th International Conference on Security and Cryptography (SECRYPT 2020). arXiv:2004.14334. Bibcode:2020arXiv200414334M.
4. Hjelmvik, Erik (31 March 2015). "China's Man-on-the-Side Attack on GitHub". netresec.com. Netresec. Retrieved 16 April 2020.
5. Mushtaq, Maria et al. (2020). "WHISPER: A Tool For Run-Time Detection Of Side-Channel Attacks". IEEE Access 8: 83871-83900.
6. Kjaerland, Maria (2005). "A Classification Of Computer Security Incidents Based On Reported Attack Data". Journal of Investigative Psychology and Offender Profiling 2(2): 105-120.
7. "Russian Threat Group May Have Devised a 'Man-on-the-Side' Attack". Dark Reading. Retrieved 14 November 2020.
8. "GitHub DDoS Attack Traces to China". www.bankinfosecurity.com. Retrieved 6 December 2020.
9. Mozur, Paul (30 March 2015). "China Appears to Attack GitHub by Diverting Web Traffic". The New York Times. ISSN 0362-4331. Retrieved 6 December 2020.
10. Albahar, Marwan (2017). "Cyber Attacks And Terrorism: A Twenty-First Century Conundrum". Science and Engineering Ethics 25(4): 993-1008.
Category: Computer network security

This page was last edited on 20 May 2023, at 22:32 (UTC).