Jump to content

Man-on-the-side attack

From Wikipedia, the free encyclopedia

A man-on-the-side attack is a form of active attack in computer security similar to a man-in-the-middle attack. Instead of completely controlling a network node as in a man-in-the-middle attack, the attacker only has regular access to the communication channel, which allows him to read the traffic and insert new messages, but not to modify or delete messages sent by other participants. The attacker relies on a timing advantage to make sure that the response he sends to the request of a victim arrives before the legitimate response.

In real-world attacks, the response packet sent by the attacker can be used to place malware on the victim's computer.[1] The need for a timing advantage makes the attack difficult to execute, as it requires a privileged position in the network, for example on the internet backbone.[2] Potentially, this class of attack may be performed within a local network (assuming a privileged position), research has shown that it has been successful within critical infrastructure.[3]

The 2013 global surveillance revelations revealed that the US National Security Agency (NSA) widely uses a man-on-the-side attack to infect targets with malware through its QUANTUM program.[1]

GitHub suffered such an attack in 2015.[4] The Russian Threat Group might have suffered a similar attack in 2019.


Man-on-the-side has become a more familiarized term after Edward Snowden leaked information about the NSA's quantum insert project. Man-on-the-side attack involves a cyber-attacker in a conversation between two people or two parties who are communicating online. The cyber-attacker is able to intercept and inject messages into the communication between the two parties.[5] However, the cyber-attacker is not able to remove any signals on communication channels. Man-on-the-side attack can be applied to websites while retrieving online file downloads. The cyber-attacker is able to receive signals and perform the attack through a satellite. As long as they have a satellite dish in the place they're residing in, they will be able to read transmissions and receive signals. Satellites tend to have high latency, which gives the cyber attacker enough time to send their injected response to the victim before the actual response from one party reaches the other through the satellite link.[5] Therefore, this is the reason why an attacker relies on timing advantage.

The main difference between man-in-the-middle attack and man-on-the-side-attack is that man-in-the-middle attackers are able to intercept and block messages and signals from transmitting, whilst man-on-the-side attackers are able to intercept and inject messages and signals before the other party receives a legitimate response.

Since man-on-the-side attack requires a strong timing advantage, a reason to why people use Man-on-the-side attack may be explained through their psychological behaviour. Faculty Member from the University of Stavanger, Maria Kjaerland, conducted an exploration study to examine the relationship between different cyber offences and psychological behaviours.[6] She concluded that web compromise is a common activity for hackers attacking targets for challenge because it relies on attackers having accurate timing in leaving messages victims. They can be easily caught if the timing is incorrect and will not be able to make up for it. Therefore, this challenge bears higher consequences amongst other types of attacks.[6] Therefore,  Similarly, man-on-the-side attack also require attackers to rely on having time advantage in order to retrieving and modifying information from victims without them realising or determining what the hacker has done.



In 2019, it was reported that man-on-the-side attack might have been conceived by the Russian Threat Group through installing Malwares. When victim used the internet and requested to download a file at a particular website, man-on-the-side attackers who were present were aware that the victims were attempting to download the file. Since the man-on-the-side attackers were not able to prohibit the victim from downloading the file, what they could do was to intercept the server and send a signal to the victim before the victim received a legitimate response, which was the requested download file.[7] The attacker then intercepted and sent the victims a message that directed them to a 302 error site, which led the victim to think that the file has been removed or it simply cannot be downloaded. However, even though the victim would receive a legitimate response from the website file download, since their servers were already contaminated, they would not have been able to view the legitimate website and file sine they received a so-called proper response from the attacking team.[8] At the 302 error site, the attacking team directed the victims to an alternative website to download the files they wanted to, which the attacking team controlled and ran. When the victim connected to the attacking team's server, not known to their knowledge, they would start downloading the file because on the victim's screen, it shows that this site is working and they can finally download the file.[9] However, the attacking team had already found the original file from the legitimate website and modified the file to include pieces of malwares and sent the file back to the victim. When the victim clicked on the link and started downloading the file, they were already downloading a file that consisted of malwares.


In 2015, the two GitHub repositories suffered a flooded attack due to man-on-the-side attack. When a user outside of China attempts to browse a Chinese website, they are required to pass the Chinese Internet Infrastructure before automatically being directed to the website. The infrastructure allowed the request to the legitimate Chinese website the user wanted to browse to without any modifications involved. The response came back from the website, but as it passed through the Chinese Internet Infrastructure, before it could get back to the user, the response had been modified. The modification involved a malware that changed the Baidu analytics script from only accessing Baidu to the user-making request to access the two GitHub Repositories as they continued browse the website.[10] The user, who was able to continue browsing the Chinese search engine, Baidu, were innocent since they were absolutely unaware of the fact that their response involved an embedded malicious script, which would make a request to access GitHub on the side.[10] This happened to all users outside of china who was trying to seek access to a Chinese website, which resulted in extremely high volumes of requests being made to the two GitHub Repositories. The enormous load GitHub had to bear had caused the server to flood and was thus attacked.


  1. ^ a b Gallagher, Ryan; Greenwald, Glenn (12 March 2014). "How the NSA Plans to Infect 'Millions' of Computers with Malware". The Intercept. Retrieved 15 March 2014.
  2. ^ Schneier, Bruce (4 October 2013). "Attacking Tor: how the NSA targets users' online anonymity". The Guardian. Retrieved 15 March 2014.
  3. ^ Maynard, Peter; McLaughlin, Kieran (1 May 2020). "Towards Understanding Man-on-the-Side Attacks (MotS) in SCADA Networks". 17th International Conference on Security and Cryptography (SECRYPT 2020). arXiv:2004.14334. Bibcode:2020arXiv200414334M.
  4. ^ Hjelmvik, Erik (31 March 2015). "China's Man-on-the-Side Attack on GitHub". netresec.com. NetreseC. Retrieved 16 April 2020.
  5. ^ a b Mushtaq, Maria et al. 2020. "WHISPER: A Tool For Run-Time Detection Of Side-Channel Attacks." IEEE Access 8:83871-83900.
  6. ^ a b Kjaerland, Maria. 2005. "A Classification Of Computer Security Incidents Based On Reported Attack Data." Journal of Investigative Psychology and Offender Profiling 2(2):105-120.
  7. ^ "Russian Threat Group May Have Devised a 'Man-on-the-Side' Attack". Dark Reading. Retrieved 2020-11-14.
  8. ^ "GitHub DDoS Attack Traces to China". www.bankinfosecurity.com. Retrieved 2020-12-06.
  9. ^ Mozur, Paul (2015-03-30). "China Appears to Attack GitHub by Diverting Web Traffic (Published 2015)". The New York Times. ISSN 0362-4331. Retrieved 2020-12-06.
  10. ^ a b Albahar, Marwan. 2017. "Cyber Attacks And Terrorism: A Twenty-First Century Conundrum." Science and Engineering Ethics 25(4):993-1008.