MITM attacks - how likely are they?

First, let's talk Border Gateway Protocol. The internet is composed of thousands of endpoints known as ASes (Autonomous Systems), and they route data with a protocol known as BGP (Border Gateway Protocol). In recent years the size of the BGP routing table has been exponentially increasing in size, breaking well over one 100,000 entries. Even with routing hardware increasing in power, it is barely able to keep the pace with the ever-expanding size of the BGP routing table.

The tricky part in our MITM scenario is that BGP implicitly trusts routes that other autonomous systems provide it, which means that, with enough spamming from an AS, any route can lead to any autonomous system. It is the most obvious way to MITM traffic, and it's not just theoretical - Defcon security convention's site was redirected to a security researcher's website in 2007 to demonstrate the attack. Youtube was down in several Asian countries when Pakistan censored the site and mistakenly declared its own (dead) route the best for several ASes outside of Pakistan.

A handful of academic groups collect BGP routing information from cooperating ASes to monitor BGP updates that change traffic paths. But without context, it can be difficult to distinguish a legitimate change from a malicious hijacking. Traffic paths change all the time to cope with natural disasters, company mergers, etc.

Next to discuss on the 'Global MITM attack vectors' list is Domain Name System (DNS).

Although ISC's Fine DNS server BIND has stood the test of time and come out relatively unscathed (as have Microsoft and Cisco's DNS offerings), a few notable vulnerabilities have been found that could potentially jeopardize all traffic using canonicalized names on the internet (i.e. practically all traffic).

I won't even bother discussing Dan Kaminsky's research into the DNS cache poisoning attack, as it has been beaten to death elsewhere, only to be awarded 'most overhyped bug ever' by Blackhat - Las Vegas. However, several other DNS bugs exist that have severely compromised internet security.

The Dynamic Update Zone Bug crashed DNS servers and had the potential to remotely compromise machines and DNS caches.

The Transaction Signatures Bug allowed for full remote root compromise of any server running BIND at the time the vulnerability was announced, obviously allowing DNS entries to be compromised.

Finally, we must discuss ARP Poisoning, 802.11q Retracing, STP-Trunk Hijacking, RIPv1 routing information injection and the slew of attacks for OSPF networks.

These attacks are the 'familiars' to a network admin for an independent company (rightfully so, considering these may be the only ones they have control over). Discussing the technical details of each of these attacks is slightly boring at this stage, as everyone who is familiar with basic information security or TCP has learned ARP Poisoning. The other attacks are likely a familiar face to many network admins or server security aficionados. If these are your concern, there are plenty of very good network defense utilities that exist, ranging from Free and Open Source utilities like Snort to the enterprise level software from Cisco and HP. Alternatively, many informative books cover these topics, too numerous to discuss, but several I've found helpful in the pursuit of network security include The Tao of Network Security Monitoring, Network Security Architectures, and the classic Network Warrior

In any case, I find it somewhat disturbing that people assume that these sort of attacks require ISP or Government level access. They require no more than the average CCIE has in networking knowledge and the appropriate tools (i.e. HPING and Netcat, not exactly theoretical tools). Stay vigilant if you want to stay secure.

Here's one MITM scenario that concerns me:

Let's say there's a big convention at a hotel. ACME Anvils and Terrific TNT are major competitors in the cartoon danger industry. Someone with a vested interest in their products, especially new ones in development, would seriously love to get his paws on their plans. We'll call him WC to protect his privacy.

WC checks in at Famous Hotel early in order to give him some time to set up. He discovers that the hotel has wifi access points called FamousHotel-1 through FamousHotel-5. So he sets up an access point and calls it FamousHotel-6 so it blends in to the landscape and bridges it to one of the other APs.

Now, the conventioneers start to check in. It just so happens that one of the biggest customers of both companies, we'll call him RR, checks in and gets a room near WC's. He sets up his laptop and starts exchanging emails with his suppliers.

WC is cackling maniacally! "My devious plan is working!", he exclaims. BOOM! CRASH! Simultaneously, he's hit by an anvil and a bundle of TNT. It seems the security teams of ACME Anvils, Terrific TNT, RR and Famous Hotel were working together anticipating this very attack.

Beep beep!

Edit:

How timely^*: Travel tip: Beware of airport wi-fi "honeypots"

^{* Well, it was timely that it just showed up in my RSS feed.}

It's entirely dependent on the situation. How much do you trust your ISP? How much do you know about your ISP's configuration? And how secure is your own setup?

Most "attacks" like this now are very likely with trojan malware intercepting keystrokes and passwords from files. Happens all the time, just that it doesn't get noticed or reported so much.

And how often does information get leaked inside the ISP level? When I worked for a small ISP, we were reselling another higher tier of access. So a person that dialed into us came into our network, and if you weren't talking to our web server or mail server, traffic went to a higher tier provider, and we have no idea who did what with your data in their network, or how trustworthy their admins were.

If you want to know how many spots someone could "potentially" see your traffic do a traceroute and you'll see as much as will respond at each routing point. That's assuming cloaked devices aren't in between some of those. And that those devices are each actually routers and not something masquerading as routers.

The thing is that you can't know how prevalent the attacks are. There aren't any regulations saying companies have to disclose attacks that are discovered unless your credit information is compromised. Most companies don't because it's embarrassing (or too much work). With the amount of malware floating out there, it's probably far more prevalent than you'd think, and even then the key is to have discovered the attack. When the malware works properly, most users wouldn't know when it happens. And the actual person-who-gets-miffed-and-snoops-traffic-at-a-provider scenario are the ones that companies don't report unless they have to.

Of course these ignore the scenarios where companies are compelled to keep records of your traffic and disclose them to government agencies without telling you. If you're in the US, thanks to the Patriot Act, libraries and ISP's can be compelled to record your data travels and emails and browsing history without telling you that they're collecting information on you.

In other words, there is no hard data on how prevalent MITM and interception attacks are on users, but there's evidence that would suggest it's higher than would be comfortable, and most users don't care enough to get that information.

The real question is "how much of my limited resourcing should I devote to MITM attacks instead of elsewhere?"

This depends a lot of the nature of the communications involved, and has no single answer. In my experience it's not a big risk relative to other security risks, but it's usually a cheap one to minimize (e.g.: an SSL certificate and and use HTTPS is often enough) so it is cheaper to fix than spend the time evaluating how much of a risk it could be.

Do you have a wireless access point at home? A proxy server at work?

Either of those ingress/egress points can be compromised without some vast government/isp conspiracy. It's also possible for components of an ISPs infrastructure to be compromised.

Do you use a web browser? It's pretty trivial to configure a browser to direct traffic to a man in the middle. There has been browser malware that re-routed certain banking and brokerage transactions using this method, particularly for small businesses with wire privileges.

Security is about risk management... there are two basic attributes to how you approach dealing with a risk: probability of occurrence and impact. The actual probability of you getting into a serious car accident is very low, but the impact to your personal safety is high, so you buckle your seatbelt and put your infant in a car seat.

When people get lazy and/or cheap, disaster is often the result. In the Gulf of Mexico, BP ignored all sorts of risk factors because they believed that they transferred risk to contractors, and figured that they had drilled enough wells without incident, so the probability of an incident was very low.

MitM attacks are pretty much exclusively encountered in the local network. Tapping into a connection across the internet requires either ISP or Government level access - and it's very rare that anyone with that level of resources is going after your data.

Once someone gets into your network, then you've got serious problems, but outside of that, you're probably fine.

@Craig: In your edit you have some misinformation. Wireless networking is not broadcast based. The data being transmitted in a wireless communication session (between wireless client and wireless access point) is not "broadcast" for everyone to hear. The wireless client associates with the AP and communication occurs between said client and AP. If you meant that the data is being broadcast because it's encapsulated in a radio signal that is "broadcasted", then yes it can be sniffed with very specific wireless equipment (RMON capable wireless adapters) and software tools. Wireless clients that haven't associated with the same AP have no mechanism to intercept or "hear" the wireless traffic except with the aforementioned equipment. Wireless communications in TCP\IP networks works essentially the same as for wired networks except for the transmission media: radio waves as opposed to physical wires. If WiFi traffic was broadcast for everyone to eavesdrop on it would have never left the drawing board.

That being said, I think that wireless networks pose a greater risk to MITM attacks because physical access is not required to access the wireless network to "inject" a rogue system in order to intercept the traffic.